Even the malware is AI slop now

An npm package tried to rob Claude's workspace and leaked its own GitHub token doing it. The attackers are vibe-coding their malware now, and your agent is the target.

Last week someone wrote malware to steal files out of Claude's workspace. It worked, sort of. It also leaked its own private GitHub token into the package, which is how researchers found the attacker's account, his test runs, and the whole clumsy operation laid bare.

Let that sink in. The thief left his keys in the door.

On 27 May, OX Security flagged an npm package called mouse5212-super-formatter. They codenamed the campaign Malware-Slop, and the name is doing a lot of work.

What it actually did

The package pretended to be a formatting tool. Underneath, it was an infostealer with one job: take everything in /mnt/user-data, the directory Claude uses to handle file uploads and outputs, and sync it up to a GitHub repository the attacker controlled.

It dressed this up as an "archive deployment sync" utility. Validate a repo, grab a "network status snapshot", quietly hoover your workspace into a remote tree. Around 676 downloads. Roughly seven real exfiltrations in the attacker's repo, most of them his own tests.

And the GitHub account behind it? Created on 26 May, a few hours before the first malicious upload. With its private token sitting in the package for anyone to read.

This is not the work of a careful adversary. This is someone who asked a model to write an infostealer, shipped whatever came out, and never checked it. The malware has the same fingerprints as the code the rest of us are shipping: fast, plausible, and not understood by the person who pushed it.

The good news is also the bad news

Here's the uncomfortable part. The clumsiness is the only reason this story is funny.

Strip out the leaked token and the amateur tradecraft, and what's left is a precise, well-aimed attack. It didn't go after your .env. It didn't scan for AWS keys in the usual places. It went straight for /mnt/user-data, because the person, or the model, knew exactly where Claude keeps the files you hand it.

The target wasn't your machine. The target was your agent.

That's the shift nobody's saying out loud. For years, supply chain attacks went after build servers, CI tokens, the npm account of some overworked maintainer. Now they're aiming at the one process on your machine that has read access to everything, runs untrusted code on reflex, and that you've told to act on your behalf.

Why the agent is the juiciest target in the room

Think about what a coding agent actually is, from an attacker's chair.

  • It runs with your credentials. Your GitHub token, your cloud keys, your 1Password session if it's unlocked. The agent doesn't need to escalate privilege. You already gave it yours.
  • It installs things without thinking. "Add a date library." npm install. The agent doesn't read the package. It doesn't check the maintainer. It runs the lifecycle scripts, because that's what install does. You hired an enthusiastic intern and handed him your company card and a shell.
  • Its config files execute. This is the nasty one. The Shai-Hulud worm doing the rounds since last spring drops a .claude/settings.json and a .vscode/tasks.json into the repo. Open the project in Claude Code or VS Code and the payload runs again. Your editor config is now an execution path.

None of these are bugs. They're the features. The whole point of an agent is that it acts without asking. Convenience and attack surface are the same surface.

It does not stay clumsy

If Malware-Slop were the whole story, you could laugh and move on. It isn't.

Rewind to 19 May. Someone poisoned the real Nx Console extension, the legitimate one, for somewhere between eleven and eighteen minutes on the marketplace. That was long enough. The payload cascaded from a TanStack npm package, into the extension, onto a GitHub employee's laptop, and from there into GitHub's own internal infrastructure.

Roughly 3,800 private repositories walked out the door. The credential stealer specifically looked for Claude Code configurations, 1Password vaults, npm and AWS keys. The data went up for sale at fifty grand.

Same target. Same playbook. The agent's keys, the agent's config, the developer's trust. The only difference between the comedy and the breach is competence, and competence is cheap.

So you have two data points. One attacker who let a model write his malware and tripped over his own shoelaces. One crew that knew exactly what they were doing and emptied GitHub's cupboards in under twenty minutes. They were aiming at the same thing.

Both sides are vibe-coding now

There's a grim symmetry here I can't stop turning over.

We generate code we don't fully read, ship it on the model's confidence, and call it productivity. A quarter of it goes out with known vulnerabilities. Now the people attacking us work the same way. They prompt a model for an infostealer the way we prompt one for a CRUD endpoint, and they ship the slop without reading it either.

Same disease. Opposite ends of the keyboard.

The token-leaking amateur is what the threat looks like today. He won't be representative for long. The tools that let him punch above his skill level get better every month, and the competent crews (see Nx Console) were never the clumsy ones to begin with.

What to actually do

You can't prompt your way out of this. You need boundaries the agent can't talk its way past, the same lesson from the day Claude deleted my database: a rule in a prompt is a suggestion, a system-level constraint is real.

  • Scope the agent's credentials. It does not need a blanket GitHub token with org-wide access. Give it the narrowest scope the task needs, and nothing that can be resold for fifty thousand.
  • Sandbox the workspace. /mnt/user-data existing at all is good design. It means Claude runs somewhere isolated. Keep it that way. Don't run the agent's installs on the same box that holds your real keys.
  • Stop running install scripts you didn't read. npm install --ignore-scripts by default. Pin your lockfile. Treat a new dependency the agent suggests as untrusted until you have looked at it, because the agent won't.
  • Review config files like code. A diff that adds .claude/settings.json or .vscode/tasks.json is a diff that adds an execution path. It belongs in the review, not waved through as "just config".
  • Don't trust the badge. Nx Console was the genuine, verified, popular extension. It was poisoned anyway. Reputation is not integrity.

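As an added example (my code, not anything from the post or the packages it names), here is a small Node pre-merge gate that implements the checks above and the "config files execute" point: it reports npm lifecycle scripts in a dependency's package.json, flags diffs that add .claude/settings.json or .vscode/tasks.json, and confirms that .npmrc sets ignore-scripts. The lifecycle event names are npm's real ones; the sample package and diff paths are constructed.

```javascript
'use strict';

// npm runs these on `npm install` unless ignore-scripts is set.
const LIFECYCLE = ['preinstall', 'install', 'postinstall', 'prepare', 'prepublish'];

// Files the post calls out: opening the project turns them into an execution path.
const CONFIG_EXEC_PATHS = ['.claude/settings.json', '.vscode/tasks.json'];

// Lifecycle scripts declared by a dependency's package.json (already parsed).
function lifecycleScripts(pkg) {
  const scripts = (pkg && pkg.scripts) || {};
  return LIFECYCLE.filter((k) => typeof scripts[k] === 'string')
    .map((k) => ({ name: pkg.name, hook: k, cmd: scripts[k] }));
}

// Paths touched by a diff that must be reviewed as code, not waved through as
// config. Matches at the repo root and in any subdirectory a dependency may add.
function configExecPathsInDiff(changedPaths) {
  return changedPaths.filter((p) =>
    CONFIG_EXEC_PATHS.some((c) => p === c || p.endsWith('/' + c)));
}

// True when an .npmrc file turns install scripts off by default.
function npmrcIgnoresScripts(npmrcText) {
  return npmrcText.split(/\r?\n/).some((line) => {
    const [key, value] = line.split('=').map((s) => s.trim());
    return key === 'ignore-scripts' && value === 'true';
  });
}

// One verdict for the review: block when a hook or config execution path shows up.
function auditReport(pkg, changedPaths, npmrcText) {
  const hooks = lifecycleScripts(pkg);
  const configs = configExecPathsInDiff(changedPaths);
  const scriptsOff = npmrcIgnoresScripts(npmrcText);
  return { hooks, configs, scriptsOff, block: hooks.length > 0 || configs.length > 0 };
}

// Constructed sample inputs: a dependency with a postinstall hook, a diff that
// drops an editor task and a nested agent config, and an .npmrc without the guard.
const samplePkg = {
  name: 'example-formatter', // constructed name, not the package from the post
  version: '1.0.0',
  scripts: { postinstall: 'node ./setup.js', test: 'jest' },
};
const sampleDiffPaths = ['src/index.js', '.vscode/tasks.json',
  'vendor/x/.claude/settings.json', 'README.md'];
const sampleNpmrc = 'registry=https://registry.npmjs.org/\n';

console.log(JSON.stringify(auditReport(samplePkg, sampleDiffPaths, sampleNpmrc), null, 2));
```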
The takeaway

The funniest detail in this whole episode, the attacker leaking his own token, is also the most honest one. It tells you exactly where we are. The barrier to writing malware that targets your agent is now roughly the barrier to writing a formatting utility. Low, and dropping.

Your agent is the most powerful, most trusting, most credentialed thing on your machine. Treat it like one.

Because the next person who points a model at it will remember to take his keys out of the door.

// series: The AI Skeptic (17 of 17)