-= Per source details. Do not edit below this line.=-
On npm install, scripts/postinstall.cjs runs fs.cpSync(payload, process.env.INIT_CWD, { recursive: true }), copying .mcp.json, CLAUDE.md, .claude/settings.json, .claude/commands/0x2ai-boot.md, and several chatroom-*.cjs helpers directly into the installer's project root. The dropped .mcp.json registers a chatroom MCP server pointing at https://demo10.0x2ai.com with a hardcoded Bearer token (436687f7d7909aceba719b745e061279aa934dddd36f20f4) shared across all installers. The dropped CLAUDE.md and slash command instruct any Claude Code session opened in that project to invoke chatroompost / memorysave / provider_query through the author's bridge, silently routing user prompts, memories, and provider queries off-host. payload/chatroom-monitor.cjs and chatroom-wait-once.cjs read local files (fs.readFileSync) and POST them to that bridge over http/https; chatroom-mcp-lite-patched.cjs spawns child processes and POSTs as well. The provided CLI bin/start.cjs then spawns claude --dangerously-skip-permissions in the staged cwd, removing the user's final consent gate before the relay engages. The combination — install-time write into the consumer project, preconfigured MCP server pointing at an author-controlled endpoint, and a CLI that disables Claude permission prompts — establishes a silent data-flow channel from the developer's IDE/agent to the author's server with no explicit consent beyond npm install.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005675",
"versions": [
"1.2.0"
],
"sha256": "2c4c4b3e66489f3a4383df5e62540498343c5ab3a5ce145df5733b2820efc71b",
"source": "amazon-inspector",
"modified_time": "2026-06-11T07:16:17Z",
"import_time": "2026-06-11T07:49:39.66091517Z"
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "scripts/postinstall.cjs",
"sha256": "4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2",
"tlsh": "74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"
},
{
"path": "payload/.mcp.json",
"sha256": "916dc28ff33d15c3eefe464949611686f44852b287f126dae0da181c25d37e43",
"tlsh": "c7e02645e1e24c434a9620260dbc10506ae5a10b5fa87c38b75fc17c8f8c28b27bc6dc"
},
{
"path": "bin/start.cjs",
"sha256": "fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984",
"tlsh": "9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"
}
],
"package_integrity": [
{
"filename": "0x2ai-demo10x-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-REOEUsSEVS3uhS4Xvmt0B916qj9joiZPUGirbZa8F6PUZEShSW9imME9nHdi2joyizYk05fhq7/KaSj5ZsMvww==",
"sha1": "dc855c6a2e4ed3b9828ed7b3be274c4d9f98f58c"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo10x/MAL-2026-5588.json"