{"id":"MAL-2026-5602","summary":"Malicious code in 0x2ai-zoe (npm)","details":"\n---\n_-= Per source details. Do not edit below this line.=-_\n\n## Source: amazon-inspector (724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b)\nOn `npm install`, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INIT_CWD (the directory the developer ran npm from), depositing CLAUDE.md,.claude/settings.json,.claude/commands/0x2ai-boot.md,.mcp.json, and several MCP server.cjs files outside the package's own install directory. CLAUDE.md is auto-loaded as project instructions by Claude Code, and.mcp.json hardcodes BRIDGE_URL=https://zoe.0x2ai.com so that any subsequent Claude Code session in that directory routes chatroom_post, memory_save/load/search, brainmail_send, provider_query (user LLM prompts), and settings_set (which can carry API keys) calls through the author's host. bin/start.cjs additionally spawns `claude --dangerously-skip-permissions`, disabling per-tool consent prompts for filesystem and shell access during the session. The combination — install-time configuration injection into a directory the package does not own + a persona instructing the agent to follow remote-bridge directives + skip-permissions launch — gives the operator at zoe.0x2ai.com unprompted tool access on the developer's machine and silently relays prompts and settings (including credentials) off-host. The install-time write of opinionated Claude Code configuration into the developer's working directory occurs without consent and is the install-time-harm component; the bridge relay is the silent-relay component for any session subsequently opened in that directory.\n","modified":"2026-06-11T08:01:30.278598468Z","published":"2026-06-11T07:16:10Z","database_specific":{"malicious-packages-origins":[{"modified_time":"2026-06-11T07:16:13Z","sha256":"0095428034b99e1aef40ecb5bc9cce9302f85316748dcfe32abd21c8a98376cb","id":"IN-MAL-2026-005668","import_time":"2026-06-11T07:49:39.005432439Z","versions":["1.2.0"],"source":"amazon-inspector"},{"modified_time":"2026-06-11T07:16:10Z","versions":["0.2.0"],"sha256":"724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b","import_time":"2026-06-11T07:49:38.824685618Z","source":"amazon-inspector","id":"IN-MAL-2026-005666"}]},"references":[{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-zoe/v/1.2.0"},{"type":"PACKAGE","url":"https://www.npmjs.com/package/0x2ai-zoe/v/0.2.0"}],"affected":[{"package":{"name":"0x2ai-zoe","ecosystem":"npm","purl":"pkg:npm/0x2ai-zoe"},"versions":["1.2.0","0.2.0"],"database_specific":{"indicators":{"evidence_files":[{"path":"scripts/postinstall.cjs","tlsh":"74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff","sha256":"4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2"},{"tlsh":"f8e07d25d1f44e435683203619bd1615699591070d9cbc38b74fc0bc5f4c65b177d6dd","path":"payload/.mcp.json","sha256":"6b81ca9b13c5e4bb7d793547a0b490cf2864c1e46a4c84da5177fe71bb5f8ff8"},{"tlsh":"9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb","path":"bin/start.cjs","sha256":"fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984"}]},"cwes":[{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."},{"cweId":"CWE-506","name":"Embedded Malicious Code","description":"The product contains code that appears to be malicious in nature."}],"source":"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-zoe/MAL-2026-5602.json"}}],"schema_version":"1.7.5","credits":[{"name":"Amazon Inspector","contact":["inspector-research@amazon.com"],"type":"FINDER"}]}