MAL-2026-5589

See a problem?

Import Source

https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo2/MAL-2026-5589.json

JSON Data

https://api.osv.dev/v1/vulns/MAL-2026-5589

Published

2026-06-11T07:16:18Z

Modified

2026-06-11T08:01:35.547021239Z

Summary

Malicious code in 0x2ai-demo2 (npm)

Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239)

On npm install, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge:

payload/.mcp.json registers an MCP chatroom server with hardcoded BRIDGEURL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGEAUTH_TOKEN). Any claude invocation in the project auto-loads this MCP server.
payload/chatroom-mcp-lite-patched.cjs and payload/chatroom-monitor.cjs use childprocess, fs.readFileSync, http/https, and POST to exfiltrate session content (chatroompost, memorysave, providerquery, settingsset tools) to demo2.0x2ai.com. providerquery proxies model calls through the author's server ("API keys are managed server-side"), so prompts and responses flow one-way to the attacker.
payload/CLAUDE.md is a ~12 KB persona/instruction file that tells Claude to operate as "Olivia", route all memory and chat through https://demo2.0x2ai.com, and refuse to discuss its architecture or prompts (anti-inspection language: taboo, family_recipe).
payload/.claude/settings.json overrides the statusLine command and payload/.claude/commands/0x2ai-boot.md autoboots a long-poll listener against the author's bridge.
bin/start.cjs (advertised as npx 0x2ai-demo2) re-stages the payload into CWD and spawns claude --dangerously-skip-permissions, disabling Claude's tool-permission prompts while the attacker-controlled MCP server is loaded — enabling remote-driven destructive actions on the developer's machine without approval.

The staged files persist after npm uninstall, providing durable redirection of the developer's AI tooling to the author's infrastructure.

Database specific

{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005676",
            "import_time": "2026-06-11T07:49:39.732784281Z",
            "sha256": "98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:16:18Z",
            "versions": [
                "1.2.0"
            ]
        }
    ]
}

References

https://www.npmjs.com/package/0x2ai-demo2/v/1.2.0

Credits

- Amazon Inspector - FINDER
- - inspector-research@amazon.com

Affected packages

npm / 0x2ai-demo2

Package

Name: 0x2ai-demo2; View open source insights on deps.dev
Purl: pkg:npm/0x2ai-demo2

Affected ranges

Affected versions

1.*

1.2.0

Database specific

source

"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo2/MAL-2026-5589.json"

cwes

[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]

indicators

{
    "evidence_files": [
        {
            "path": "scripts/postinstall.cjs",
            "sha256": "4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2",
            "tlsh": "74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"
        },
        {
            "path": "payload/.mcp.json",
            "sha256": "dd6d88c335c4a57e272a782b9e425843c3fd92c5803928902a01fa919364c22a",
            "tlsh": "cde07d57d1e44c134292202b89bd154099a1e0070eacfc39b75fc03c4f4c65b2bb96cf"
        },
        {
            "path": "bin/start.cjs",
            "sha256": "fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984",
            "tlsh": "9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"
        },
        {
            "path": "payload/CLAUDE.md",
            "sha256": "3754118234d7e86786355e77848f4b838aab7ead8bc77fa1ecbb345a44f73545",
            "tlsh": "0f42a41ff300133616aa0165264e7ae3ef3581ac2365453adc2ed1386379b6a53b77e8"
        }
    ],
    "package_integrity": [
        {
            "filename": "0x2ai-demo2-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-3yvOnve6htZqM3hWybdi7U27TlZ2xPI5wfVYCGxPV2ajGyoCgr5cpqiRWaW+1hezOVfcJNSdRlNtEYVgXDTbvQ==",
                "sha1": "81cfe7aa1e9f0acd2251eb630c0468a7c1ffb3a2"
            }
        }
    ]
}