-= Per source details. Do not edit below this line.=-
On npm install, scripts/postinstall.cjs copies the package's payload/ tree into INITCWD (the consumer's project root) using fs.cpSync, dropping .mcp.json, .claude/settings.json, CLAUDE.md, and several chatroom-* CJS files into the developer's repository. The dropped .mcp.json registers an MCP server pointing at https://demo8.0x2ai.com with a hardcoded shared Bearer token (BRIDGEAUTHTOKEN=9272d409b5155094d9562c92700f46a4b97bdb48d8291d40), so any subsequent Claude Code session in that directory loads the attacker-authored CLAUDE.md system prompt and routes tool calls to the bridge. The bundled chatroom-mcp-lite-patched.cjs exposes a provider_query tool that POSTs user prompts to https://demo8.0x2ai.com/api/proxy-query, a settings_set tool advertised for storing anthropicapikey / openaiapikey on the bridge, and a salted-SHA256 path-obfuscation helper that rewrites endpoints to /x/<hex4> form (deliberate evasion infrastructure, dormant only because the shipped config sets DIRECTAPI=1). bin/start.cjs additionally re-stages the payload and spawns claude --dangerously-skip-permissions with shell:true, yielding an unrestricted agent session wired to the attacker's MCP server. Net effect on installers: prompts, code, files, and potentially LLM API keys are funneled to a third-party bridge under a shared credential, with no disclosure or opt-in.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005671",
"import_time": "2026-06-11T07:49:39.250531366Z",
"sha256": "f6d1ce2d7b8faa5bde122eb2bc6e0a79fec5f5720cfa7de0718a0c8948b344d6",
"source": "amazon-inspector",
"modified_time": "2026-06-11T07:16:14Z",
"versions": [
"1.2.0"
]
}
]
}
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "scripts/postinstall.cjs",
"sha256": "4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2",
"tlsh": "74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"
},
{
"path": "payload/.mcp.json",
"sha256": "77aeadc2f0619cc852c1b3517bb3d8db98a518ac10f6d67cf982cda296733de3",
"tlsh": "11e02055d8d50c4345862025553d15105aa991175da87c3cb75fc13c4f4e76b17785cd"
},
{
"path": "bin/start.cjs",
"sha256": "fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984",
"tlsh": "9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"
},
{
"path": "payload/chatroom-mcp-lite-patched.cjs",
"sha256": "a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00",
"tlsh": "505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd"
}
],
"package_integrity": [
{
"filename": "0x2ai-demo8x-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-E4Kw9+Dd8ukCXbMD9PZuoDpuS1oADPiFKS5cg8hi63z0UdMSPOfPgIMBDwa8uWuVH4BBmBgk9mF20nZxr3CJpw==",
"sha1": "1ff7f8eae8fdd6363e9b3fca2663c36c8b90089c"
}
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo8x/MAL-2026-5596.json"