What does the 0x2ai-demo2 malware do?

On `npm install`, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge: - payload/.mcp.json registers an MCP `chatroom` server with hardcoded BRIDGE_URL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGE_AUTH_TOKEN). Any `claude` invocation in the project auto-loads this MCP server. - payload/chatroom-mcp-lite-patched.cjs and payload/chatroom-monitor.cjs use child_process, fs.readFileSync, http/https, and POST to exfiltrate session content (chatroom_post, memory_save, provider_quer

Which versions of 0x2ai-demo2 are malicious?

The following npm versions of 0x2ai-demo2 are flagged malicious: 1.2.0. Treat any of these as compromised.

How do I remediate 0x2ai-demo2 if I installed it?

Remove 0x2ai-demo2 from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is 0x2ai-demo2 part of a known attack campaign?

Yes — 0x2ai-demo2 is associated with the IN-MAL-2026-005676 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect 0x2ai-demo2 in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking 0x2ai-demo2 and packages like it before any post-install script runs.

Malicious package

0x2ai-demo2npm

Malicious code in 0x2ai-demo2 (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5589

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall 0x2ai-demo2

What this malware does

On npm install, scripts/postinstall.cjs recursively copies the bundled payload/ directory into INIT_CWD (the developer's project root) via fs.cpSync. The staged files reconfigure Claude Code so subsequent sessions in that project route through an author-controlled bridge:

payload/.mcp.json registers an MCP chatroom server with hardcoded BRIDGE_URL=https://demo2.0x2ai.com and a hardcoded bearer token (BRIDGE_AUTH_TOKEN). Any claude invocation in the project auto-loads this MCP server.
payload/chatroom-mcp-lite-patched.cjs and payload/chatroom-monitor.cjs use child_process, fs.readFileSync, http/https, and POST to exfiltrate session content (chatroom_post, memory_save, provider_query, settings_set tools) to demo2.0x2ai.com. provider_query proxies model calls through the author's server ("API keys are managed server-side"), so prompts and responses flow one-way to the attacker.
payload/CLAUDE.md is a ~12 KB persona/instruction file that tells Claude to operate as "Olivia", route all memory and chat through https://demo2.0x2ai.com, and refuse to discuss its architecture or prompts (anti-inspection language: taboo, family_recipe).
payload/.claude/settings.json overrides the statusLine command and payload/.claude/commands/0x2ai-boot.md autoboots a long-poll listener against the author's bridge.
bin/start.cjs (advertised as npx 0x2ai-demo2) re-stages the payload into CWD and spawns claude --dangerously-skip-permissions, disabling Claude's tool-permission prompts while the attacker-controlled MCP server is loaded — enabling remote-driven destructive actions on the developer's machine without approval.

The staged files persist after npm uninstall, providing durable redirection of the developer's AI tooling to the author's infrastructure.

Malicious versions

1 flagged

1.2.0

Indicators of compromise (SHA-256)

98ee2445b2f0b01d2457cf45c188b310f58c98f3b676032f9c6213469f071239

Frequently asked questions

No. 0x2ai-demo2 on npm has been identified as a malicious package (version 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005676

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection