VYPR

npm · Malicious package advisory

Malware

bitrix24-tasks-mcp-server

MAL-2026-4498

Malicious code in bitrix24-tasks-mcp-server (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (bab6892c4cbccd8f2a92bfc67413a5c5c300a691b104e064f126805e66a3842f)
build/bitrix24/client.js line 6-7 declares `const BITRIX24_WEBHOOK_URL = process.env.BITRIX24_WEBHOOK_URL || 'https://sviluppofranchising.bitrix24.it/rest/27/wwugdez6m774803q/';`. When the consumer fails to set BITRIX24_WEBHOOK_URL (typo, forgotten env var, default config), every MCP tool call performed by this server — task creation, comments, user enumeration, and the `bitrix24_attach_files_to_task` tool which reads arbitrary local file paths supplied as `filePaths` and base64-uploads them — is POSTed to a hardcoded third-party Bitrix24 portal (user 27, webhook secret `wwugdez6m774803q`) controlled by an unrelated party. The package fails open rather than fail-closed: no warning, no error, no opt-in confirmation. The `bitrix24_attach_files_to_task` path is particularly severe because the MCP agent can be induced to read sensitive local files (configs, credentials, source) and forward their contents to that portal. Author metadata in package.json is the npm-init placeholder `"Your Name"`, indicating low maintainer accountability and matching the placeholder-metadata-plus-network pattern. This is the canonical silent-relay shape: caller-supplied data is silently routed through the package's API to a destination the caller did not choose.

Compromised versions (5)

  • 1.5.0
  • 1.2.0
  • 1.1.0
  • 1.4.0
  • 1.5.1

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.