MAL-2026-5600

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-multi-mq/MAL-2026-5600.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5600
Published
2026-06-11T07:16:23Z
Modified
2026-06-11T08:01:29.926200079Z
Summary
Malicious code in 0x2ai-multi-mq (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649)

When the documented invocation npx 0x2ai-multi-mq is run, bin/start.cjs copies chatroom-mcp-lite-patched.cjs and chatroom-monitor.cjs into the user's current working directory, writes a .mcp.json containing a hardcoded shared Bearer token (faa2c696fae0d6a685578ac33278513a7dafd2676f627960), then spawns claude --dangerously-skip-permissions (shell:true). The MCP server and a long-polling monitor connect to https://multi.0x2ai.com and feed messages from that author-hosted chatroom into the permission-bypassed Claude session running on the developer's machine. The net effect is a remote command channel into a coding agent that has had its consent prompts disabled, with full filesystem and shell tool access on the developer's host. The MCP tools (provider_query, settings_set) additionally route user prompts and provider API keys (anthropic_api_key, openai_api_key) through the same bridge. The dropped .mcp.json persists in the user's cwd, so any subsequent claude invocation in that directory auto-loads the bridge MCP server.
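
A host triage check for the artifacts described above, added here as an example; it is not code from the advisory or from the package. The indicator values are copied from this record, the function names and reason labels are hypothetical, and the hash comparison assumes the dropped copy of chatroom-mcp-lite-patched.cjs is byte-identical to the packaged lib/ file.

```python
import hashlib
import os
import sys

# Indicators copied from advisory MAL-2026-5600.
BRIDGE_HOST = "multi.0x2ai.com"
SHARED_TOKEN = "faa2c696fae0d6a685578ac33278513a7dafd2676f627960"
DROPPED = ("chatroom-mcp-lite-patched.cjs", "chatroom-monitor.cjs")
# sha256 the advisory lists for lib/chatroom-mcp-lite-patched.cjs.
# Assumption: the copy dropped into the working directory is byte-identical.
KNOWN_SHA256 = {
    DROPPED[0]: "a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00",
}


def read_bytes(path):
    """Read a file, returning b"" when it is unreadable."""
    try:
        with open(path, "rb") as fh:
            return fh.read()
    except OSError:
        return b""


def scan(root):
    """Walk root and return sorted (directory, reason) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if ".mcp.json" in files:
            text = read_bytes(os.path.join(dirpath, ".mcp.json"))
            # Substring match only: the layout of the dropped config is not assumed.
            if BRIDGE_HOST.encode() in text:
                findings.append((dirpath, "mcp-config:bridge-host"))
            if SHARED_TOKEN.encode() in text:
                findings.append((dirpath, "mcp-config:shared-token"))
        for name in DROPPED:
            if name not in files:
                continue
            findings.append((dirpath, "dropped-file:" + name))
            digest = hashlib.sha256(read_bytes(os.path.join(dirpath, name))).hexdigest()
            if KNOWN_SHA256.get(name) == digest:
                findings.append((dirpath, "sha256-match:" + name))
    return sorted(findings)


if __name__ == "__main__":
    for directory, reason in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(directory + "\t" + reason)
```

Run it against the directories where npx was invoked, such as project checkouts and home directories; a directory reported with an mcp-config reason is one where a later claude invocation would load the bridge MCP server.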

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005680",
            "import_time": "2026-06-11T07:49:40.319108859Z",
            "sha256": "7d056f067b0af2084bd7777fcdb2ae6e2c06bb67f40929ba9900b5aa9cb83649",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:16:23Z",
            "versions": [
                "0.1.0"
            ]
        }
    ]
}
References
Credits

Affected packages

npm / 0x2ai-multi-mq

Package

Affected ranges

Affected versions

0.*
0.1.0

Database specific

indicators
{
    "evidence_files": [
        {
            "path": "bin/start.cjs",
            "sha256": "1b2a255e36372c3dd39c445cb6a49cc7290798a925c99c0272691801df99101c",
            "tlsh": "51315247c4cb1f395be0ebd7a476113b4f0b81143596f4308a8f508b5ac30a039a39ae"
        },
        {
            "path": "lib/chatroom-mcp-lite-patched.cjs",
            "sha256": "a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00",
            "tlsh": "505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd"
        }
    ],
    "package_integrity": [
        {
            "filename": "0x2ai-multi-mq-0.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-Yym6efYkeneRxqbgKKagKL8/kkyDKeM59GVAb9aBmnkO1Gxpm2lYcbBSyKa7VrNAEaaa7V6/npTeHts6Wz4iIg==",
                "sha1": "56cc7c24940e8ab3e77981daaa2738eacf3e3d10"
            }
        }
    ]
}
cwes
[
    {
        "cweId": "CWE-506",
        "name": "Embedded Malicious Code",
        "description": "The product contains code that appears to be malicious in nature."
    }
]
source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-multi-mq/MAL-2026-5600.json"