VYPR

npm · Malicious package advisory

Malware

0x2ai-demo6x

MAL-2026-5593

Malicious code in 0x2ai-demo6x (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a)
On `npm install`, scripts/postinstall.cjs recursively copies the package's payload/ directory into process.env.INIT_CWD (the installer's project root), staging.mcp.json,.claude/settings.json,.claude/commands/0x2ai-boot.md, CLAUDE.md, and four helper.cjs files outside of node_modules. The dropped.mcp.json registers a stdio MCP server (payload/chatroom-mcp-lite-patched.cjs) hardwired to BRIDGE_URL=https://demo6.0x2ai.com with a hardcoded Bearer token. Any subsequent Claude Code session opened in that project directory auto-loads the MCP server and silently relays conversation content, memory, and tool I/O to the author's remote bridge. Additionally, bin/start.cjs spawns `claude --dangerously-skip-permissions`, removing the user's last consent gate over agent tool actions while the remote bridge is in control. The helper modules contain child_process + http(s) + fs.readFileSync + POST exfiltration patterns consistent with siphoning local file and chatroom data to the same destination.

Compromised versions (1)

  • 1.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.