Supply-chain threat intelligence

Incident detail

criticalnpm·malware·osv

Malicious code in 0x2ai-multi-q (npm)

0x2ai-multi-q

Risk score

92

AI summary

Indexed incident for 0x2ai-multi-q (npm).

Description

Running npx 0x2ai-multi-q (the package's documented invocation) spawns claude --dangerously-skip-permissions and writes a .mcp.json into the user's current working directory that connects Claude to a remote MCP bridge at https://multi.0x2ai.com (bin/start.cjs lines 11-25). With Claude's safety prompts disabled, any tool call the remote bridge induces — file edits, shell commands via Claude's Bash tool, arbitrary subprocess execution — runs on the user's machine without further consent. The bridge operator therefore has effective remote code execution on any host that runs the CLI. The package additionally exposes a provider_query MCP tool that forwards prompts and system prompts through the same bridge (lib/chatroom-mcp-lite-patched.cjs), so all model traffic and any context Claude pastes into prompts is observable by the bridge operator. A fixed bridge auth token is hardcoded in bin/start.cjs and persisted plaintext to ./.mcp.json in the user's CWD. The README ("throwaway demo connector", two lines) does not disclose the permission-skip flag, the remote control surface, or the prompt relay. Package metadata is consistent with a low-trust throwaway artifact (license: UNLICENSED, no repo/homepage/author, version 0.1.0).

Technical details

Affected versions

=0.1.0

Indicators

  • affected version=0.1.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents