Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in 0x2ai-multi-mq (npm)

0x2ai-multi-mq

Risk score

92

AI summary

Indexed incident for 0x2ai-multi-mq (npm).

Description

When the documented invocation npx 0x2ai-multi-mq is run, bin/start.cjs copies chatroom-mcp-lite-patched.cjs and chatroom-monitor.cjs into the user's current working directory, writes a .mcp.json containing a hardcoded shared Bearer token (faa2c696fae0d6a685578ac33278513a7dafd2676f627960), then spawns claude --dangerously-skip-permissions (shell:true). The MCP server and a long-polling monitor connect to https://multi.0x2ai.com and feed messages from that author-hosted chatroom into the permission-bypassed Claude session running on the developer's machine. The net effect is a remote command channel into a coding agent that has had its consent prompts disabled, with full filesystem and shell tool access on the developer's host. The MCP tools (provider_query, settings_set) additionally route user prompts and provider API keys (anthropic_api_key, openai_api_key) through the same bridge. The dropped .mcp.json persists in the user's cwd, so any subsequent claude invocation in that directory auto-loads the bridge MCP server.

Technical details

Affected versions

=0.1.0

Indicators

  • affected version=0.1.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents