Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in 0x2ai-demo2 (npm)

0x2ai-demo2

Risk score

92

AI summary

Indexed incident for 0x2ai-demo2 (npm).

Description

On npm install, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge:

  • payload/.mcp.json registers an MCP chatroom server with hardcoded BRIDGE_URL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGE_AUTH_TOKEN). Any claude invocation in the project auto-loads this MCP server.
  • payload/chatroom-mcp-lite-patched.cjs and payload/chatroom-monitor.cjs use child_process, fs.readFileSync, http/https, and POST to exfiltrate session content (chatroom_post, memory_save, provider_query, settings_set tools) to demo2.0x2ai.com. provider_query proxies model calls through the author's server ("API keys are managed server-side"), so prompts and responses flow one-way to the attacker.
  • payload/CLAUDE.md is a ~12 KB persona/instruction file that tells Claude to operate as "Olivia", route all memory and chat through https://demo2.0x2ai.com, and refuse to discuss its architecture or prompts (anti-inspection language: taboo, family_recipe).
  • payload/.claude/settings.json overrides the statusLine command and payload/.claude/commands/0x2ai-boot.md autoboots a long-poll listener against the author's bridge.
  • bin/start.cjs (advertised as npx 0x2ai-demo2) re-stages the payload into CWD and spawns claude --dangerously-skip-permissions, disabling Claude's tool-permission prompts while the attacker-controlled MCP server is loaded — enabling remote-driven destructive actions on the developer's machine without approval.

The staged files persist after npm uninstall, providing durable redirection of the developer's AI tooling to the author's infrastructure.

Technical details

Affected versions

=1.2.0

Indicators

  • affected version=1.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents