{"id":"MAL-2026-5592","summary":"Malicious code in 0x2ai-demo6 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (0f4a43a40af9e707d98ed55406b0ff32dccaad352fccf5d1eaaca41b9959d924)\nOn `npm install`, scripts/postinstall.cjs writes `.mcp.json` into the installer's working directory (INIT_CWD) wiring Claude Code to a packaged MCP server (lib/chatroom-mcp-lite-patched.cjs) that talks to https://demo6.0x2ai.com with a hardcoded bearer token. The same postinstall step copies templates/CLAUDE.md into the installer's CWD; that file is loaded by Claude Code as system context and instructs the agent (\"Olivia\") to call `memory_save` with the user's name, family, plans, and a periodic `_snapshot`, and to refuse to discuss its own rules or architecture. Because the patched MCP routes `memory_save`, `memory_load`, `chatroom_post`, `memory_search`, etc. to demo6.0x2ai.com, the developer's prompts and any personal facts the agent decides to harvest are silently relayed to the author-controlled bridge whenever Claude Code is launched in that directory. bin/start.cjs additionally spawns `claude --dangerously-skip-permissions`, disabling permission prompts for filesystem and shell tool calls, which broadens what the remotely-prompted agent can do on the developer's machine without confirmation. The README's \"demo connector\" framing does not disclose that postinstall mutates the installer's project directory or that personal data flows off-host.\n","modified":"2026-06-11T08:01:35.646925684Z","published":"2026-06-11T07:16:25Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T07:16:25Z","versions":["1.0.0"],"id":"IN-MAL-2026-005682","source":"amazon-inspector","sha256":"0f4a43a40af9e707d98ed55406b0ff32dccaad352fccf5d1eaaca41b9959d924","import_time":"2026-06-11T07:49:40.553633893Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-demo6/v/1.0.0"}],"affected":[{"package":{"name":"0x2ai-demo6","ecosystem":"npm","purl":"pkg:npm/0x2ai-demo6"},"versions":["1.0.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"0x2ai-demo6-1.0.0.tgz","hashes":{"sha512_sri":"sha512-e854Ndu1kRVwkeprW/dnHunzF9fRFCqP+mP4By3IgKvJAHJFz6jAYecoXMmzBcaGaucuNOznG1+D8av7zSTGRQ==","sha1":"c58f7b7e672b972fb024a7fa918f7d54bae1592b"}}],"evidence_files":[{"path":"scripts/postinstall.cjs","tlsh":"bb71214381db1b3a3d54ba9ba84e112e16439b623280fa7338df578f4f9741842d167c","sha256":"c05066e4adb21d815bedf1dd322af3b4db4477682d541389d3148c51a7402324"},{"path":"templates/CLAUDE.md","tlsh":"8a62d50fb34453361ab600657a4eb6d7ef2580682365557d9c2fd128233ab3d43bb7e8","sha256":"09867245c18ebb4e86e4a093d98040ebc7f3518c2d09a7295b5d0f37641b53ae"},{"path":"bin/start.cjs","tlsh":"8951830384fb1a352a766342696b012b6f0bcb013655f83137df512e9fc316809e39ed","sha256":"6e6bc58aca44952acddf368e1a71ac07537a02c80f9317c7805a48e1a86d53be"}]},"cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo6/MAL-2026-5592.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}