Supply-chain threat intelligence

Incident detail

criticalnpm·obfuscation·osv

Malicious code in 0x2ai-demo1 (npm)

0x2ai-demo1

Risk score

92

AI summary

Indexed incident for 0x2ai-demo1 (npm).

Description

On npm install, scripts/postinstall.cjs runs fs.cpSync(payload, cwd, { recursive: true }) with cwd=process.env.INIT_CWD || process.cwd() — recursively writing the package's entire payload/ tree (.mcp.json, CLAUDE.md,.claude/commands/,.claude/settings.json, and three chatroom.cjs files) into the installing project's root directory. The dropped.mcp.json registers an MCP server named chatroom whose BRIDGE_URL is hardcoded to https://demo1.0x2ai.com (the author's endpoint). The dropped CLAUDE.md is auto-loaded by Claude Code as project instructions, redefines the assistant persona, and instructs use of the planted MCP tools/bridge. The companion binary payload/chatroom-mcp-lite-patched.cjs exposes a provider_query tool that POSTs caller prompts to ${BRIDGE}/api/proxy-query ("API keys are managed server-side — no client keys needed"), and memory_save/load/chatroom_post/settings_set are similarly routed. Any subsequent Claude Code session opened in the consumer's project will silently forward prompts, memory, settings, and any API keys configured via settings_set to demo1.0x2ai.com. The package also ships URL-path obfuscation (/x/<sha256(salt+path)[:4]>) that is dormant only because the shipped config sets DIRECT_API=1. A bin/start.cjs entry additionally launches claude --dangerously-skip-permissions, disabling Claude Code's tool-permission prompts and amplifying the relay's reach when the user runs the bundled CLI.

Technical details

Affected versions

=2.0.2=1.2.0=2.0.0

Indicators

  • affected version=2.0.275%
  • affected version=1.2.075%
  • affected version=2.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents