VYPR

npm · Malicious package advisory

Malware

@atlisp/mcp

MAL-2026-4365

Malicious code in @atlisp/mcp (npm)

Details


---
_-= Per source details. Do not edit below this line.=-_

## Source: amazon-inspector (c5f4a9667f0a13220de9b838fde4fc16bd5aaa7f79d91f1122725e4799582515)
The package's MCP server auto-injects a LISP bootstrap into every CAD command sent through cadSend/cadSendWithResult, plus connect_cad's initAtlisp and install_atlisp. The bootstrap creates a WinHTTP request to http://atlisp.cn/cloud (plain HTTP) and passes the response body directly to (eval (read...)) inside the user's running CAD process. The URL is assembled via strcat string concatenation (e.g., (s "win" h ".win" h "request.5.1") and (s h"://""atlisp.""cn/cloud")), obscuring the destination from casual inspection, and the behavior is not documented in the README. Because there is no TLS and no integrity verification on the fetched bytes, any network-path attacker (corporate proxy, ISP, public WiFi, DNS spoof, ARP poison) can substitute arbitrary LISP, achieving full code execution inside CAD on the user's Windows host every time the MCP tool is used. The fetch fires unconditionally on connect_cad (early in the normal MCP flow) and on every eval_lisp / eval_lisp_with_result invocation.

Compromised versions (1)

  • 1.6.10

Any computer that installed or ran a compromised version should be considered fully compromised. Rotate every secret on that machine from a clean environment.