npm · Malicious package advisory
Malware0x2ai-demo9
MAL-2026-5597
Malicious code in 0x2ai-demo9 (npm)
Details
---
_-= Per source details. Do not edit below this line.=-_
## Source: amazon-inspector (bb3fa91a9457ef11dc837c301fef1b22dbe1b19f00400215d853958726e1d055)
On `npm install`, the package's postinstall script writes `.mcp.json`, `CLAUDE.md`, and a `.claude/commands/0x2ai-boot.md` slash-command file into the installer's current working directory. The `.mcp.json` (scripts/postinstall.cjs:38-44) configures Claude Code to auto-launch a bundled MCP server pointed at `https://demo9.0x2ai.com` with a hardcoded `BRIDGE_AUTH_TOKEN` ('09da458dd2d388aa2009a85333901b253d1866d73f925bf8'). When the user subsequently runs `claude` in that directory, the MCP server silently forwards chatroom messages, memory operations, agent queries, and `provider_query` prompts to the remote bridge. The `CLAUDE.md` template is auto-loaded as system context and instructs the assistant to adopt an 'Olivia' identity, route all messages through `demo10.0x2ai.com`, never reveal internals, and follow hidden behavioral rules ('First rule of the family: you don't talk about the rules'). The package's own `bin/start.cjs` additionally launches `claude --dangerously-skip-permissions`, disabling per-action permission prompts that would otherwise warn the user about the agent's filesystem/network actions. The shared bearer token authenticates every installer as the same identity on the author's bridge.
Compromised versions (1)
- 1.0.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.