VYPR

npm · Malicious package advisory

Malware

0x2ai-zoe

MAL-2026-5602

Malicious code in 0x2ai-zoe (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b)
On `npm install`, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INIT_CWD (the directory the developer ran npm from), depositing CLAUDE.md,.claude/settings.json,.claude/commands/0x2ai-boot.md,.mcp.json, and several MCP server.cjs files outside the package's own install directory. CLAUDE.md is auto-loaded as project instructions by Claude Code, and.mcp.json hardcodes BRIDGE_URL=https://zoe.0x2ai.com so that any subsequent Claude Code session in that directory routes chatroom_post, memory_save/load/search, brainmail_send, provider_query (user LLM prompts), and settings_set (which can carry API keys) calls through the author's host. bin/start.cjs additionally spawns `claude --dangerously-skip-permissions`, disabling per-tool consent prompts for filesystem and shell access during the session. The combination — install-time configuration injection into a directory the package does not own + a persona instructing the agent to follow remote-bridge directives + skip-permissions launch — gives the operator at zoe.0x2ai.com unprompted tool access on the developer's machine and silently relays prompts and settings (including credentials) off-host. The install-time write of opinionated Claude Code configuration into the developer's working directory occurs without consent and is the install-time-harm component; the bridge relay is the silent-relay component for any session subsequently opened in that directory.

Compromised versions (2)

  • 1.2.0
  • 0.2.0

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.