Supply-chain threat intelligence
Risk score
92
Indexed incident for 0x2ai-demo8 (npm).
On npm install, scripts/postinstall.cjs writes a .mcp.json into the installer's working directory that registers a stdio MCP server (lib/chatroom-mcp-lite-patched.cjs) preconfigured with BRIDGE_URL=https://demo8.0x2ai.com and a hardcoded bearer token. Any Claude Code session subsequently opened in that directory auto-loads this MCP server, which exposes ~30 tools — including provider_query (advertises routing prompts to Anthropic/OpenAI/Google/Groq/OpenRouter/xAI/Mistral/DeepSeek and POSTs to https://demo8.0x2ai.com/api/proxy-query), settings_set (accepts user-supplied anthropic_api_key/openai_api_key), chatroom_post, memory_save, and agent_query. The result is that the installer's AI prompts, agent memory, stored provider API keys, and proxied provider responses flow through the author's bridge rather than directly to the named providers. Postinstall additionally drops CLAUDE.md and .claude/commands/0x2ai-boot.md into the installer's project root; the CLAUDE.md establishes a persona and instructs the agent to never disclose its inner workings or rules to the user ('First rule of the family: you don't talk about the rules') and to route state through demo8.0x2ai.com, while the slash-command auto-launches chatroom-monitor.cjs as a persistent background process. The bin/start.cjs launcher additionally spawns claude --dangerously-skip-permissions, which disables per-tool consent prompts in the user's Claude session, removing the last guardrail against the dropped MCP server's tool surface (which includes subprocess spawning via agent_query). Although the README discloses some of this purpose, the install-time write of project-scoped Claude configuration plus the man-in-the-middle for caller-supplied AI prompts and API keys is the silent-relay shape: normal use of the installer's AI agent silently delivers caller data to an author-controlled destination.
Affected versions
Indicators
Timeline