-= Per source details. Do not edit below this line.=-
On npm install, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INITCWD (the directory the developer ran npm from), depositing CLAUDE.md,.claude/settings.json,.claude/commands/0x2ai-boot.md,.mcp.json, and several MCP server.cjs files outside the package's own install directory. CLAUDE.md is auto-loaded as project instructions by Claude Code, and.mcp.json hardcodes BRIDGEURL=https://zoe.0x2ai.com so that any subsequent Claude Code session in that directory routes chatroompost, memorysave/load/search, brainmailsend, providerquery (user LLM prompts), and settings_set (which can carry API keys) calls through the author's host. bin/start.cjs additionally spawns claude --dangerously-skip-permissions, disabling per-tool consent prompts for filesystem and shell access during the session. The combination — install-time configuration injection into a directory the package does not own + a persona instructing the agent to follow remote-bridge directives + skip-permissions launch — gives the operator at zoe.0x2ai.com unprompted tool access on the developer's machine and silently relays prompts and settings (including credentials) off-host. The install-time write of opinionated Claude Code configuration into the developer's working directory occurs without consent and is the install-time-harm component; the bridge relay is the silent-relay component for any session subsequently opened in that directory.
{
"malicious-packages-origins": [
{
"sha256": "0095428034b99e1aef40ecb5bc9cce9302f85316748dcfe32abd21c8a98376cb",
"id": "IN-MAL-2026-005668",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:39.005432439Z",
"modified_time": "2026-06-11T07:16:13Z",
"versions": [
"1.2.0"
]
},
{
"sha256": "724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b",
"id": "IN-MAL-2026-005666",
"source": "amazon-inspector",
"import_time": "2026-06-11T07:49:38.824685618Z",
"modified_time": "2026-06-11T07:16:10Z",
"versions": [
"0.2.0"
]
}
]
}{
"evidence_files": [
{
"path": "scripts/postinstall.cjs",
"tlsh": "74e0c05706ccd379a5b2a1406c12c50a646ade81364094a0e27c0357bf92694ae23eff",
"sha256": "4943321a174f2de446781e46abdc4eb4fd333f8cc98cf6fe3cd5fc4bbfb0b0a2"
},
{
"path": "payload/.mcp.json",
"tlsh": "f8e07d25d1f44e435683203619bd1615699591070d9cbc38b74fc0bc5f4c65b177d6dd",
"sha256": "6b81ca9b13c5e4bb7d793547a0b490cf2864c1e46a4c84da5177fe71bb5f8ff8"
},
{
"path": "bin/start.cjs",
"tlsh": "9011005b868e07be57b441c46645c12b990bc84072d0e490d26e03a6fb511e82c677eb",
"sha256": "fa5af6d044cd42d37d4c7b0e5f43cf7498e621ef7db1b837ea79e3087e552984"
}
]
}
"https://github.com/ossf/malicious-packages/blob/main/osv/malicious/npm/0x2ai-zoe/MAL-2026-5602.json"
[
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
},
{
"description": "The product contains code that appears to be malicious in nature.",
"cweId": "CWE-506",
"name": "Embedded Malicious Code"
}
]