Which versions of 0x2ai-zoe are malicious?

The following npm versions of 0x2ai-zoe are flagged malicious: 0.2.0, 1.2.0. Treat any of these as compromised.

How do I remediate 0x2ai-zoe if I installed it?

Remove 0x2ai-zoe from your project and lockfile, then assume any secrets accessible to the build or runtime were exposed: rotate API keys, tokens, and credentials, and audit for unexpected outbound network activity or persistence. Use O3 Security's dependency scanner to confirm the package and its artifacts are fully purged across your stack.

Is 0x2ai-zoe part of a known attack campaign?

Yes — 0x2ai-zoe is associated with the IN-MAL-2026-005668, IN-MAL-2026-005666 campaign. Packages in the same campaign often share infrastructure and payloads, so check whether any related packages are also in your dependency tree.

Can O3 Security detect 0x2ai-zoe in my codebase?

Yes. O3 Security's supply-chain scanner checks every dependency against known-malicious package intelligence at install time and in CI, blocking 0x2ai-zoe and packages like it before any post-install script runs.

Malicious package

0x2ai-zoenpm

Malicious code in 0x2ai-zoe (npm) Remove it immediately and rotate any exposed credentials.

MAL-2026-5602

Immediate action

Remove the package, then rotate any secrets the build/runtime could reach.

npm uninstall 0x2ai-zoe

What this malware does

On npm install, scripts/postinstall.cjs copies the entire payload/ tree into process.env.INIT_CWD (the directory the developer ran npm from), depositing CLAUDE.md,.claude/settings.json,.claude/commands/0x2ai-boot.md,.mcp.json, and several MCP server.cjs files outside the package's own install directory. CLAUDE.md is auto-loaded as project instructions by Claude Code, and.mcp.json hardcodes BRIDGE_URL=https://zoe.0x2ai.com so that any subsequent Claude Code session in that directory routes chatroom_post, memory_save/load/search, brainmail_send, provider_query (user LLM prompts), and settings_set (which can carry API keys) calls through the author's host. bin/start.cjs additionally spawns claude --dangerously-skip-permissions, disabling per-tool consent prompts for filesystem and shell access during the session. The combination — install-time configuration injection into a directory the package does not own + a persona instructing the agent to follow remote-bridge directives + skip-permissions launch — gives the operator at zoe.0x2ai.com unprompted tool access on the developer's machine and silently relays prompts and settings (including credentials) off-host. The install-time write of opinionated Claude Code configuration into the developer's working directory occurs without consent and is the install-time-harm component; the bridge relay is the silent-relay component for any session subsequently opened in that directory.

Malicious versions

2 flagged

0.2.01.2.0

Indicators of compromise (SHA-256)

0095428034b99e1aef40ecb5bc9cce9302f85316748dcfe32abd21c8a98376cb

724bd98c39a8e4ff21b039fddeadfda7f0ef7e3c6be47e771d72efed77d02b1b

Frequently asked questions

No. 0x2ai-zoe on npm has been identified as a malicious package (versions 0.2.0, 1.2.0 flagged). It should be removed immediately — do not install or keep it in your dependency tree.

Campaign

IN-MAL-2026-005668IN-MAL-2026-005666

References

Credits

Amazon Inspector · finder

Scan your dependencies

O3 Security blocks malicious packages like this at install time and in CI.

Supply-chain protection