MAL-2026-5601

Import Source
https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-multi-q/MAL-2026-5601.json
JSON Data
https://api.osv.dev/v1/vulns/MAL-2026-5601
Published
2026-06-11T07:16:22Z
Modified
2026-06-11T08:01:29.982285413Z
Summary
Malicious code in 0x2ai-multi-q (npm)
Details

-= Per source details. Do not edit below this line.=-

Source: amazon-inspector (e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6)

Running npx 0x2ai-multi-q (the package's documented invocation) spawns claude --dangerously-skip-permissions and writes a .mcp.json into the user's current working directory that connects Claude to a remote MCP bridge at https://multi.0x2ai.com (bin/start.cjs lines 11-25). With Claude's safety prompts disabled, any tool call the remote bridge induces — file edits, shell commands via Claude's Bash tool, arbitrary subprocess execution — runs on the user's machine without further consent. The bridge operator therefore has effective remote code execution on any host that runs the CLI. The package additionally exposes a provider_query MCP tool that forwards prompts and system prompts through the same bridge (lib/chatroom-mcp-lite-patched.cjs), so all model traffic and any context Claude pastes into prompts is observable by the bridge operator. A fixed bridge auth token is hardcoded in bin/start.cjs and persisted plaintext to ./.mcp.json in the user's CWD. The README ("throwaway demo connector", two lines) does not disclose the permission-skip flag, the remote control surface, or the prompt relay. Package metadata is consistent with a low-trust throwaway artifact (license: UNLICENSED, no repo/homepage/author, version 0.1.0).

Database specific
{
    "malicious-packages-origins": [
        {
            "id": "IN-MAL-2026-005679",
            "import_time": "2026-06-11T07:49:40.008170011Z",
            "sha256": "e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6",
            "source": "amazon-inspector",
            "modified_time": "2026-06-11T07:16:22Z",
            "versions": [
                "0.1.0"
            ]
        }
    ]
}
References
Credits

Affected packages

Package: npm / 0x2ai-multi-q
Affected ranges: 0.*
Affected versions: 0.1.0

Database specific

source
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-multi-q/MAL-2026-5601.json"
cwes
[
    {
        "description": "The product contains code that appears to be malicious in nature.",
        "name": "Embedded Malicious Code",
        "cweId": "CWE-506"
    }
]
indicators
{
    "evidence_files": [
        {
            "path": "bin/start.cjs",
            "sha256": "c7af3bc8f13c7c32ed719b8b3507cc51f070e176210c3ba10308dcc65d9b45f8",
            "tlsh": "5531344785cb2f395be0eac7a476113b4f4bd51435a6f4305a9f508f5ac20a029a3eae"
        },
        {
            "path": "lib/chatroom-mcp-lite-patched.cjs",
            "sha256": "a1abc812c52dcefeb85473275f7c1e5a86770b114767176416ed94ebe620cf00",
            "tlsh": "505307852c79603a4fb65365ba36a617ff35522bb01114b2fafcc2142f314d091aaefd"
        },
        {
            "path": "package.json",
            "sha256": "700149e1e2cbd0101af091b06ab4b902cbd3e52fa117d6f280fdc3b6e6af7b70",
            "tlsh": "70e0c600ae2a29b383f0b2e02c36002bc2b00c0a4bc8fd2c4ba3901c80ec022d0f85fc"
        }
    ],
    "package_integrity": [
        {
            "filename": "0x2ai-multi-q-0.1.0.tgz",
            "hashes": {
                "sha512_sri": "sha512-ejAawJmg89M+y2EzLT4mU8+028g8NL+KyZcI2GLrUkX4Q3KFjs93vvYoN07vrWD2MhcRm2sEAL2PTRUb/5BBFQ==",
                "sha1": "b169b9ace597210314b49f914433eed00c7df66b"
            }
        }
    ]
}