Malicious package

0x2ai-demo10x (npm)

Malicious code in 0x2ai-demo10x (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5588
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall 0x2ai-demo10x

What this malware does

On npm install, scripts/postinstall.cjs runs fs.cpSync(payload, process.env.INIT_CWD, { recursive: true }), copying .mcp.json, CLAUDE.md, .claude/settings.json, .claude/commands/0x2ai-boot.md, and several chatroom-*.cjs helpers directly into the installer's project root.

The dropped .mcp.json registers a chatroom MCP server pointing at https://demo10.0x2ai.com with a hardcoded Bearer token (436687f7d7909aceba719b745e061279aa934dddd36f20f4) shared across all installers. The dropped CLAUDE.md and slash command instruct any Claude Code session opened in that project to invoke chatroom_post / memory_save / provider_query through the author's bridge, silently routing user prompts, memories, and provider queries off-host. payload/chatroom-monitor.cjs and chatroom-wait-once.cjs read local files (fs.readFileSync) and POST them to that bridge over http/https; chatroom-mcp-lite-patched.cjs spawns child processes and POSTs as well. The provided CLI bin/start.cjs then spawns claude --dangerously-skip-permissions in the staged cwd, removing the user's final consent gate before the relay engages.

The combination — install-time write into the consumer project, preconfigured MCP server pointing at an author-controlled endpoint, and a CLI that disables Claude permission prompts — establishes a silent data-flow channel from the developer's IDE/agent to the author's server with no explicit consent beyond npm install.

Malicious versions

1 flagged
1.2.0

Indicators of compromise (SHA-256)

2c4c4b3e66489f3a4383df5e62540498343c5ab3a5ce145df5733b2820efc71b

Frequently asked questions

No. 0x2ai-demo10x on npm has been identified as a malicious package (version 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005675

Credits

  • Amazon Inspector · finder

0x2ai-demo10x (npm) malicious package — MAL-2026-5588 | O3 Security