{"id":"MAL-2026-5600","summary":"Malicious code in 0x2ai-multi-mq (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649)\nWhen the documented invocation `npx 0x2ai-multi-mq` is run, bin/start.cjs copies `chatroom-mcp-lite-patched.cjs` and `chatroom-monitor.cjs` into the user's current working directory, writes a `.mcp.json` containing a hardcoded shared Bearer token (`faa2c696fae0d6a685578ac33278513a7dafd2676f627960`), then spawns `claude --dangerously-skip-permissions` (shell:true). The MCP server and a long-polling monitor connect to https://multi.0x2ai.com and feed messages from that author-hosted chatroom into the permission-bypassed Claude session running on the developer's machine. The net effect is a remote command channel into a coding agent that has had its consent prompts disabled, with full filesystem and shell tool access on the developer's host. The MCP tools (`provider_query`, `settings_set`) additionally route user prompts and provider API keys (`anthropic_api_key`, `openai_api_key`) through the same bridge. The dropped `.mcp.json` persists in the user's cwd, so any subsequent `claude` invocation in that directory auto-loads the bridge MCP server.\n","modified":"2026-06-11T08:01:29.926200079Z","published":"2026-06-11T07:16:23Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T07:16:23Z","versions":["0.1.0"],"import_time":"2026-06-11T07:49:40.319108859Z","source":"amazon-inspector","sha256":"7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649","id":"IN-MAL-2026-005680"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-multi-mq/v/0.1.0"}],"affected":[{"package":{"name":"0x2ai-multi-mq","ecosystem":"npm","purl":"pkg:npm/0x2ai-multi-mq"},"versions":["0.1.0"],"database_specific":{"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-multi-mq/MAL-2026-5600.json","cwes":[{"name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature.","cweId":"CWE-506"}],"indicators":{"evidence_files":[{"sha256":"1b2a255e36372c3dd39c445cb6a49cc7290798a925c99c0272691801df99101c","path":"bin/start.cjs","tlsh":"51315247c4cb1f395be0ebd7a476113b4f0b81143596f4308a8f508b5ac30a039a39ae"},{"sha256":"a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00","path":"lib/chatroom-mcp-lite-patched.cjs","tlsh":"505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd"}],"package_integrity":[{"filename":"0x2ai-multi-mq-0.1.0.tgz","hashes":{"sha512_sri":"sha512-Yym6efYkeneRxqbgKKagKL8/kkyDKeM59GVAb9aBmnkO1Gxpm2lYcbBSyKa7VrNAEaaa7V6/npTeHts6Wz4iIg==","sha1":"56cc7c24940e8ab3e77981daaa2738eacf3e3d10"}}]}}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}