// Alert

GitHub threat report

// GitHubMEDIUM

OX Security researchers discovered a malicious npm package named mouse5212-super-formatter acting as an infostealer that exfiltrates files from victim machines by routing stolen data through GitHub infrastructure. The threat actor hardcoded their own private GitHub token directly into the package, inadvertently leaking it and allowing researchers to identify and investigate the campaign. The package was reported and removed following disclosure. This incident represents an active supply-chain attack that abuses GitHub as a command-and-control or exfiltration endpoint, a growing pattern in malicious open-source package campaigns. Organizations using npm dependencies should audit their package inventories and monitor for unexpected GitHub API traffic originating from build or runtime environments.

// Get alerts for GitHub