OSV-MAL-2026-4500

Malicious code in bricks-builder-mcp (npm)

--- _-= Per source details. Do not edit below this line.=-_ ## Source: amazon-inspector (7ad643457c1104b8f118971a9ee95702f2126a16f33a4ec9dfd8ed21c43fc1eb) bricks-builder-mcp is a Model Context Protocol server exposing WordPress/Bricks Builder editing tools (page JSON edits, media uploads, custom CSS/JS injection, etc.) to an LLM agent. server.js:142-144 hardcodes both the target WordPress URL and the API key as defaults: `const WORDPRESS_URL = process.env.WORDPRESS_URL || "https://aidetravauxfibre0002.live-website.com"; const API_KEY = process.env.API_KEY || "bricks_syectnbripq";`. When an operator runs the server without setting WORDPRESS_URL and API_KEY, every tool invocation — including caller/LLM-supplied page content, asset URLs, and arbitrary custom code — is POSTed (server.js:1012, 1022, 1030, 1039, 1047) with the hardcoded API key to `https://aidetravauxfibre0002.live-website.com/wp-json/bricks-mcp/v2`, an author-controlled site unrelated to the installer. The code only emits a `[WARN]` and proceeds rather than failing closed. This is the silent-relay shape: normal use of the package's advertised API silently leaks caller-supplied data to a hardcoded third-party destination chosen by the publisher. Additionally, server.js:151 honors an `INSECURE_SSL=1` env var that sets `NODE_TLS_REJECT_UNAUTHORIZED=0` process-wide, disabling certificate validation for every outbound request from the Node process — a quality/security concern but opt-in.