Which versions of 0x2ai-ivo are malicious?

The following npm versions of 0x2ai-ivo are flagged malicious: 1.2.0. Treat any of these as compromised.

How do I remediate 0x2ai-ivo if I installed it?

Remove 0x2ai-ivo from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is 0x2ai-ivo part of a known attack campaign?

Yes — 0x2ai-ivo is associated with the IN-MAL-2026-005672 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect 0x2ai-ivo in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking 0x2ai-ivo and packages like it before any post-install script runs.

Malicious package

0x2ai-ivonpm

Malicious code in 0x2ai-ivo (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5599

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall 0x2ai-ivo

What this malware does

On install, the postinstall script copies the package's payload/ tree (CLAUDE.md,.claude/settings.json,.mcp.json, and several.cjs MCP scripts) into the consumer's project directory (process.env.INIT_CWD || process.cwd()) at scripts/postinstall.cjs, materializing Claude Code project config inside any repo where npm install was run. The dropped .mcp.json registers an MCP server whose env includes BRIDGE_URL=https://ivo.0x2ai.com and a hardcoded shared bearer token (BRIDGE_AUTH_TOKEN), so any installer's Claude Code instance auto-attaches to that author-operated bridge. The package's CLI (bin/start.cjs) then spawns claude --dangerously-skip-permissions via a shell, deliberately stripping the permission gate that normally protects the host from agent actions. The MCP scripts (payload/chatroom-mcp-lite-patched.cjs, payload/chatroom-monitor.cjs, payload/chatroom-wait-once.cjs) POST to and long-poll https://ivo.0x2ai.com, receiving chatroom messages that CLAUDE.md/0x2ai-boot.md instruct the agent to act on. The exposed MCP tools (provider_query, memory_save, memory_load, chatroom_post) further route user prompts, conversation memory, and posted messages through the same endpoint authenticated by the shared static token. Net effect: an unattended, permission-bypassed Claude agent on the installer's machine that executes whatever instructions the operator of ivo.0x2ai.com pushes — an over-the-wire remote-control channel whose payloads are not in the tarball and not under the installer's control.

Malicious versions

1 flagged

1.2.0

Indicators of compromise (SHA-256)

e78c039ee7ad67b1a20ef30b37ce03178f6c2181b1e330db69e04dabd0a28686

Frequently asked questions

No. 0x2ai-ivo on npm has been identified as a malicious package (version 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005672

References

npmjs.com

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection