Executive Summary
mouse5212-super-formatter is a malicious npm package in the Malware-Slop cluster. Snyk lists it as critical, marks the package as malicious, credits OX researchers, and points to OX's Malware-Slop writeup for the package-level analysis Snyk opens in a new tab. The npm registry record shows the package was created on 2026-05-26T17:30:57.408Z, published versions 1.0.0 through 1.0.4, and was unpublished on 2026-05-27T17:53:41.301Z npm registry opens in a new tab.
This is a developer-workstation and CI-runner incident, not just a dependency hygiene item. Any install in an AI-assisted workspace should be scoped for GitHub, npm, cloud, and AI assistant context exposure because the public reporting names a malicious package that leaks its own GitHub private token and targets assistant-adjacent files and user-data paths OX opens in a new tab Snyk opens in a new tab.