First-Ever Malicious MCP Server Found in the Wild Steals Emails via AI Agents


The first-ever malicious Model Context Protocol (MCP) server discovered in the wild is a trojanized npm package named postmark-mcp, which has been secretly exfiltrating sensitive data from users' emails.

The package, downloaded approximately 1,500 times per week, contained a backdoor that copied every email processed by the tool to a server controlled by the attacker. This incident highlights a significant and emerging threat in the AI-powered software supply chain.

npm package Downloads

According to analysis by security firm Koi, the postmark-mcp package was designed as an MCP server that integrates with the Postmark email service, allowing AI assistants to automate email-sending tasks.

For its first 15 versions, the tool functioned as expected, building a foundation of trust within the developer community and becoming integrated into hundreds of workflows.

However, starting with version 1.0.16, a single line of malicious code was added. This code silently added a Bcc field to every outgoing email, sending a copy to phan@giftshop[.]club.

The compromised data included everything from password resets and invoices to confidential internal communications.


The developer behind the package appeared to be a legitimate software engineer from Paris with an established GitHub profile, a tactic that likely helped the malicious package evade suspicion.

The attack was a classic case of impersonation; the developer copied the code from a legitimate GitHub repository officially maintained by Postmark (ActiveCampaign), injected the backdoor, and published it to the npm registry under the same name.

Malicious MCP Server Stealing Data

Koi reported that its risk engine flagged the package after detecting suspicious behavior changes in version 1.0.16. The simplicity of the attack is what makes it particularly alarming.

The developer did not exploit a zero-day vulnerability or use a complex hacking technique; they abused the trust inherent in the open-source ecosystem.

First Malicious MCP Server Found

This incident exposes a critical vulnerability in the architecture of AI agent tools. MCP servers are granted high-level permissions to operate autonomously, often with full access to emails, databases, and APIs.

Unlike traditional software, these tools are used by AI assistants that execute tasks without human review. The AI has no way of detecting that an email is being secretly copied, as it only verifies that the primary task of sending the email was completed successfully.

This creates a major security blind spot for organizations. MCP servers often operate outside of established security perimeters, bypassing Data Loss Prevention (DLP) systems, vendor risk assessments, and email gateways.
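One way an organization can close part of this blind spot is to put a recipient policy check between the AI agent's requested action and the email-sending tool, so that a recipient the caller never asked for (such as an injected Bcc) is caught before the message leaves. The Node.js function below is an added example, not code from postmark-mcp, Postmark or Koi; the message shape, the allowed-domain policy and the sample messages are assumptions constructed for illustration, and the indicator list uses the defanged values published above.

```javascript
// Added example: outbound-mail policy check for an AI agent's email tool.
// Not code from postmark-mcp or Koi; message shape and policy are assumed.

// Defanged indicators as published in the advisory; refanged only for comparison.
const KNOWN_BAD = ["phan@giftshop[.]club", "giftshop[.]club"];
const refang = (s) => s.toLowerCase().replace(/\[\.\]/g, ".");

function domainOf(address) {
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1).toLowerCase();
}

// `intended` is what the agent (or user) asked for; `outgoing` is what the
// tool is about to hand to the mail API. Any recipient present in `outgoing`
// but absent from `intended` was injected somewhere in the tool chain.
function auditOutgoingMail(intended, outgoing, policy) {
  const findings = [];
  const bad = new Set(KNOWN_BAD.map(refang));
  const allowed = new Set(policy.allowedDomains.map((d) => d.toLowerCase()));
  const fields = ["to", "cc", "bcc"];
  const wanted = new Set(
    fields.flatMap((f) => (intended[f] || []).map((a) => a.toLowerCase()))
  );

  for (const field of fields) {
    for (const raw of outgoing[field] || []) {
      const addr = raw.toLowerCase();
      if (!wanted.has(addr)) findings.push({ field, addr, reason: "not requested by caller" });
      if (bad.has(addr) || bad.has(domainOf(addr))) {
        findings.push({ field, addr, reason: "matches known indicator" });
      } else if (!allowed.has(domainOf(addr))) {
        findings.push({ field, addr, reason: "domain not allow-listed" });
      }
    }
  }
  return { allow: findings.length === 0, findings };
}

// Constructed sample: the caller asked for one recipient; the tool added a Bcc.
const intended = { to: ["alice@example.com"] };
const outgoing = { to: ["alice@example.com"], bcc: ["phan@giftshop.club"] };
const policy = { allowedDomains: ["example.com", "partner.example"] };

console.log(JSON.stringify(auditOutgoingMail(intended, outgoing, policy), null, 2));
```

The check compares the agent's stated intent with the final message rather than trusting the tool's success status, which is exactly the signal the AI assistant itself never sees.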

The estimated impact is significant, with calculations suggesting that between 3,000 and 15,000 emails could have been exfiltrated daily from around 300 organizations.

Malicious MCP Server Analysis

After being contacted, the developer deleted the package from npm. However, this action does not remove the compromised package from systems where it is already installed. Any user with version 1.0.16 or later of postmark-mcp remains vulnerable.

Indicators of Compromise (IOCs) and Mitigation

  • Package: postmark-mcp (npm)
  • Malicious Version: 1.0.16 and later
  • Backdoor Email: phan@giftshop[.]club
  • Domain: giftshop[.]club

Users of postmark-mcp are urged to immediately uninstall the package and rotate any credentials or sensitive information that may have been transmitted via email.

This attack serves as a stark warning about the risks associated with the rapidly growing MCP ecosystem, emphasizing the need for robust verification and continuous monitoring of all third-party tools used by AI agents.


About Cybernoz

Security researcher and threat analyst with expertise in malware analysis and incident response.