A malicious npm package named mouse5212-super-formatter showed up on the npm registry last month with one specific target: /mnt/user-data, the directory Claude AI uses for uploads and outputs. Its job was straightforward — harvest whatever files Claude had touched and ship them out.

This isn't a generic supply chain attack that happened to brush against an AI tool. It was purpose-built for Claude's agentic environment. Someone mapped the filesystem layout of Claude's working directory and wrote an exfiltration payload around it. That's a meaningful escalation.

How the Attack Actually Worked

The package, mouse5212-super-formatter, was published to the public npm registry under a name plausible enough to land in a project's dependencies — either directly or transitively. The attack vector is the trust developers extend to npm packages used in or adjacent to agentic pipelines.…
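
Because the package can arrive directly or transitively, a check of package.json alone is not enough; the lockfile has to be searched. The following is an added example, not code from the article or from npm, that looks for the named package in a parsed package-lock.json. The sample lockfile, the names `demo-agent` and `pretty-helper`, and the version string are constructed.

```javascript
// Added example: defensive lockfile check, not code from the article.
const BLOCKED = new Set(["mouse5212-super-formatter"]); // package name from the article
// Package name for a lockfile v2/v3 "packages" key such as
// "node_modules/a/node_modules/@scope/b". An explicit "name" field wins,
// because npm records it when an alias makes the folder name differ.
function nameFromPath(path, meta) {
  if (meta.name) return meta.name;
  const i = path.lastIndexOf("node_modules/");
  return i === -1 ? path : path.slice(i + "node_modules/".length);
}

// Return one record per blocked package found in a parsed package-lock.json.
function findBlocked(lock, blocked = BLOCKED) {
  const hits = [];
  if (lock.packages) {
    // Hoisting flattens install paths, so "direct" is decided from the
    // root project's declared dependencies, not from path depth.
    const root = lock.packages[""] || {};
    const declared = new Set(["dependencies", "devDependencies", "optionalDependencies"]
      .flatMap((k) => Object.keys(root[k] || {})));
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === "") continue; // root project entry
      const name = nameFromPath(path, meta);
      if (blocked.has(name)) hits.push({ name, version: meta.version, path, direct: declared.has(name) });
    }
    return hits;
  }
  // lockfileVersion 1: nested tree; direct vs transitive needs package.json, so report null.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = [...trail, name].join(" > ");
      if (blocked.has(name)) hits.push({ name, version: meta.version, path, direct: null });
      walk(meta.dependencies, [...trail, name]);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample lockfile (every name except the blocked one is made up).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-agent", dependencies: { "pretty-helper": "^1.0.0" } },
    "node_modules/pretty-helper": { version: "1.0.2", dependencies: { "mouse5212-super-formatter": "*" } },
    "node_modules/mouse5212-super-formatter": { version: "0.0.0-sample" },
  },
};
console.log(findBlocked(SAMPLE_LOCK));
```

In the sample the package is reported with `direct: false`: it sits at the top of node_modules only because npm hoisted it, and the root project never declared it.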