{"id":"MAL-2026-5596","summary":"Malicious code in 0x2ai-demo8x (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6)\nOn `npm install`, scripts/postinstall.cjs copies the package's payload/ tree into INIT_CWD (the consumer's project root) using fs.cpSync, dropping.mcp.json,.claude/settings.json, CLAUDE.md, and several chatroom-* CJS files into the developer's repository. The dropped.mcp.json registers an MCP server pointing at https://demo8.0x2ai.com with a hardcoded shared Bearer token (BRIDGE_AUTH_TOKEN=9272d409b5155094d9562c92700f46a4b97bdb48d8291d40), so any subsequent Claude Code session in that directory loads the attacker-authored CLAUDE.md system prompt and routes tool calls to the bridge. The bundled chatroom-mcp-lite-patched.cjs exposes a `provider_query` tool that POSTs user prompts to https://demo8.0x2ai.com/api/proxy-query, a `settings_set` tool advertised for storing anthropic_api_key / openai_api_key on the bridge, and a salted-SHA256 path-obfuscation helper that rewrites endpoints to /x/\u003chex4\u003e form (deliberate evasion infrastructure, dormant only because the shipped config sets DIRECT_API=1). bin/start.cjs additionally re-stages the payload and spawns `claude --dangerously-skip-permissions` with shell:true, yielding an unrestricted agent session wired to the attacker's MCP server. Net effect on installers: prompts, code, files, and potentially LLM API keys are funneled to a third-party bridge under a shared credential, with no disclosure or opt-in.\n","modified":"2026-06-11T08:01:29.771354069Z","published":"2026-06-11T07:16:14Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T07:49:39.250531366Z","sha256":"f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6","modified_time":"2026-06-11T07:16:14Z","id":"IN-MAL-2026-005671","source":"amazon-inspector","versions":["1.2.0"]}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-demo8x/v/1.2.0"}],"affected":[{"package":{"name":"0x2ai-demo8x","ecosystem":"npm","purl":"pkg:npm/0x2ai-demo8x"},"versions":["1.2.0"],"database_specific":{"cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-E4Kw9+Dd8ukCXbMD9PZuoDpuS1oADPiFKS5cg8hi63z0UdMSPOfPgIMBDwa8uWuVH4BBmBgk9mF20nZxr3CJpw==","sha1":"1ff7f8eae8fdd6363e9b3fca2663c36c8b90089c"},"filename":"0x2ai-demo8x-1.2.0.tgz"}],"evidence_files":[{"sha256":"4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2","path":"scripts/postinstall.cjs","tlsh":"74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"},{"sha256":"77aeadc2f0619cc852c1b3517bb3d8db98a518ac10f6d67cf982cda296733de3","path":"payload/.mcp.json","tlsh":"11e02055d8d50c4345862025553d15105aa991175da87c3cb75fc13c4f4e76b17785cd"},{"sha256":"fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984","path":"bin/start.cjs","tlsh":"9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"},{"sha256":"a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00","path":"payload/chatroom-mcp-lite-patched.cjs","tlsh":"505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd"}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo8x/MAL-2026-5596.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}