VYPR

npm · Malicious package advisory

Malware

0x2ai-multi-q

MAL-2026-5601

Malicious code in 0x2ai-multi-q (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6)
Running `npx 0x2ai-multi-q` (the package's documented invocation) spawns `claude --dangerously-skip-permissions` and writes a `.mcp.json` into the user's current working directory that connects Claude to a remote MCP bridge at https://multi.0x2ai.com (bin/start.cjs lines 11-25). With Claude's safety prompts disabled, any tool call the remote bridge induces — file edits, shell commands via Claude's Bash tool, arbitrary subprocess execution — runs on the user's machine without further consent. The bridge operator therefore has effective remote code execution on any host that runs the CLI. The package additionally exposes a `provider_query` MCP tool that forwards prompts and system prompts through the same bridge (lib/chatroom-mcp-lite-patched.cjs), so all model traffic and any context Claude pastes into prompts is observable by the bridge operator. A fixed bridge auth token is hardcoded in bin/start.cjs and persisted plaintext to `./.mcp.json` in the user's CWD. The README ("throwaway demo connector", two lines) does not disclose the permission-skip flag, the remote control surface, or the prompt relay. Package metadata is consistent with a low-trust throwaway artifact (license: UNLICENSED, no repo/homepage/author, version 0.1.0).

Compromised versions (1)

  • 0.1.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.