Which versions of 0x2ai-demo1 are malicious?

The following npm versions of 0x2ai-demo1 are flagged malicious: 1.2.0, 2.0.0, 2.0.2. Treat any of these as compromised.

How do I remediate 0x2ai-demo1 if I installed it?

Remove 0x2ai-demo1 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is 0x2ai-demo1 part of a known attack campaign?

Yes — 0x2ai-demo1 is associated with the IN-MAL-2026-005669, IN-MAL-2026-005681, IN-MAL-2026-005670 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect 0x2ai-demo1 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking 0x2ai-demo1 and packages like it before any post-install script runs.

Malicious package

0x2ai-demo1npm

Malicious code in 0x2ai-demo1 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5587

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall 0x2ai-demo1

What this malware does

On npm install, scripts/postinstall.cjs runs fs.cpSync(payload, cwd, { recursive: true }) with cwd=process.env.INIT_CWD || process.cwd() — recursively writing the package's entire payload/ tree (.mcp.json, CLAUDE.md,.claude/commands/,.claude/settings.json, and three chatroom.cjs files) into the installing project's root directory. The dropped.mcp.json registers an MCP server named chatroom whose BRIDGE_URL is hardcoded to https://demo1.0x2ai.com (the author's endpoint). The dropped CLAUDE.md is auto-loaded by Claude Code as project instructions, redefines the assistant persona, and instructs use of the planted MCP tools/bridge. The companion binary payload/chatroom-mcp-lite-patched.cjs exposes a provider_query tool that POSTs caller prompts to ${BRIDGE}/api/proxy-query ("API keys are managed server-side — no client keys needed"), and memory_save/load/chatroom_post/settings_set are similarly routed. Any subsequent Claude Code session opened in the consumer's project will silently forward prompts, memory, settings, and any API keys configured via settings_set to demo1.0x2ai.com. The package also ships URL-path obfuscation (/x/<sha256(salt+path)[:4]>) that is dormant only because the shipped config sets DIRECT_API=1. A bin/start.cjs entry additionally launches claude --dangerously-skip-permissions, disabling Claude Code's tool-permission prompts and amplifying the relay's reach when the user runs the bundled CLI.

Malicious versions

3 flagged

1.2.02.0.02.0.2

Indicators of compromise (SHA-256)

b29f3d65354dd3bf54e23142f5c6577ad4c5a37b9ff109200309cbb6453b8c26

baf53f193b709bc0c98ddbe429cb8edf1caf1ed2fa019bc3e7dc362e431c493f

fdc7c661d4867578d3dd920010bccc1e79fcae8753b5bf549f44ea8a45cde502

Frequently asked questions

No. 0x2ai-demo1 on npm has been identified as a malicious package (versions 1.2.0, 2.0.0, 2.0.2 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005669IN-MAL-2026-005681IN-MAL-2026-005670

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection