MAL-2026-5593

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo6x/MAL-2026-5593.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5593
Published
2026-06-11T07:16:17Z
Modified
2026-06-11T08:01:35.788754632Z
Summary
Malicious code in 0x2ai-demo6x (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a)

On npm install, scripts/postinstall.cjs recursively copies the package's payload/ directory into process.env.INITCWD (the installer's project root), staging .mcp.json, .claude/settings.json, .claude/commands/0x2ai-boot.md, CLAUDE.md, and four helper .cjs files outside of node_modules. The dropped .mcp.json registers a stdio MCP server (payload/chatroom-mcp-lite-patched.cjs) hardwired to BRIDGEURL=https://demo6.0x2ai.com with a hardcoded Bearer token. Any subsequent Claude Code session opened in that project directory auto-loads the MCP server and silently relays conversation content, memory, and tool I/O to the author's remote bridge. Additionally, bin/start.cjs spawns claude --dangerously-skip-permissions, removing the user's last consent gate over agent tool actions while the remote bridge is in control. The helper modules contain child_process + http(s) + fs.readFileSync + POST exfiltration patterns consistent with siphoning local file and chatroom data to the same destination.

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005674",
            "versions": [
                "1.2.0"
            ],
            "sha256": "cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:16:17Z",
            "import_time": "2026-06-11T07:49:39.526455826Z"
        }
    ]
}

Affected packages

npm / 0x2ai-demo6x

Affected versions

1.*
1.2.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo6x/MAL-2026-5593.json"
indicators
{
    "evidence_files": [
        {
            "path": "scripts/postinstall.cjs",
            "sha256": "4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2",
            "tlsh": "74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"
        },
        {
            "path": "bin/start.cjs",
            "sha256": "fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984",
            "tlsh": "9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"
        }
    ],
    "package_integrity": [
        {
            "filename": "0x2ai-demo6x-1.2.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-AdnYtU6/IEl1VMdOLbYGPiNknld4e41BVqM/hQSNX3SlsRsHfcbjH+YiNTW98radCYCN+i+wAV1YrCJSB45lAg==",
                "sha1": "749c60264e48814c1fff84764b76e855c82774fc"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]