OX Security researchers discovered a malicious npm package named mouse5212-super-formatter acting as an infostealer that exfiltrates files from victim machines by routing stolen data through GitHub infrastructure. The threat actor hardcoded their own private GitHub token directly into the package, inadvertently leaking it and allowing researchers to identify and investigate the campaign. The package was reported and removed following disclosure. This incident represents an active supply-chain attack that abuses GitHub as a command-and-control or exfiltration endpoint, a growing pattern in malicious open-source package campaigns. Organizations using npm dependencies should audit their package inventories and monitor for unexpected GitHub API traffic originating from build or runtime environments.
- Malware-Slop: New Malicious npm Package Leaks Its Own GitHub Pri(opens in a new tab)
- AI-Generated npm Malware Leaks Its Own GitHub Token - Infosecuri(opens in a new tab)
- CISA warns that Nx Console and GitHub repositories abused in mul(opens in a new tab)