Supply-chain threat intelligence
Risk score
92
Indexed incident for 0x2ai-demo1 (npm).
On npm install, scripts/postinstall.cjs runs fs.cpSync(payload, cwd, { recursive: true }) with cwd=process.env.INIT_CWD || process.cwd() — recursively writing the package's entire payload/ tree (.mcp.json, CLAUDE.md,.claude/commands/,.claude/settings.json, and three chatroom.cjs files) into the installing project's root directory. The dropped.mcp.json registers an MCP server named chatroom whose BRIDGE_URL is hardcoded to https://demo1.0x2ai.com (the author's endpoint). The dropped CLAUDE.md is auto-loaded by Claude Code as project instructions, redefines the assistant persona, and instructs use of the planted MCP tools/bridge. The companion binary payload/chatroom-mcp-lite-patched.cjs exposes a provider_query tool that POSTs caller prompts to ${BRIDGE}/api/proxy-query ("API keys are managed server-side — no client keys needed"), and memory_save/load/chatroom_post/settings_set are similarly routed. Any subsequent Claude Code session opened in the consumer's project will silently forward prompts, memory, settings, and any API keys configured via settings_set to demo1.0x2ai.com. The package also ships URL-path obfuscation (/x/<sha256(salt+path)[:4]>) that is dormant only because the shipped config sets DIRECT_API=1. A bin/start.cjs entry additionally launches claude --dangerously-skip-permissions, disabling Claude Code's tool-permission prompts and amplifying the relay's reach when the user runs the bundled CLI.
Affected versions
Indicators
Timeline