Enterprises everywhere are embracing MCP servers—tools that grant AI assistants “god-mode” permissions to send emails, run database queries, and automate tedious tasks. But no one ever stopped to ask: Who built these tools? Today, the first real-world malicious MCP server—postmark-mcp—has emerged, quietly exfiltrating every email it processes.
Since its initial release, postmark-mcp has been downloaded 1,500 times each week, seamlessly integrating into hundreds of developer workflows.
Versions 1.0.0 through 1.0.15 operated flawlessly, earning enthusiastic recommendations: “Check out this great MCP server for Postmark integration.” It became as essential as a morning coffee.
Then came version 1.0.16. Buried on line 231 of the code lies a single, innocuous-looking instruction: a hidden BCC that copies every outbound email to the attacker’s personal server—giftshop.club. Password resets, invoices, internal memos, confidential documents: everything now has an “unwanted passenger.”
How We Caught It
Koi’s risk engine flagged postmark-mcp after detecting suspicious behavior changes in version 1.0.16. Our researchers decompiled the update and discovered the BCC injection.
What’s chilling is the attacker’s method: copying legitimate code from ActiveCampaign’s official GitHub repo, inserting the malicious line, and publishing it under the same package name on npm. Classic impersonation, perfect in every detail except for that one line of betrayal.
Conservatively estimating 20% of weekly downloads are in active use, roughly 300 organizations are compromised. If each sends 10–50 emails daily, that’s 3,000–15,000 illicit exfiltrations every single day.
And there’s no sign of slowing down—developers grant MCP servers full email and database access without a second thought.
What makes this attack especially insidious is its simplicity. The developer required neither zero-day exploits nor advanced malware techniques. We, as a community, handed over the keys:
- Send emails as us with full authority.
- Access our databases.
- Execute commands on our systems.
- Make API calls using our credentials.
And then we let our AI assistants run wild—no sandbox, no review, no containment.
Why MCPs Are Fundamentally Broken
MCP servers differ from standard npm packages: they operate autonomously, integrated with AI assistants that execute every command without question.
Your AI cannot detect a hidden BCC field. It only sees “send email—success.” Meanwhile, every message is silently siphoned off.
When asked for comment, the author of postmark-mcp remained silent—then deleted the package from npm in a desperate bid to erase evidence.
Yet deletion from npm does not purge already infected systems. Those 1,500 weekly installs continue their illicit shipments, oblivious to the backdoor.
This isn’t just about one malicious developer; it’s a warning shot about the MCP ecosystem. We’ve normalized installing tools from strangers and letting AI assistants wield them with impunity. Every package, every update becomes part of our critical infrastructure—until one day, it isn’t.
At Koi, we’re combatting this threat with a supply chain gateway that blocks unverified MCP servers, flags suspicious updates, and enforces continuous monitoring.
Unlike traditional security tools, our risk engine detects behavioral anomalies—like a hidden BCC—before the damage is done.
If you’re using postmark-mcp version 1.0.16 or later, remove it now and rotate any exposed credentials. But this incident demands a broader reckoning: Audit every MCP server in your environment. Ask tough questions: Who built this tool? Can you verify its author? Does it undergo regular security reviews?
With MCP servers, paranoia is just good sense. We gave strangers god-mode permissions; it’s time to demand verification, not blind trust.
Follow us on Google News, LinkedIn, and X to Get Instant Updates and Set GBH as a Preferred Source in Google.
