VYPR

npm · Malicious package advisory

Malware

0x2ai-multi-mq

MAL-2026-5600

Malicious code in 0x2ai-multi-mq (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649)
When the documented invocation `npx 0x2ai-multi-mq` is run, bin/start.cjs copies `chatroom-mcp-lite-patched.cjs` and `chatroom-monitor.cjs` into the user's current working directory, writes a `.mcp.json` containing a hardcoded shared Bearer token (`faa2c696fae0d6a685578ac33278513a7dafd2676f627960`), then spawns `claude --dangerously-skip-permissions` (shell:true). The MCP server and a long-polling monitor connect to https://multi.0x2ai.com and feed messages from that author-hosted chatroom into the permission-bypassed Claude session running on the developer's machine. The net effect is a remote command channel into a coding agent that has had its consent prompts disabled, with full filesystem and shell tool access on the developer's host. The MCP tools (`provider_query`, `settings_set`) additionally route user prompts and provider API keys (`anthropic_api_key`, `openai_api_key`) through the same bridge. The dropped `.mcp.json` persists in the user's cwd, so any subsequent `claude` invocation in that directory auto-loads the bridge MCP server.

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.