An npm Package Hardcoded the Path Where Your AI Coding Agent Stores Files. That String Is the New ~/.aws/credentials.
The funny part of this story and the scary part are the same fact.
In late May, OX Security researchers Moshe Siman Tov Bustan and Nir Zadok found an npm package named mouse5212-super-formatter that presented itself as an internal "archive deployment sync" utility. What it actually did was authenticate to GitHub, create a repository under an attacker-controlled account, recursively walk a local directory, and upload every file it found through the GitHub Contents API, base64-encoded and filed under randomized per-session folder names. The package was sloppy enough that it leaked its own hardcoded GitHub private token, which is how the researchers traced and analyzed the exfiltration directly. That is the funny part. The scary part is that it worked anyway, and that the directory it walked was not a lucky guess.
The clumsy package that did not need to be clever
This was, by any craftsmanship standard, bad malware. The operator's GitHub account was created only hours before the first npm upload and deleted after exposure. The token that authenticated the exfiltration was embedded as a hardcoded fallback in the code itself, which is the operational equivalent of leaving your name and return address inside the ransom note. Of the roughly seven exfiltration sessions OX observed, most appear to be the operator testing the tool rather than hitting real victims.
And yet the package still functioned: it reached 676 downloads before it was eventually removed, and it was still live on npm at the time OX published. The reason this matters is not that one incompetent actor got 676 downloads. It is that competence was supposed to be the limiting factor, and it no longer is. OX put the shift plainly: "Now that the bar to create malicious code was reduced significantly, we're going to see more threat actors getting into the game." When the cost of building working malware drops toward zero, the population of people who can ship something functional expands to include people who cannot keep their own credentials out of the payload. The floor moved, and the floor is what defenders have to plan against.
The same directory, attacked a year earlier by an unrelated vector
The second detail is the one that turns an isolated curiosity into a pattern. The directory mouse5212-super-formatter recursively walked was /mnt/user-data, the documented, standardized location where Claude stores user uploads and Code Interpreter outputs (under /mnt/user-data/outputs/). It is a sensible design choice: a predictable workspace path is exactly what you want when an agent needs a stable place to read inputs and write generated files. The same reasonable decision shows up across the whole category. OpenAI's Code Interpreter standardized on /mnt/data for uploaded files and generated output for the same reason, the independent tools built on top of both labs make the same call, and each one ships a consistent local data path to millions of developer machines. The local attack surface these tools create on the developer's own machine is still mostly discussed in terms of code execution and sandbox escape; the residue they leave on disk draws far less attention.
That consistency is also the problem, and it is not hypothetical. In 2025, the researcher behind Embrace The Red demonstrated that this same /mnt/user-data directory was exfiltratable through prompt injection, a completely separate attack class with nothing in common with a malicious npm dependency. One vector is a poisoned instruction reaching the model; the other is a supply-chain package reaching the filesystem. They share neither mechanism nor threat actor. What they share is the destination. That both public demonstrations so far landed on the same path reflects where researchers happened to look first rather than a verdict on any one tool, because the convention they exploited is universal. Two unrelated vectors reach the same room, and both walk straight to the same door because the door is always in the same place.
The pattern: recon collapsed into a string literal
Traditional file-stealing malware has to solve a reconnaissance problem on every machine it lands on. It has to work out where the interesting data lives, what it is called, and which user profile holds it. That per-machine discovery is friction, and friction is where defenders historically catch things, because reconnaissance generates behavior worth alerting on.
A standardized agent workspace removes that friction. There is no recon step when the valuable directory has the same absolute path on every target, because the recon answer can be written once, as a string literal, by an author who never has to think about it again. That is precisely what mouse5212-super-formatter did: it did not search, it walked a hardcoded path. A per-machine problem became one constant, and a constant is something an unsophisticated actor, or an AI generating code for one, can hardcode without understanding why it works.
This is not a new species of risk so much as the agentic-era entry in a long lineage. ~/.aws/credentials became a named target. So did ~/.ssh/ and the .env file sitting in the project root. Each of those started as a reasonable convention that made developers' lives easier, and each became a place attackers learned to look first precisely because the convention guaranteed they would find it there. The scale of the underlying market is not in question: Sonatype counted 21,764 open-source malware packages in Q1 2026, roughly 75% of them on npm and heavily weighted toward credential theft. The agent workspace is the next convention to join that list, and the AI-slop wave OX describes is the mechanism that will populate it. As OX put it, expect "more sloppy malwares, mostly mimicking APT groups to get a slice of the cake until npm starts automatically blocking malware completely."
The principle: defenders have not inventoried this surface
The gap here is not on the vendor side. A standardized workspace path is a defensible engineering decision, and the labs shipping these tools are not doing anything careless by giving an agent a consistent place to work. The gap is that the defensive muscle memory does not exist yet. We learned, eventually, to treat ~/.aws/credentials as a monitored asset. We have not yet learned to treat the agent workspace the same way, and the incident coverage reflects that: the practical guidance offered was to revoke exposed GitHub tokens and treat affected directories as compromised. That is correct, and it is also incident cleanup, not a posture.
A posture looks like four concrete additions, and none of them require a vendor to change anything:
- Inventory the workspace path. Find the standardized directory each agentic coding tool your developers run writes to locally, and add that absolute path to your asset inventory as a sensitive location. You cannot monitor what you have not named.
- Write the DLP and EDR rule. Most teams have a policy for what touches ~/.ssh/ and no policy at all for what reads from the agent workspace, because the detection stack was built for human file activity, not for agent workspaces. Create the detection: which processes read recursively from that directory, and which of them subsequently make outbound network calls to a code-hosting API.
- Add the vendor-questionnaire row. Your due-diligence questionnaire almost certainly asks about credential storage. It almost certainly does not ask what an agentic tool accumulates in its local workspace, how long it persists, and which processes on the machine can read it. That is a row standard procurement questionnaires were never written to ask about. Add it.
- Treat the workspace as data-at-rest, not scratch space. Generated outputs, uploaded files, and intermediate artifacts collect in that directory and stay there. Apply the same retention and access controls you would apply to any other location holding that material.
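One shape the detection in the second item could take, as an added example that is not from OX's writeup or any vendor's product: a correlation rule over process telemetry that flags a process reading many distinct files under a workspace root and only then connecting to a code-hosting API, so that ordinary git pushes and connect-before-read activity do not fire. The event schema, the list of workspace roots, the host list, the threshold and the sample events are all assumptions constructed for the example.

```python
from collections import defaultdict, namedtuple

# Assumption: workspace roots to watch; the page names these two conventions.
WORKSPACE_ROOTS = ("/mnt/user-data", "/mnt/data")
# Assumption: destinations treated as code-hosting APIs for this rule.
CODE_HOSTING_HOSTS = {"api.github.com", "gitlab.com", "api.bitbucket.org"}
MIN_FILES_READ = 5  # distinct workspace files that count as a recursive walk

# kind is "open" (file read, target = path) or "connect" (outbound, target = host)
Event = namedtuple("Event", "ts pid proc kind target")

def in_workspace(path):
    """True if path is a workspace root or anything beneath it (not a sibling like /mnt/data-old)."""
    return any(path == r or path.startswith(r + "/") for r in WORKSPACE_ROOTS)

def detect(events):
    """Return (pid, proc, files_read, host) for each process that read at least
    MIN_FILES_READ distinct workspace files and *then* connected to a code-hosting
    host. Order matters: reads that happen after the connect do not count."""
    reads, alerted, alerts = defaultdict(set), set(), []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "open" and in_workspace(e.target):
            reads[e.pid].add(e.target)
        elif e.kind == "connect" and e.target in CODE_HOSTING_HOSTS:
            if len(reads[e.pid]) >= MIN_FILES_READ and e.pid not in alerted:
                alerted.add(e.pid)  # one alert per process, not one per connection
                alerts.append((e.pid, e.proc, len(reads[e.pid]), e.target))
    return alerts

# Constructed sample telemetry, not real logs. pid 4242 models the walk-then-upload
# pattern; 4300 is ordinary git work; 4400 connects before it reads, so no alert.
SAMPLE_EVENTS = [
    Event(1, 4242, "node", "open", "/mnt/user-data/uploads/spec.pdf"),
    Event(2, 4242, "node", "open", "/mnt/user-data/uploads/budget.xlsx"),
    Event(3, 4242, "node", "open", "/mnt/user-data/outputs/report.md"),
    Event(4, 4242, "node", "open", "/mnt/user-data/outputs/chart.png"),
    Event(5, 4242, "node", "open", "/mnt/user-data/outputs/summary.csv"),
    Event(6, 4242, "node", "connect", "api.github.com"),
    Event(7, 4300, "git", "open", "/home/dev/project/src/main.js"),
    Event(8, 4300, "git", "connect", "api.github.com"),
    Event(9, 4400, "python3", "connect", "api.github.com"),
] + [Event(10 + i, 4400, "python3", "open", f"/mnt/data/f{i}.txt") for i in range(6)]

if __name__ == "__main__":
    for pid, proc, n, host in detect(SAMPLE_EVENTS):
        print(f"ALERT pid={pid} proc={proc}: read {n} workspace files, then connected to {host}")
```

In a real deployment the events would come from your EDR or auditd stream and the threshold would be tuned against the agent's own legitimate file activity.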
The useful takeaway from mouse5212-super-formatter is not that an incompetent actor leaked his own token. It is that he never had to write a reconnaissance routine, because the industry already wrote the answer for him and shipped it to every developer machine as /mnt/user-data. The next package will be built as carelessly and will work just as well, and the difference between the teams that catch it and the teams that clean up after it is whether that path is already a line in their asset inventory before the package arrives. This is the same trust-model failure I traced in npm's architecture after the Axios hijack and the same capability-is-not-the-hard-part lesson from VoidLink's AI-generated malware framework: the cost of building the attack fell, the predictability of the target rose, and the only variable left under your control is whether you inventoried the door before someone walked through it.