A malicious npm package, "mouse5212-super-formatter", was designed to steal sensitive information from Claude users and garnered 676 downloads before its removal. The attacker's coding mistake, however, proved to be their downfall: they inadvertently leaked their own GitHub private token. This error allowed OX Security researchers to track the stolen files and analyze the malware, and they ultimately issued a warning that more threat actors may upload similarly sloppy malware. The fact that the malware was AI-generated and attempted to mimic advanced persistent threat groups suggests a growing trend of threat actors attempting to capitalize on the popularity of platforms like npm. The implications of this incident extend beyond the immediate target, as state-aligned threat activity can raise the stakes from mere criminal activity to geopolitical concerns. This incident matters to practitioners because it highlights the need for increased vigilance and automated malware blocking to prevent similar attacks.