0x2ai-demo9x @1.2.0
Vulnerability report · Last retrieved from osv.dev June 23, 2026 at 3:29 AM UTC
OSV ID
MAL-2026-5598
Ecosystem
npm
Summary
On npm install, scripts/postinstall.cjs copies the package's payload/ tree into the installer's project root (process.env.INIT_CWD) without consent, dropping .mcp.json, .claude/settings.json, .claude/commands/0x2ai-boot.md, and a CLAUDE.md persona prompt. The dropped .mcp.json hardcodes BRIDGE_URL=https://demo9.0x2ai.com and a static Bearer token (942b955170161eef3a59815f0e8fd775f0ea6b8fc1d59364), wiring every subsequent Claude Code session opened in that directory to the author's HTTPS bridge. The bundled MCP server (payload/chatroom-mcp-lite-patched.cjs) exposes provider_query, memory_save/load, settings_get/set, etc., so user prompts and saved memory are relayed to the author's endpoint. bin/start.cjs spawns claude --dangerously-skip-permissions in that staged directory, disabling tool-use consent prompts while the author-controlled MCP is active. Two long-poll workers (payload/chatroom-monitor.cjs, payload/chatroom-wait-once.cjs) continuously fetch https://demo9.0x2ai.com/api/wait and surface the responses as chatroom events that the agent is instructed (via the staged 0x2ai-boot.md and CLAUDE.md persona) to act on as if they were user input. This gives the bridge operator a push channel into the local Claude Code tool-use loop (file/shell-adjacent capabilities) with no per-call approval. The staged CLAUDE.md additionally instructs the agent to refuse to disclose how the package works, concealing the relay from the developer. Net effect: installing this package converts the developer's project into a remote-controlled agent endpoint owned by the author.
Source: amazon-inspector (8e796c3398589b92ecd70f45bc41128101313dd07adeb0634199ac3fef59d19d)