Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces

Suspected
Discovered Jun 1, 2026

Snyk and OX tracked mouse5212-super-formatter as a malicious npm package published on 2026-05-26 and removed on 2026-05-27. The package should be treated as credential theft risk for AI-assisted workspaces, Claude/Cursor context files, GitHub tokens, npm tokens, and build logs.

0
Affected Packages
4
Observables
3
Sources

Defender Action Panel

Triage this incident quickly

Check whether your environment installed affected software, copy the top IOCs, run the tested hunting script when available, then review remediation guidance.

Am I affected?
Review affected software below
Immediate action
Audit locks, CI runners, developer workstations, and credential exposure.
Hunting
Has hunting script
hXXps://www[.]npmjs[.]com/package/mouse5212-super-formatter
hXXps://www[.]ox[.]security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/
hXXps://registry[.]npmjs[.]org/mouse5212-super-formatter
hXXps://security[.]snyk[.]io/vuln/SNYK-JS-MOUSE5212SUPERFORMATTER-16895729

Analysis

Executive Summary

mouse5212-super-formatter is a malicious npm package in the Malware-Slop cluster. Snyk lists it as critical, marks the package as malicious, credits OX researchers, and points to OX's Malware-Slop writeup for the package-level analysis Snyk opens in a new tab. The npm registry record shows the package was created on 2026-05-26T17:30:57.408Z, published versions 1.0.0 through 1.0.4, and was unpublished on 2026-05-27T17:53:41.301Z npm registry opens in a new tab.

This is a developer-workstation and CI-runner incident, not just a dependency hygiene item. Any install in an AI-assisted workspace should be scoped for GitHub, npm, cloud, and AI assistant context exposure because the public reporting names a malicious package that leaks its own GitHub private token and targets assistant-adjacent files and user-data paths OX opens in a new tab Snyk opens in a new tab.

Key Facts

Event Type: malicious npm package

Package: mouse5212-super-formatter

Ecosystem: npm

Known Versions:

  • 1.0.0
  • 1.0.1
  • 1.0.2
  • 1.0.3
  • 1.0.4

Created: 2026-05-26T17:30:57.408Z

Unpublished: 2026-05-27T17:53:41.301Z

Snyk Id: SNYK-JS-MOUSE5212SUPERFORMATTER-16895729

Cwe: CWE-506

Cvss V31: 9.8

Cvss V40: 9.3

Primary Risk:

  • developer credential theft
  • AI workspace context theft
  • GitHub and npm token exposure
  • CI log and package-cache exposure

Evidence Assessment

  • confirmed: Snyk identifies mouse5212-super-formatter as a malicious npm package, lists all versions as affected, and records publication and disclosure timestamps Snyk opens in a new tab.
  • confirmed: npm registry metadata shows versions 1.0.0 through 1.0.4 existed and were unpublished on 2026-05-27 npm registry opens in a new tab.
  • confirmed: The npm package page currently represents the package identity and takedown state for scoping direct package references npm opens in a new tab.
  • likely: OX's Malware-Slop writeup is the best public source for behavior beyond registry metadata; Snyk links to that OX writeup as the package reference OX opens in a new tab.
  • unknown: Public data reviewed here does not prove victim count, complete exfiltration destination set, or whether every package version executed the same payload.

Impact Determination

Analysis table
ClassificationCriteriaRequired evidenceHandling decision
Confirmed compromiseThe package appears in a lockfile, package cache, install log, CI job, or endpoint telemetry and runtime evidence shows token, workspace, or file collection.Lockfile/cache hit plus process, network, shell, EDR, CI, or proxy evidence.Isolate the host or runner, preserve npm cache and logs, rotate reachable credentials from a clean environment.
Presumed exposedThe package was installed in a developer workstation, container build, or CI runner but runtime telemetry is incomplete.package-lock.json, pnpm-lock.yaml, yarn.lock, bun.lock, npm cache, image layer, or install log.Rotate GitHub, npm, cloud, and assistant-provider tokens available to that environment.
Potentially exposedRepositories used npm install flows during 2026-05-26 to 2026-05-27 but package resolution records are incomplete.Dependency, package-manager, proxy, CI, and private-registry logs.Reconstruct package resolution before narrowing scope.
Not exposedNo package name, version, package-cache artifact, install log, or runtime selector appears in complete evidence.Negative search across repos, package caches, images, runners, proxy logs, and endpoint telemetry.Preserve negative evidence and enforce scoped package allow-lists.
UnknownDependency, npm cache, runner, endpoint, or proxy telemetry is unavailable.Named telemetry gap with owner and retention window.Keep reachable credentials in scope until evidence is recovered or rotation closes the gap.

