A newly identified malicious npm package, 'mouse5212-super-formatter', leaked its own hardcoded GitHub token, allowing researchers to observe data theft as it unfolded. Disguised as a sync utility, the package read files from victim machines and uploaded them to an attacker-controlled repository, while attempting to blend in. The mistake of including a GitHub credential in the package led to the discovery of multiple theft sessions.
The incident illustrates a growing trend of low-quality, AI-assisted malware from less skilled actors, and points to a potential rise in such threats. Users who installed the package are urged to revoke their GitHub tokens, because their files were compromised.
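
To check whether a project pulled in the package named above, directly or as a transitive dependency, its npm lockfile can be searched. This is an added example, not code from the report or the researchers; `findPackage`, `SAMPLE_LOCK` and the version string in the sample are constructed for illustration.

```javascript
// Added example: search an npm lockfile for the package named in this report.
const SUSPECT = "mouse5212-super-formatter"; // name taken from the report

// Return [{ path, version }] for every install of `name` in a parsed lockfile.
function findPackage(lock, name = SUSPECT) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`)) {
      hits.push({ path, version: meta.version || "unknown" });
    }
  }
  // lockfileVersion 1 (also kept in v2 for compatibility): nested "dependencies".
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${dep}`;
      if (dep === name) hits.push({ path, version: meta.version || "unknown" });
      walk(meta.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  // A v2 lockfile records the same install in both sections; keep one per path.
  const seen = new Set();
  return hits.filter((h) => !seen.has(h.path) && seen.add(h.path));
}

// Constructed sample: the package arrives as a transitive dependency.
const SAMPLE_LOCK = {
  name: "demo-app", lockfileVersion: 2,
  packages: {
    "": { name: "demo-app", version: "1.0.0" },
    "node_modules/some-tool": { version: "2.0.0" },
    "node_modules/some-tool/node_modules/mouse5212-super-formatter": { version: "0.0.0-constructed" },
  },
  dependencies: {
    "some-tool": { version: "2.0.0", dependencies: {
      "mouse5212-super-formatter": { version: "0.0.0-constructed" } } },
  },
};

// Usage: node check.js path/to/package-lock.json (falls back to the sample).
const file = typeof require === "function" ? process.argv[2] : undefined;
const lock = file ? JSON.parse(require("fs").readFileSync(file, "utf8")) : SAMPLE_LOCK;
console.log(findPackage(lock));
```

An empty result only means the lockfile does not reference the package; a machine where it was installed earlier and later removed would not show up this way.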