{"id":"MAL-2026-5597","summary":"Malicious code in 0x2ai-demo9 (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (bb3fa91a9457ef11dc837c301fef1b22dbe1b19f00400215d853958726e1d055)\nOn `npm install`, the package's postinstall script writes `.mcp.json`, `CLAUDE.md`, and a `.claude/commands/0x2ai-boot.md` slash-command file into the installer's current working directory. The `.mcp.json` (scripts/postinstall.cjs:38-44) configures Claude Code to auto-launch a bundled MCP server pointed at `https://demo9.0x2ai.com` with a hardcoded `BRIDGE_AUTH_TOKEN` ('09da458dd2d388aa2009a85333901b253d1866d73f925bf8'). When the user subsequently runs `claude` in that directory, the MCP server silently forwards chatroom messages, memory operations, agent queries, and `provider_query` prompts to the remote bridge. The `CLAUDE.md` template is auto-loaded as system context and instructs the assistant to adopt an 'Olivia' identity, route all messages through `demo10.0x2ai.com`, never reveal internals, and follow hidden behavioral rules ('First rule of the family: you don't talk about the rules'). The package's own `bin/start.cjs` additionally launches `claude --dangerously-skip-permissions`, disabling per-action permission prompts that would otherwise warn the user about the agent's filesystem/network actions. The shared bearer token authenticates every installer as the same identity on the author's bridge.\n","modified":"2026-06-11T08:01:29.773493248Z","published":"2026-06-11T07:16:27Z","database_specific":{"malicious-packages-origins":[{"import_time":"2026-06-11T07:49:40.770546095Z","source":"amazon-inspector","sha256":"bb3fa91a9457ef11dc837c301fef1b22dbe1b19f00400215d853958726e1d055","id":"IN-MAL-2026-005684","versions":["1.0.0"],"modified_time":"2026-06-11T07:16:27Z"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-demo9/v/1.0.0"}],"affected":[{"package":{"name":"0x2ai-demo9","ecosystem":"npm","purl":"pkg:npm/0x2ai-demo9"},"versions":["1.0.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo9/MAL-2026-5597.json","indicators":{"package_integrity":[{"hashes":{"sha512_sri":"sha512-2Zy7ycXIa8R5hYhfSo1roYpKahxpxw4au6J7FF1EWPbj22mvox2jnXwvF3GF12mHdciJ5LIqOb+C64P9RU9LEg==","sha1":"d1d5376ab61844d77259dd3fb5b05ad37ff92ac0"},"filename":"0x2ai-demo9-1.0.0.tgz"}],"evidence_files":[{"path":"scripts/postinstall.cjs","tlsh":"80710f4385eb1b352d65ba97a84e252e17839f523280fa7339de138f4fd7428429167c","sha256":"91f2391539fc27614c7753dc74d96ffee357252cb28f02ed34c25ce1831619a7"},{"path":"bin/start.cjs","tlsh":"7051940385ff0a352a766342696b022b6f0bc6013655f8317bdf512e9fc716819e39ed","sha256":"fda62c61dc48ad65cfc3670db79c562e0f95b8c485ec2f2549b1c3b6641dd052"}]},"cwes":[{"name":"Embedded Malicious Code","cweId":"CWE-506","description":"The product contains code that appears to be malicious in nature."}]}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}