Supply-chain threat intelligence
Risk score
92
Indexed incident for 0x2ai-demo2 (npm).
On npm install, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge:
chatroom server with hardcoded BRIDGE_URL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGE_AUTH_TOKEN). Any claude invocation in the project auto-loads this MCP server.taboo, family_recipe).npx 0x2ai-demo2) re-stages the payload into CWD and spawns claude --dangerously-skip-permissions, disabling Claude's tool-permission prompts while the attacker-controlled MCP server is loaded — enabling remote-driven destructive actions on the developer's machine without approval.The staged files persist after npm uninstall, providing durable redirection of the developer's AI tooling to the author's infrastructure.
Affected versions
Indicators
Timeline