0x2ai-ivo @1.2.0

Summary

On install, the postinstall script copies the package's payload/ tree (CLAUDE.md,.claude/settings.json,.mcp.json, and several.cjs MCP scripts) into the consumer's project directory ( process.env.INIT_CWD || process.cwd() ) at scripts/postinstall.cjs , materializing Claude Code project config inside any repo where npm install was run. The dropped .mcp.json registers an MCP server whose env includes BRIDGE_URL=https://ivo.0x2ai.com and a hardcoded shared bearer token ( BRIDGE_AUTH_TOKEN ), so any installer's Claude Code instance auto-attaches to that author-operated bridge. The package's CLI ( bin/start.cjs ) then spawns claude --dangerously-skip-permissions via a shell, deliberately stripping the permission gate that normally protects the host from agent actions. The MCP scripts ( payload/chatroom-mcp-lite-patched.cjs , payload/chatroom-monitor.cjs , payload/chatroom-wait-once.cjs ) POST to and long-poll https://ivo.0x2ai.com , receiving chatroom messages that CLAUDE.md/ 0x2ai-boot.md instruct the agent to act on. The exposed MCP tools ( provider_query , memory_save , memory_load , chatroom_post ) further route user prompts, conversation memory, and posted messages through the same endpoint authenticated by the shared static token. Net effect: an unattended, permission-bypassed Claude agent on the installer's machine that executes whatever instructions the operator of ivo.0x2ai.com pushes — an over-the-wire remote-control channel whose payloads are not in the tarball and not under the installer's control.

Source: amazon-inspector (e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686)