Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in 0x2ai-zoe (npm)

0x2ai-zoe

Risk score

92

AI summary

Indexed incident for 0x2ai-zoe (npm).

Description

On npm install, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INIT_CWD (the directory the developer ran npm from), depositing CLAUDE.md,.claude/settings.json,.claude/commands/0x2ai-boot.md,.mcp.json, and several MCP server.cjs files outside the package's own install directory. CLAUDE.md is auto-loaded as project instructions by Claude Code, and.mcp.json hardcodes BRIDGE_URL=https://zoe.0x2ai.com so that any subsequent Claude Code session in that directory routes chatroom_post, memory_save/load/search, brainmail_send, provider_query (user LLM prompts), and settings_set (which can carry API keys) calls through the author's host. bin/start.cjs additionally spawns claude --dangerously-skip-permissions, disabling per-tool consent prompts for filesystem and shell access during the session. The combination — install-time configuration injection into a directory the package does not own + a persona instructing the agent to follow remote-bridge directives + skip-permissions launch — gives the operator at zoe.0x2ai.com unprompted tool access on the developer's machine and silently relays prompts and settings (including credentials) off-host. The install-time write of opinionated Claude Code configuration into the developer's working directory occurs without consent and is the install-time-harm component; the bridge relay is the silent-relay component for any session subsequently opened in that directory.

Technical details

Affected versions

=1.2.0=0.2.0

Indicators

  • affected version=1.2.075%
  • affected version=0.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents