The package's MCP server auto-injects a LISP bootstrap into every CAD command sent through cadSend/cadSendWithResult, plus connectcad's initAtlisp and installatlisp. The bootstrap creates a WinHTTP request to http://atlisp.cn/cloud (plain HTTP) and passes the response body directly to (eval (read...)) inside the user's running CAD process. The URL is assembled via strcat string concatenation (e.g., (s "win" h ".win" h "request.5.1") and (s h"://""atlisp.""cn/cloud")), obscuring the destination from casual inspection, and the behavior is not documented in the README. Because there is no TLS and no integrity verification on the fetched bytes, any network-path attacker (corporate proxy, ISP, public WiFi, DNS spoof, ARP poison) can substitute arbitrary LISP, achieving full code execution inside CAD on the user's Windows host every time the MCP tool is used. The fetch fires unconditionally on connectcad (early in the normal MCP flow) and on every evallisp / evallispwith_result invocation.
{
  "malicious-packages-origins": [
    {
      "modified_time": "2026-05-21T03:48:09Z",
      "versions": [
        "1.6.10"
      ],
      "sha256": "c5f4a9667f0a13220de9b838fde4fc16bd5aaa7f79d91f1122725e4799582515",
      "id": "IN-MAL-2026-003716",
      "source": "amazon-inspector",
      "import_time": "2026-05-26T05:51:10.381106206Z"
    }
  ]
}
{
  "evidence_files": [
    {
      "sha256": "52661e97093449503cf2633cf51fdafd28552cc912bba9a84a05d7b631fe8436",
      "tlsh": "85a2745519f348694273303aabcf8405b23796036569eeb9bdcd4380af91a7817f2bf4",
      "path": "dist/cad-worker.js"
    },
    {
      "sha256": "ef32173248382cde53166e294973456e86c0444f2bc6284d339a54e96e2db4ff",
      "tlsh": "b964a54d69fa243112a7b0795d1b5516b330e20b621cecb6faecc3746f580a4d5f2bac",
      "path": "dist/atlisp-mcp.js"
    }
  ],
  "package_integrity": [
    {
      "hashes": {
        "sha512_sri": "sha512-utPe6EFSokP4ETXws1GX7dFAd5Q52CBF82sH9draamJoM8rGCzlJbrjMvAiWFInhqmXJQdhN6ruQ1+1DF5MRpw==",
        "sha1": "a5f6266634af7560186b590f8d957a6564b2fa56"
      },
      "filename": "mcp-1.6.10.tgz"
    }
  ]
}
[
  {
    "description": "The product contains code that appears to be malicious in nature.",
    "name": "Embedded Malicious Code",
    "cweId": "CWE-506"
  }
]
https://github.com/ossf/malicious-packages/blob/main/osv/withdrawn/npm/@atlisp/mcp/MAL-2026-4365.json