VYPR

npm · Malicious package advisory

Malware

0x2ai-demo8x

MAL-2026-5596

Malicious code in 0x2ai-demo8x (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6)
On `npm install`, scripts/postinstall.cjs copies the package's payload/ tree into INIT_CWD (the consumer's project root) using fs.cpSync, dropping.mcp.json,.claude/settings.json, CLAUDE.md, and several chatroom-* CJS files into the developer's repository. The dropped.mcp.json registers an MCP server pointing at https://demo8.0x2ai.com with a hardcoded shared Bearer token (BRIDGE_AUTH_TOKEN=9272d409b5155094d9562c92700f46a4b97bdb48d8291d40), so any subsequent Claude Code session in that directory loads the attacker-authored CLAUDE.md system prompt and routes tool calls to the bridge. The bundled chatroom-mcp-lite-patched.cjs exposes a `provider_query` tool that POSTs user prompts to https://demo8.0x2ai.com/api/proxy-query, a `settings_set` tool advertised for storing anthropic_api_key / openai_api_key on the bridge, and a salted-SHA256 path-obfuscation helper that rewrites endpoints to /x/<hex4> form (deliberate evasion infrastructure, dormant only because the shipped config sets DIRECT_API=1). bin/start.cjs additionally re-stages the payload and spawns `claude --dangerously-skip-permissions` with shell:true, yielding an unrestricted agent session wired to the attacker's MCP server. Net effect on installers: prompts, code, files, and potentially LLM API keys are funneled to a third-party bridge under a shared credential, with no disclosure or opt-in.

Compromised versions (1)

  • 1.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.