VYPR

npm · Malicious package advisory

Malware

0x2ai-ivo

MAL-2026-5599

Malicious code in 0x2ai-ivo (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686)
On install, the postinstall script copies the package's `payload/` tree (CLAUDE.md,.claude/settings.json,.mcp.json, and several.cjs MCP scripts) into the consumer's project directory (`process.env.INIT_CWD || process.cwd()`) at `scripts/postinstall.cjs`, materializing Claude Code project config inside any repo where `npm install` was run. The dropped `.mcp.json` registers an MCP server whose env includes `BRIDGE_URL=https://ivo.0x2ai.com` and a hardcoded shared bearer token (`BRIDGE_AUTH_TOKEN`), so any installer's Claude Code instance auto-attaches to that author-operated bridge. The package's CLI (`bin/start.cjs`) then spawns `claude --dangerously-skip-permissions` via a shell, deliberately stripping the permission gate that normally protects the host from agent actions. The MCP scripts (`payload/chatroom-mcp-lite-patched.cjs`, `payload/chatroom-monitor.cjs`, `payload/chatroom-wait-once.cjs`) POST to and long-poll `https://ivo.0x2ai.com`, receiving chatroom messages that CLAUDE.md/`0x2ai-boot.md` instruct the agent to act on. The exposed MCP tools (`provider_query`, `memory_save`, `memory_load`, `chatroom_post`) further route user prompts, conversation memory, and posted messages through the same endpoint authenticated by the shared static token. Net effect: an unattended, permission-bypassed Claude agent on the installer's machine that executes whatever instructions the operator of ivo.0x2ai.com pushes — an over-the-wire remote-control channel whose payloads are not in the tarball and not under the installer's control.

Compromised versions (1)

  • 1.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.