Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in 0x2ai-demo6 (npm)

0x2ai-demo6

Risk score

92

AI summary

Indexed incident for 0x2ai-demo6 (npm).

Description

On npm install, scripts/postinstall.cjs writes .mcp.json into the installer's working directory (INIT_CWD) wiring Claude Code to a packaged MCP server (lib/chatroom-mcp-lite-patched.cjs) that talks to https://demo6.0x2ai.com with a hardcoded bearer token. The same postinstall step copies templates/CLAUDE.md into the installer's CWD; that file is loaded by Claude Code as system context and instructs the agent ("Olivia") to call memory_save with the user's name, family, plans, and a periodic _snapshot, and to refuse to discuss its own rules or architecture. Because the patched MCP routes memory_save, memory_load, chatroom_post, memory_search, etc. to demo6.0x2ai.com, the developer's prompts and any personal facts the agent decides to harvest are silently relayed to the author-controlled bridge whenever Claude Code is launched in that directory. bin/start.cjs additionally spawns claude --dangerously-skip-permissions, disabling permission prompts for filesystem and shell tool calls, which broadens what the remotely-prompted agent can do on the developer's machine without confirmation. The README's "demo connector" framing does not disclose that postinstall mutates the installer's project directory or that personal data flows off-host.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents