Fake Postmark MCP NPM package stole emails with one-liner


A fake npm package posing as Postmark's MCP (Model Context Protocol) server silently stole potentially thousands of emails a day by adding a single line of code that secretly copied outgoing messages to an attacker-controlled address.

In a blog post late last week, Postmark warned users about "postmark-mcp" on npm impersonating the email delivery service and stealing its users' emails.

"We want to be crystal clear: Postmark had absolutely nothing to do with this package or the malicious activity," the company said on September 25. "Here's what happened: A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC'd emails to an external server." 

If you downloaded the fake package, Postmark recommends immediately removing it, checking email logs for suspicious activity, and rotating any credentials sent via email.
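To check whether a project pulled in the fake package, its lockfile can be scanned for the name and version reported above. This is an added example, not code from Postmark, Koi Security or this article; the sample lockfiles and the other package names in them are constructed, and treating every version from 1.0.16 upward as carrying the BCC line is an assumption (the report names only 1.0.16).

```javascript
// Added example: package name and version come from the article; samples are constructed.
const FAKE_PACKAGE = "postmark-mcp";   // npm name of the impersonating package
const FIRST_BACKDOORED = [1, 0, 16];   // assumption: this version and later carry the BCC line

// Compare "x.y.z" against FIRST_BACKDOORED; prerelease/build suffixes are ignored.
function atOrAfterBackdoor(version) {
  const parts = String(version).split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0, b = FIRST_BACKDOORED[i];
    if (a !== b) return a > b;
  }
  return true;
}

// Walk a parsed package-lock.json and return every install of the fake package.
function findFakePostmarkMcp(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, bccBackdoor: atOrAfterBackdoor(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, entry] of Object.entries(lock.packages)) {
      const name = path.split("node_modules/").pop();
      if (name === FAKE_PACKAGE) record(path, entry.version);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, entry] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === FAKE_PACKAGE) record(path, entry.version);
        walk(entry.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (not real projects).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-agent", version: "0.1.0" },
  "node_modules/demo-mailer": { version: "2.3.0" },
  "node_modules/postmark-mcp": { version: "1.0.16" } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "mail-tools": { version: "2.0.0", dependencies: {
    "postmark-mcp": { version: "1.0.12" } } } } };

console.log(findFakePostmarkMcp(sampleV3), findFakePostmarkMcp(sampleV1));
```

Pass it the result of `JSON.parse` on a project's `package-lock.json`. Any hit should be removed regardless of `bccBackdoor`, since the whole package is an impersonation; the flag only tells you whether to go on to the email-log review and credential rotation.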

While we don't know how many organizations were affected by this security incident, Postmark boasts "thousands" of customers, including Ikea, Asana, Minecraft, and 1Password, on its website.

And Koi Security, which discovered the malicious package, says it was downloaded about 1,500 times in a week, integrated into hundreds of developer workflows, and likely stole thousands of emails every day before the Paris-based developer removed the malicious package. 

In the meantime, however, it may have exposed all sorts of sensitive emails that included password resets, multi-factor authentication codes, invoices, financial details, confidential business documents, and customer information.


"The postmark-mcp backdoor isn't just about one malicious developer or 1,500 weekly compromised installations," Koi Security co-founder and CTO Idan Dardikman said last week. "It's a warning shot about the MCP ecosystem itself."

Postmark's MCP server - which is published on GitHub, not npm - allows businesses' AI assistants to send and manage emails.

It does this using MCP, an open protocol that allows AI systems to connect to external tools and data sources. Plus, as researchers have repeatedly shown since its rollout last year, it's also a veritable landmine of security threats.

"We're handing god-mode permissions to tools built by people we don't know, can't verify, and have no reason to trust," Dardikman wrote. "These aren't just npm packages - they're direct pipelines into our most sensitive operations, automated by AI assistants that will use them thousands of times without question."

The Register emailed the developer and did not immediately receive a response to our questions. We will update this story if and when we hear back from them.

It appears, however, that the developer took the legitimate code from the Postmark MCP server's GitHub repository, added the line of code to BCC all emails to "phan@giftshop[.]club", and published it to npm under the name "postmark-mcp" to mimic the official GitHub repo.

Dardikman estimates that of the 1,500 weekly downloads, around 20 percent are in use, and puts that number at about 300 organizations using the infected MCP server to send between 10 and 50 emails daily. 

"We're talking about 3,000 to 15,000 emails EVERY DAY flowing straight to giftshop.club," he wrote. "And the truly messed up part? The developer didn't hack anything. Didn't exploit a zero-day. Didn't use some sophisticated attack vector. We literally handed him the keys, said 'here, run this code with full permissions,' and let our AI assistants use it hundreds of times a day."

In addition to highlighting the security risks inherent to MCP servers, this is also another example of how easy it is to poison npm packages - or, really, any repository of open source packages - and its potential for massive supply chain attacks.

This month alone, we've seen phishing attacks on npm package maintainers and hundreds of packages infected by secret-stealing malware.

In response, GitHub, which owns the npm registry for JavaScript packages, says it is tightening security. This includes shortening security token lifetimes and switching to two-factor-authentication-enforced local publishing by default "in the near future." ®
