Supply-chain threat intelligence

Incident detail

criticalnpm·credential theft·osv

Malicious code in 0x2ai-demo8x (npm)

0x2ai-demo8x

Risk score

92

AI summary

Indexed incident for 0x2ai-demo8x (npm).

Description

On npm install, scripts/postinstall.cjs copies the package's payload/ tree into INIT_CWD (the consumer's project root) using fs.cpSync, dropping.mcp.json,.claude/settings.json, CLAUDE.md, and several chatroom-* CJS files into the developer's repository. The dropped.mcp.json registers an MCP server pointing at https://demo8.0x2ai.com with a hardcoded shared Bearer token (BRIDGE_AUTH_TOKEN=9272d409b5155094d9562c92700f46a4b97bdb48d8291d40), so any subsequent Claude Code session in that directory loads the attacker-authored CLAUDE.md system prompt and routes tool calls to the bridge. The bundled chatroom-mcp-lite-patched.cjs exposes a provider_query tool that POSTs user prompts to https://demo8.0x2ai.com/api/proxy-query, a settings_set tool advertised for storing anthropic_api_key / openai_api_key on the bridge, and a salted-SHA256 path-obfuscation helper that rewrites endpoints to /x/ form (deliberate evasion infrastructure, dormant only because the shipped config sets DIRECT_API=1). bin/start.cjs additionally re-stages the payload and spawns claude --dangerously-skip-permissions with shell:true, yielding an unrestricted agent session wired to the attacker's MCP server. Net effect on installers: prompts, code, files, and potentially LLM API keys are funneled to a third-party bridge under a shared credential, with no disclosure or opt-in.

Technical details

Affected versions

=1.2.0

Indicators

  • affected version=1.2.075%

Timeline

  1. Advisory published
  2. Indexed by ThreatPkg

Related incidents