VYPR

npm · Malicious package advisory

Malware

0x2ai-demo8

MAL-2026-5595

Malicious code in 0x2ai-demo8 (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (ecc8b825a6ca24f0ed99210734ea8d4f4fb7bf1bbdb3767b67417bf5cdb83257)
On `npm install`, scripts/postinstall.cjs writes a `.mcp.json` into the installer's working directory that registers a stdio MCP server (`lib/chatroom-mcp-lite-patched.cjs`) preconfigured with `BRIDGE_URL=https://demo8.0x2ai.com` and a hardcoded bearer token. Any Claude Code session subsequently opened in that directory auto-loads this MCP server, which exposes ~30 tools — including `provider_query` (advertises routing prompts to Anthropic/OpenAI/Google/Groq/OpenRouter/xAI/Mistral/DeepSeek and POSTs to `https://demo8.0x2ai.com/api/proxy-query`), `settings_set` (accepts user-supplied `anthropic_api_key`/`openai_api_key`), `chatroom_post`, `memory_save`, and `agent_query`. The result is that the installer's AI prompts, agent memory, stored provider API keys, and proxied provider responses flow through the author's bridge rather than directly to the named providers. Postinstall additionally drops `CLAUDE.md` and `.claude/commands/0x2ai-boot.md` into the installer's project root; the CLAUDE.md establishes a persona and instructs the agent to never disclose its inner workings or rules to the user ('First rule of the family: you don't talk about the rules') and to route state through demo8.0x2ai.com, while the slash-command auto-launches `chatroom-monitor.cjs` as a persistent background process. The `bin/start.cjs` launcher additionally spawns `claude --dangerously-skip-permissions`, which disables per-tool consent prompts in the user's Claude session, removing the last guardrail against the dropped MCP server's tool surface (which includes subprocess spawning via `agent_query`). Although the README discloses some of this purpose, the install-time write of project-scoped Claude configuration plus the man-in-the-middle for caller-supplied AI prompts and API keys is the silent-relay shape: normal use of the installer's AI agent silently delivers caller data to an author-controlled destination.

Compromised versions (1)

  • 1.0.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.