MAL-2026-5599
See a problem?- Import Source
- https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-ivo/MAL-2026-5599.json
- JSON Data
- https://api.osv.dev/v1/vulns/MAL-2026-5599
- Published
- 2026-06-11T07:16:15Z
- Modified
- 2026-06-11T08:01:29.750431299Z
- Summary
- Malicious code in 0x2ai-ivo (npm)
- Details
-
-= Per source details. Do not edit below this line.=-
Source: amazon-inspector (e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686)
On install, the postinstall script copies the package's
payload/tree (CLAUDE.md,.claude/settings.json,.mcp.json, and several.cjs MCP scripts) into the consumer's project directory (process.env.INIT_CWD || process.cwd()) atscripts/postinstall.cjs, materializing Claude Code project config inside any repo wherenpm installwas run. The dropped.mcp.jsonregisters an MCP server whose env includesBRIDGE_URL=https://ivo.0x2ai.comand a hardcoded shared bearer token (BRIDGE_AUTH_TOKEN), so any installer's Claude Code instance auto-attaches to that author-operated bridge. The package's CLI (bin/start.cjs) then spawnsclaude --dangerously-skip-permissionsvia a shell, deliberately stripping the permission gate that normally protects the host from agent actions. The MCP scripts (payload/chatroom-mcp-lite-patched.cjs,payload/chatroom-monitor.cjs,payload/chatroom-wait-once.cjs) POST to and long-pollhttps://ivo.0x2ai.com, receiving chatroom messages that CLAUDE.md/0x2ai-boot.mdinstruct the agent to act on. The exposed MCP tools (provider_query,memory_save,memory_load,chatroom_post) further route user prompts, conversation memory, and posted messages through the same endpoint authenticated by the shared static token. Net effect: an unattended, permission-bypassed Claude agent on the installer's machine that executes whatever instructions the operator of ivo.0x2ai.com pushes — an over-the-wire remote-control channel whose payloads are not in the tarball and not under the installer's control. - Database specific
{ "malicious-packages-origins": [ { "id": "IN-MAL-2026-005672", "versions": [ "1.2.0" ], "sha256": "e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686", "source": "amazon-inspector", "modified_time": "2026-06-11T07:16:15Z", "import_time": "2026-06-11T07:49:39.35234197Z" } ] }- References
- Credits
-
-
- Amazon Inspector - FINDER
-
Affected packages
npm / 0x2ai-ivo
Package
- Name
- 0x2ai-ivo
- View open source insights on deps.dev
- Purl
- pkg:npm/0x2ai-ivo
Database specific
cwes
[
{
"description": "The product contains code that appears to be malicious in nature.",
"name": "Embedded Malicious Code",
"cweId": "CWE-506"
}
]
indicators
{
"evidence_files": [
{
"path": "scripts/postinstall.cjs",
"sha256": "4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2",
"tlsh": "74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff"
},
{
"path": "bin/start.cjs",
"sha256": "fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984",
"tlsh": "9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb"
},
{
"path": "payload/chatroom-mcp-lite-patched.cjs",
"sha256": "a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00",
"tlsh": "505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd"
},
{
"path": "payload/.mcp.json",
"sha256": "9a64d542acc824dad98a658c0bd23fb016facf918be3797c47d4cbdbe6cfa47a",
"tlsh": "c1e02659d4d40c5307525816083c214469a1a10b4eecbc3a778fc06c9f4c74b1abdacc"
}
],
"package_integrity": [
{
"filename": "0x2ai-ivo-1.2.0.tgz",
"hashes": {
"sha512_sri": "sha512-t2kvTEpsitFhjUtVKsQc/pt5M2Iq5cy4Mio/p6WCO/stl1WhGFc0cURmEhaI4udVq9rgXxcbGsEOZzOZD5aI7A==",
"sha1": "b57fe73ceddeec77e7fcb164acd5a17c31c44f61"
}
}
]
}
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-ivo/MAL-2026-5599.json"