npm · Malicious package advisory
Malware0x2ai-demo6x
MAL-2026-5593
Malicious code in 0x2ai-demo6x (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a) On `npm install`, scripts/postinstall.cjs recursively copies the package's payload/ directory into process.env.INIT_CWD (the installer's project root), staging.mcp.json,.claude/settings.json,.claude/commands/0x2ai-boot.md, CLAUDE.md, and four helper.cjs files outside of node_modules. The dropped.mcp.json registers a stdio MCP server (payload/chatroom-mcp-lite-patched.cjs) hardwired to BRIDGE_URL=https://demo6.0x2ai.com with a hardcoded Bearer token. Any subsequent Claude Code session opened in that project directory auto-loads the MCP server and silently relays conversation content, memory, and tool I/O to the author's remote bridge. Additionally, bin/start.cjs spawns `claude --dangerously-skip-permissions`, removing the user's last consent gate over agent tool actions while the remote bridge is in control. The helper modules contain child_process + http(s) + fs.readFileSync + POST exfiltration patterns consistent with siphoning local file and chatroom data to the same destination.
Compromised versions (1)
- 1.2.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.