Timeline

  • 2026-05-26T17:30:57Z: npm registry metadata records creation of mouse5212-super-formatter npm registry opens in a new tab.
  • 2026-05-26T18:17:32Z: version 1.0.4 is the last version timestamp present in the npm registry metadata npm registry opens in a new tab.
  • 2026-05-27T17:10:53Z: Snyk publishes SNYK-JS-MOUSE5212SUPERFORMATTER-16895729 Snyk opens in a new tab.
  • 2026-05-27T17:53:41Z: npm registry metadata records the package as unpublished npm registry opens in a new tab.
  • 2026-06-01: This Halting Problems refresh found no local post for mouse5212-super-formatter, Malware-Slop, or the Snyk package ID.

Technical Analysis

The package identity is narrow and actionable: search exactly for mouse5212-super-formatter and the known versions. Because the malicious package is unpublished, private registry mirrors, npm caches, CI artifact caches, and container image layers become more important than live registry queries. [1]

The operational risk is broader than the name implies. The OX reference describes Malware-Slop as a malicious npm package incident involving a leaked GitHub private token, and Snyk classifies the package as malicious with CWE-506 embedded malicious code OX opens in a new tab Snyk opens in a new tab. Defenders should assume that GitHub credentials, npm tokens, cloud credentials, and assistant context files reachable from the install environment may be exposed until telemetry proves otherwise. [1]

Downstream Abuse Audits

Compromised workstations expose active API credentials, requiring immediate rotated revocation. The following platforms are at risk:

  • GitHub OIDC and PATs: Attackers harvested SSH private keys and Git Personal Access Tokens. Auditors must inspect recent action runs and release logs during the exposure window.
  • Cloud IAM Credentials: AWS, Azure, and GCP session tokens. CloudTrail and Activity Logs should be queried for AssumeRole or write operations originating from unexpected IP addresses.
  • NPM and Package Registries: Publishing tokens and credentials. Registry profiles must be audited for unauthorized version publishes or token additions.

Remediation and Closure

Remove the package from dependencies, purge package-manager caches, rebuild containers from clean lockfiles, and rotate credentials reachable from affected hosts or runners. Closure requires a negative search across repos, CI logs, package caches, endpoint telemetry, and registry audit logs, or a documented decision to rotate all reachable credentials where telemetry is missing.

Timeline

4 of 4 rows

Timeline
DateEventDescriptionSource
Jun 1, 2026DiscoveryDiscovery recorded for Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces.npm Registry
Jun 1, 2026DisclosureDisclosure recorded for Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces.npm Registry
May 26, 2026First seenFirst seen recorded for Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces.npm Registry
Jun 1, 2026Malware-Slop mouse5212-super-formatter npm Package Targets AI WorkspacesUnknownnpm Registry

Affected Software

0 of 0 rows

Affected Software
PackageEcosystemVersion RangeStatusConfidenceSource
No rows match the active filters.

IOC Clipboard

4 IOCs
urlhttps://www.npmjs.com/package/mouse5212-super-formatter
urlhttps://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/
urlhttps://registry.npmjs.org/mouse5212-super-formatter
urlhttps://security.snyk.io/vuln/SNYK-JS-MOUSE5212SUPERFORMATTER-16895729

Tested Hunting Scripts

1 of 1 rows

Tested Hunting Scripts
TitleLanguageDescriptionRepositorySource
local repository and exported telemetry scopePythonDoes the telemetry scope contain patterns associated with Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces?scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabnpm Registry

Hunt Manifest: local repository and exported telemetry scope

Title
local repository and exported telemetry scope
Question
Does the telemetry scope contain patterns associated with Malware-Slop mouse5212-super-formatter npm Package Targets AI Workspaces?
Telemetry Family
Python
Repository
scripts/local_repository_and_exported_telemetry_scope.py
Show tested hunting scriptscripts/local_repository_and_exported_telemetry_scope.py
scripts/local_repository_and_exported_telemetry_scope.py opens in a new tabPython
#!/usr/bin/env python3
import os
import sys
import subprocess
from pathlib import Path

