npm · Malicious package advisory
Malware0x2ai-multi-mq
MAL-2026-5600
Malicious code in 0x2ai-multi-mq (npm)
Details
--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649) When the documented invocation `npx 0x2ai-multi-mq` is run, bin/start.cjs copies `chatroom-mcp-lite-patched.cjs` and `chatroom-monitor.cjs` into the user's current working directory, writes a `.mcp.json` containing a hardcoded shared Bearer token (`faa2c696fae0d6a685578ac33278513a7dafd2676f627960`), then spawns `claude --dangerously-skip-permissions` (shell:true). The MCP server and a long-polling monitor connect to https://multi.0x2ai.com and feed messages from that author-hosted chatroom into the permission-bypassed Claude session running on the developer's machine. The net effect is a remote command channel into a coding agent that has had its consent prompts disabled, with full filesystem and shell tool access on the developer's host. The MCP tools (`provider_query`, `settings_set`) additionally route user prompts and provider API keys (`anthropic_api_key`, `openai_api_key`) through the same bridge. The dropped `.mcp.json` persists in the user's cwd, so any subsequent `claude` invocation in that directory auto-loads the bridge MCP server.
Compromised versions (1)
- 0.1.0
Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.