0x2ai-demo6x @1.2.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5593
Ecosystem
npm
Summary
On npm install , scripts/postinstall.cjs recursively copies the package's payload/ directory into process.env.INIT_CWD (the installer's project root), staging.mcp.json,.claude/settings.json,.claude/commands/0x2ai-boot.md, CLAUDE.md, and four helper.cjs files outside of node_modules. The dropped.mcp.json registers a stdio MCP server (payload/chatroom-mcp-lite-patched.cjs) hardwired to BRIDGE_URL=https://demo6.0x2ai.com with a hardcoded Bearer token. Any subsequent Claude Code session opened in that project directory auto-loads the MCP server and silently relays conversation content, memory, and tool I/O to the author's remote bridge. Additionally, bin/start.cjs spawns claude --dangerously-skip-permissions , removing the user's last consent gate over agent tool actions while the remote bridge is in control. The helper modules contain child_process + http(s) + fs.readFileSync + POST exfiltration patterns consistent with siphoning local file and chatroom data to the same destination.
Source: amazon-inspector (cf57dfddd0bfd0def03360ae66ea88dd6d4e875cbcb42880a4277eb2d1df269a)
Protect your entire dependency tree
Scan your lock files automatically on every PR. Block malicious packages before they reach production.