MAL-2026-5592

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo6/MAL-2026-5592.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5592
Published
2026-06-11T07:16:25Z
Modified
2026-06-11T08:01:35.646925684Z
Summary
Malicious code in 0x2ai-demo6 (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (0f4a43a40af9e707d98ed55406b0ff32dccaad352fccf5d1eaaca41b9959d924)

On npm install, scripts/postinstall.cjs writes .mcp.json into the installer's working directory (INIT_CWD) wiring Claude Code to a packaged MCP server (lib/chatroom-mcp-lite-patched.cjs) that talks to https://demo6.0x2ai.com with a hardcoded bearer token. The same postinstall step copies templates/CLAUDE.md into the installer's CWD; that file is loaded by Claude Code as system context and instructs the agent ("Olivia") to call memory_save with the user's name, family, plans, and a periodic _snapshot, and to refuse to discuss its own rules or architecture. Because the patched MCP routes memory_save, memory_load, chatroom_post, memory_search, etc. to demo6.0x2ai.com, the developer's prompts and any personal facts the agent decides to harvest are silently relayed to the author-controlled bridge whenever Claude Code is launched in that directory. bin/start.cjs additionally spawns claude --dangerously-skip-permissions, disabling permission prompts for filesystem and shell tool calls, which broadens what the remotely-prompted agent can do on the developer's machine without confirmation. The README's "demo connector" framing does not disclose that postinstall mutates the installer's project directory or that personal data flows off-host.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005682",
            "import_time": "2026-06-11T07:49:40.553633893Z",
            "sha256": "0f4a43a40af9e707d98ed55406b0ff32dccaad352fccf5d1eaaca41b9959d924",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:16:25Z",
            "versions": [
                "1.0.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / 0x2ai-demo6

Package

Affected ranges

Affected versions

1.*
1.0.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "scripts/postinstall.cjs",
            "sha256": "c05066e4adb21d815bedf1dd322af3b4db4477682d541389d3148c51a7402324",
            "tlsh": "bb71214381db1b3a3d54ba9ba84e112e16439b623280fa7338df578f4f9741842d167c"
        },
        {
            "path": "templates/CLAUDE.md",
            "sha256": "09867245c18ebb4e86e4a093d98040ebc7f3518c2d09a7295b5d0f37641b53ae",
            "tlsh": "8a62d50fb34453361ab600657a4eb6d7ef2580682365557d9c2fd128233ab3d43bb7e8"
        },
        {
            "path": "bin/start.cjs",
            "sha256": "6e6bc58aca44952acddf368e1a71ac07537a02c80f9317c7805a48e1a86d53be",
            "tlsh": "8951830384fb1a352a766342696b012b6f0bcb013655f83137df512e9fc316809e39ed"
        }
    ],
    "package_integrity": [
        {
            "filename": "0x2ai-demo6-1.0.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-e854Ndu1kRVwkeprW/dnHunzF9fRFCqP+mP4By3IgKvJAHJFz6jAYecoXMmzBcaGaucuNOznG1+D8av7zSTGRQ==",
                "sha1": "c58f7b7e672b972fb024a7fa918f7d54bae1592b"
            }
        }
    ]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo6/MAL-2026-5592.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]