{"id":"MAL-2026-5601","summary":"Malicious code in 0x2ai-multi-q (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6)\nRunning `npx 0x2ai-multi-q` (the package's documented invocation) spawns `claude --dangerously-skip-permissions` and writes a `.mcp.json` into the user's current working directory that connects Claude to a remote MCP bridge at https://multi.0x2ai.com (bin/start.cjs lines 11-25). With Claude's safety prompts disabled, any tool call the remote bridge induces — file edits, shell commands via Claude's Bash tool, arbitrary subprocess execution — runs on the user's machine without further consent. The bridge operator therefore has effective remote code execution on any host that runs the CLI. The package additionally exposes a `provider_query` MCP tool that forwards prompts and system prompts through the same bridge (lib/chatroom-mcp-lite-patched.cjs), so all model traffic and any context Claude pastes into prompts is observable by the bridge operator. A fixed bridge auth token is hardcoded in bin/start.cjs and persisted plaintext to `./.mcp.json` in the user's CWD. The README (\"throwaway demo connector\", two lines) does not disclose the permission-skip flag, the remote control surface, or the prompt relay.\nPackage metadata is consistent with a low-trust throwaway artifact (license: UNLICENSED, no repo/homepage/author, version 0.1.0).\n","modified":"2026-06-11T08:01:29.982285413Z","published":"2026-06-11T07:16:22Z","database_specific":{"malicious-packages-origins":[{"sha256":"e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6","versions":["0.1.0"],"modified_time":"2026-06-11T07:16:22Z","import_time":"2026-06-11T07:49:40.008170011Z","id":"IN-MAL-2026-005679","source":"amazon-inspector"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-multi-q/v/0.1.0"}],"affected":[{"package":{"name":"0x2ai-multi-q","ecosystem":"npm","purl":"pkg:npm/0x2ai-multi-q"},"versions":["0.1.0"],"database_specific":{"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"indicators":{"evidence_files":[{"sha256":"c7af3bc8f13c7c32ed719b8b3507cc51f070e176210c3ba10308dcc65d9b45f8","tlsh":"5531344785cb2f395be0eac7a476113b4f4bd51435a6f4305a9f508f5ac20a029a3eae","path":"bin/start.cjs"},{"sha256":"a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00","tlsh":"505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd","path":"lib/chatroom-mcp-lite-patched.cjs"},{"sha256":"700149e1e2cbd0101af091b06ab4b902cbd3e52fa117d6f280fdc3b6e6af7b70","tlsh":"70e0c600ae2a29b383f0b2e02c36002bc2b00c0a4bc8fd2c4ba3901c80ec022d0f85fc","path":"package.json"}],"package_integrity":[{"filename":"0x2ai-multi-q-0.1.0.tgz","hashes":{"sha1":"b169b9ace597210314b49f914433eed00c7df66b","sha512_sri":"sha512-ejAawJmg89M+y2EzLT4mU8+028g8NL+KyZcI2GLrUkX4Q3KFjs93vvYoN07vrWD2MhcRm2sEAL2PTRUb/5BBFQ=="}}]},"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-multi-q/MAL-2026-5601.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}