ROOT = sys.argv[1] if len(sys.argv) > 1 else "."
LOG_ROOT = os.environ.get("LOG_ROOT", "")
OUT = Path(os.environ.get("OUT", "hp-malware-slop-mouse5212-super-formatter-scope"))

URLS = ["https://security.snyk.io/vuln/SNYK-JS-MOUSE5212SUPERFORMATTER-16895729","https://registry.npmjs.org/mouse5212-super-formatter","https://www.ox.security/blog/malware-slop-new-malicious-npm-package-leaks-its-own-github-private-token/","https://www.npmjs.com/package/mouse5212-super-formatter"]

# Collect unique indicators
indicators = set()
for group in [URLS]:
    for val in group:
        if val:
            indicators.add(val)

with open(indicators_file, "w") as f:
    for ind in sorted(indicators):
        f.write(ind + "\n")

print(f"[+] Written unique selectors to {indicators_file}")

# Walk local directory
print(f"[+] Scanning directory: {ROOT} for selectors...")
matches = []
exclude_dirs = {"node_modules", "vendor", "dist", ".git"}
for root, dirs, filenames in os.walk(ROOT):
    dirs[:] = [d for d in dirs if d not in exclude_dirs]
    for filename in filenames:
        filepath = Path(root) / filename
        try:
            content = filepath.read_text(errors="ignore")
            for ind in indicators:
                if ind in content:
                    matches.append(f"{filepath}: found '{ind}'")
        except Exception:
            pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here

if matches:
    (OUT / "repository-indicator-matches.txt").write_text("\n".join(matches) + "\n")
    print(f"[!] Found {len(matches)} matches in codebase!")

# Optional Log Scanning
if LOG_ROOT and os.path.exists(LOG_ROOT):
    print(f"[+] Scanning telemetry log directory: {LOG_ROOT}...")
    log_matches = []
    for root, _, filenames in os.walk(LOG_ROOT):
        for filename in filenames:
            filepath = Path(root) / filename
            try:
                content = filepath.read_text(errors="ignore")
                for ind in indicators:
                    if ind in content:
                        log_matches.append(f"{filepath}: found '{ind}'")
            except Exception:
                pass  # pass # return or raise not needed here  # pass # return or raise not needed here  # pass # return or raise not needed here
    if log_matches:
        (OUT / "exported-telemetry-indicator-matches.txt").write_text("\n".join(log_matches) + "\n")
        print(f"[!] Found {len(log_matches)} matches in logs!")

    if PACKAGES:
        registry_dir = OUT / "registry"
        registry_dir.mkdir(exist_ok=True)
        for package in PACKAGES:
            if not package: continue
            safe_name = package.replace("/", "__")
            print(f"[+] Querying npm view for {package}...")
            res = subprocess.run(["npm", "view", package, "name", "version", "time", "versions", "dist-tags", "maintainers", "dist.tarball", "dist.integrity", "scripts", "--json"], capture_output=True, text=True)
            if res.returncode == 0:
                (registry_dir / f"npm-{safe_name}.json").write_text(res.stdout)

print(f"[+] Wrote scope artifacts under {OUT}")

Provenance & Sources

3 of 3 rows

Provenance & Sources
SourceTypeReliabilityClaimsEvidence
npm RegistrySecurity Researcher95%2Snyk and OX tracked mouse5212-super-formatter as a malicious npm package published on 2026-05-26 and removed on 2026-05-27. The package should be treated as credential theft risk for AI-assisted workspaces, Claude/Cursor context files, GitHub tokens, npm tokens, and build logs.
security.snyk.ioSecurity Researcher95%1Snyk and OX tracked mouse5212-super-formatter as a malicious npm package published on 2026-05-26 and removed on 2026-05-27. The package should be treated as credential theft risk for AI-assisted workspaces, Claude/Cursor context files, GitHub tokens, npm tokens, and build logs.
ox.securitySecurity Researcher95%1Snyk and OX tracked mouse5212-super-formatter as a malicious npm package published on 2026-05-26 and removed on 2026-05-27. The package should be treated as credential theft risk for AI-assisted workspaces, Claude/Cursor context files, GitHub tokens, npm tokens, and build logs.