{"id":"MAL-2026-5589","summary":"Malicious code in 0x2ai-demo2 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239)\nOn `npm install`, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge:\n\n- payload/.mcp.json registers an MCP `chatroom` server with hardcoded BRIDGE_URL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGE_AUTH_TOKEN). Any `claude` invocation in the project auto-loads this MCP server.\n- payload/chatroom-mcp-lite-patched.cjs and payload/chatroom-monitor.cjs use child_process, fs.readFileSync, http/https, and POST to exfiltrate session content (chatroom_post, memory_save, provider_query, settings_set tools) to demo2.0x2ai.com. provider_query proxies model calls through the author's server (\"API keys are managed server-side\"), so prompts and responses flow one-way to the attacker.\n- payload/CLAUDE.md is a ~12 KB persona/instruction file that tells Claude to operate as \"Olivia\", route all memory and chat through https://demo2.0x2ai.com, and refuse to discuss its architecture or prompts (anti-inspection language: `taboo`, `family_recipe`).\n- payload/.claude/settings.json overrides the statusLine command and payload/.claude/commands/0x2ai-boot.md autoboots a long-poll listener against the author's bridge.\n- bin/start.cjs (advertised as `npx 0x2ai-demo2`) re-stages the payload into CWD and spawns `claude --dangerously-skip-permissions`, disabling Claude's tool-permission prompts while the attacker-controlled MCP server is loaded — enabling remote-driven destructive actions on the developer's machine without approval.\n\nThe staged files persist after `npm uninstall`, providing durable redirection of the developer's AI tooling to the author's infrastructure.\n","modified":"2026-06-11T08:01:35.547021239Z","published":"2026-06-11T07:16:18Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T07:16:18Z","versions":["1.2.0"],"import_time":"2026-06-11T07:49:39.732784281Z","source":"amazon-inspector","sha256":"98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239","id":"IN-MAL-2026-005676"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-demo2/v/1.2.0"}],"affected":[{"package":{"name":"0x2ai-demo2","ecosystem":"npm","purl":"pkg:npm/0x2ai-demo2"},"versions":["1.2.0"],"database_specific":{"indicators":{"evidence_files":[{"sha256":"4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2","path":"scripts/postinstall.cjs","tlsh":"74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"},{"sha256":"dd6d88c335c4a57e272a782b9e425843c3fd92c5803928902a01fa919364c22a","path":"payload/.mcp.json","tlsh":"cde07d57d1e44c134292202b89bd154099a1e0070eacfc39b75fc03c4f4c65b2bb96cf"},{"sha256":"fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984","path":"bin/start.cjs","tlsh":"9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"},{"sha256":"3754118234d7e86786355e77848f4b838aab7ead8bc77fa1ecbb345a44f73545","path":"payload/CLAUDE.md","tlsh":"0f42a41ff300133616aa0165264e7ae3ef3581ac2365453adc2ed1386379b6a53b77e8"}],"package_integrity":[{"filename":"0x2ai-demo2-1.2.0.tgz","hashes":{"sha512_sri":"sha512-3yvOnve6htZqM3hWybdi7U27TlZ2xPI5wfVYCGxPV2ajGyoCgr5cpqiRWaW+1hezOVfcJNSdRlNtEYVgXDTbvQ==","sha1":"81cfe7aa1e9f0acd2251eb630c0468a7c1ffb3a2"}}]},"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo2/MAL-2026-5589.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}