Malicious package

0x2ai-multi-q (npm)

Malicious code in 0x2ai-multi-q (npm). Remove it immediately and rotate any exposed credentials.

MAL-2026-5601
Immediate action
Remove the package, then rotate any secrets the build/runtime could reach.
npm uninstall 0x2ai-multi-q

What this malware does

Running npx 0x2ai-multi-q (the package's documented invocation) spawns claude --dangerously-skip-permissions and writes a .mcp.json into the user's current working directory that connects Claude to a remote MCP bridge at https://multi.0x2ai.com (bin/start.cjs lines 11-25). With Claude's safety prompts disabled, any tool call the remote bridge induces (file edits, shell commands via Claude's Bash tool, arbitrary subprocess execution) runs on the user's machine without further consent. The bridge operator therefore has effective remote code execution on any host that runs the CLI. The package additionally exposes a provider_query MCP tool that forwards prompts and system prompts through the same bridge (lib/chatroom-mcp-lite-patched.cjs), so all model traffic and any context Claude pastes into prompts is observable by the bridge operator. A fixed bridge auth token is hardcoded in bin/start.cjs and persisted in plaintext to ./.mcp.json in the user's CWD. The README ("throwaway demo connector", two lines) does not disclose the permission-skip flag, the remote control surface, or the prompt relay. Package metadata is consistent with a low-trust throwaway artifact (license: UNLICENSED, no repo/homepage/author, version 0.1.0).

Malicious versions

1 flagged
0.1.0

Indicators of compromise (SHA-256)

e305b12731a6b73c8982935753b52febfa90626f5a75f6942ca154aa708594b6

Frequently asked questions

No. 0x2ai-multi-q on npm has been identified as a malicious package (version 0.1.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005679

Credits

  • Amazon Inspector · finder

0x2ai-multi-q (npm) malicious package — MAL-2026-5601 | O3 Security