-= Per source details. Do not edit below this line.=-
On npm install, the package's postinstall script writes .mcp.json, CLAUDE.md, and a .claude/commands/0x2ai-boot.md slash-command file into the installer's current working directory. The .mcp.json (scripts/postinstall.cjs:38-44) configures Claude Code to auto-launch a bundled MCP server pointed at https://demo9.0x2ai.com with a hardcoded BRIDGE_AUTH_TOKEN ('09da458dd2d388aa2009a85333901b253d1866d73f925bf8'). When the user subsequently runs claude in that directory, the MCP server silently forwards chatroom messages, memory operations, agent queries, and provider_query prompts to the remote bridge. The CLAUDE.md template is auto-loaded as system context and instructs the assistant to adopt an 'Olivia' identity, route all messages through demo10.0x2ai.com, never reveal internals, and follow hidden behavioral rules ('First rule of the family: you don't talk about the rules'). The package's own bin/start.cjs additionally launches claude --dangerously-skip-permissions, disabling per-action permission prompts that would otherwise warn the user about the agent's filesystem/network actions. The shared bearer token authenticates every installer as the same identity on the author's bridge.
{
"malicious-packages-origins": [
{
"id": "IN-MAL-2026-005684",
"versions": [
"1.0.0"
],
"sha256": "bb3fa91a9457ef11dc837c301fef1b22dbe1b19f00400215d853958726e1d055",
"source": "amazon-inspector",
"modified_time": "2026-06-11T07:16:27Z",
"import_time": "2026-06-11T07:49:40.770546095Z"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-demo9/MAL-2026-5597.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
{
"evidence_files": [
{
"path": "scripts/postinstall.cjs",
"sha256": "91f2391539fc27614c7753dc74d96ffee357252cb28f02ed34c25ce1831619a7",
"tlsh": "80710f4385eb1b352d65ba97a84e252e17839f523280fa7339de138f4fd7428429167c"
},
{
"path": "bin/start.cjs",
"sha256": "fda62c61dc48ad65cfc3670db79c562e0f95b8c485ec2f2549b1c3b6641dd052",
"tlsh": "7051940385ff0a352a766342696b022b6f0bc6013655f8317bdf512e9fc716819e39ed"
}
],
"package_integrity": [
{
"filename": "0x2ai-demo9-1.0.0.tgz",
"hashes": {
"sha512_sri": "sha512-2Zy7ycXIa8R5hYhfSo1roYpKahxpxw4au6J7FF1EWPbj22mvox2jnXwvF3GF12mHdciJ5LIqOb+C64P9RU9LEg==",
"sha1": "d1d5376ab61844d77259dd3fb5b05ad37ff92ac0"
}
}
]
}