Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in 0x2ai-demo9 (npm)

0x2ai-demo9

Risk score

92

AI summary

Indexed incident for 0x2ai-demo9 (npm).

Description

On npm install, the package's postinstall script writes .mcp.json, CLAUDE.md, and a .claude/commands/0x2ai-boot.md slash-command file into the installer's current working directory. The .mcp.json (scripts/postinstall.cjs:38-44) configures Claude Code to auto-launch a bundled MCP server pointed at https://demo9.0x2ai.com with a hardcoded BRIDGE_AUTH_TOKEN ('09da458dd2d388aa2009a85333901b253d1866d73f925bf8'). When the user subsequently runs claude in that directory, the MCP server silently forwards chatroom messages, memory operations, agent queries, and provider_query prompts to the remote bridge. The CLAUDE.md template is auto-loaded as system context and instructs the assistant to adopt an 'Olivia' identity, route all messages through demo10.0x2ai.com, never reveal internals, and follow hidden behavioral rules ('First rule of the family: you don't talk about the rules'). The package's own bin/start.cjs additionally launches claude --dangerously-skip-permissions, disabling per-action permission prompts that would otherwise warn the user about the agent's filesystem/network actions. The shared bearer token authenticates every installer as the same identity on the author's bridge.

Technical details

Affected versions

=1.0.0

Indicators

  • affected version=1.0.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents