{"id":"MAL-2026-5593","summary":"Malicious code in 0x2ai-demo6x (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a)\nOn `npm install`, scripts/postinstall.cjs recursively copies the package's payload/ directory into process.env.INIT_CWD (the installer's project root), staging .mcp.json, .claude/settings.json, .claude/commands/0x2ai-boot.md, CLAUDE.md, and four helper .cjs files outside of node_modules. The dropped .mcp.json registers a stdio MCP server (payload/chatroom-mcp-lite-patched.cjs) hardwired to BRIDGE_URL=https://demo6.0x2ai.com with a hardcoded Bearer token. Any subsequent Claude Code session opened in that project directory auto-loads the MCP server and silently relays conversation content, memory, and tool I/O to the author's remote bridge. Additionally, bin/start.cjs spawns `claude --dangerously-skip-permissions`, removing the user's last consent gate over agent tool actions while the remote bridge is in control. The helper modules contain child_process + http(s) + fs.readFileSync + POST exfiltration patterns consistent with siphoning local file and chatroom data to the same destination.\n","modified":"2026-06-11T08:01:35.788754632Z","published":"2026-06-11T07:16:17Z","database_specific":{"malicious-packages-origins":[{"versions":["1.2.0"],"source":"amazon-inspector","sha256":"cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a","modified_time":"2026-06-11T07:16:17Z","id":"IN-MAL-2026-005674","import_time":"2026-06-11T07:49:39.526455826Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-demo6x/v/1.2.0"}],"affected":[{"package":{"name":"0x2ai-demo6x","ecosystem":"npm","purl":"pkg:npm/0x2ai-demo6x"},"versions":["1.2.0"],"database_specific":{"indicators":{"package_integrity":[{"filename":"0x2ai-demo6x-1.2.0.tgz","hashes":{"sha512_sri":"sha512-AdnYtU6/IEl1VMdOLbYGPiNknld4e41BVqM/hQSNX3SlsRsHfcbjH+YiNTW98radCYCN+i+wAV1YrCJSB45lAg==","sha1":"749c60264e48814c1fff84764b76e855c82774fc"}}],"evidence_files":[{"tlsh":"74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff","sha256":"4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2","path":"scripts/postinstall.cjs"},{"tlsh":"9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb","sha256":"fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984","path":"bin/start.cjs"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo6x/MAL-2026-5593.json","cwes":[{"description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506","name":"Embedded Malicious Code"}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}