In a newly disclosed supply-chain attack, an npm package, “postmark-mcp”, was weaponized to stealthily exfiltrate emails, making it the first reported in-the-wild attack to exploit the trust users place in, and the thin guardrails around, the much-hyped AI connector protocol, MCP.
The malicious package, downloaded about 1500 times per week from the popular Node.js package registry, posed as a legitimate Model Context Protocol (MCP) server for integrating Postmark, a transactional email service owned by ActiveCampaign, into AI assistants.
“Since version 1.0.16, it (postmark-mcp) has been quietly copying every email to the developer’s personal server,” said Idan Dardikman of Koi Security in a blog post. “I’m talking password resets, invoices, internal memos, confidential documents – everything.”
For fifteen versions prior, postmark-mcp functioned as a legitimate tool, trusted by developers to integrate AI assistants with email workflows, according to Dardikman. Then, with a single-line code change, it stealthily added the backdoor.
Backdoor through hidden BCC
Koi’s risk engine flagged a suspicious behavior in version 1.0.16, which led their researchers to a hidden BCC insertion. The attacker had copied the official (ActiveCampaign) MCP codebase, then injected a single email-duplication line deep in the code. Once the version was published, each time the tool sent an email, it also silently forwarded a copy to phan@giftshop.club, a domain tied to the attacker. Same name, same function, just an added backdoor.
“The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple,” Dardikman added. “But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails.”
He made a “conservative” estimate that the attacker gained unauthorized access to around 3000 to 15000 emails per organization per day, across a total of 500 affected organizations. The emails likely contained a mix of sensitive business data, including password resets, invoices, internal memos, and other private correspondence.
Because the malicious change was minimal and nearly indistinguishable in normal use, it could remain undetected for extended periods.
Risks persist even after package removal
Koi Security researchers received no reply when they contacted the developer (the attacker) behind version 1.0.16 to ask about the added ‘BCC’. Instead, they saw the package promptly removed, even before they could report it to npm.
However, deleting the package from the registry does not remove it from the machines it already runs on. While it is unclear how many developers actually downloaded the version, every single one of the “average 1500 weekly” downloads is compromised – the factor that likely motivated the attacker’s swift withdrawal of the package.
To mitigate damage, Koi recommends immediate removal of postmark-mcp (version 1.0.16), rotation of credentials possibly leaked via email, and thorough audits of all MCP servers in use.
“These MCP servers run with the same privileges as the AI assistants themselves – full email access, database connections, API permissions – yet they don’t appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways,” Dardikman added. “By the time someone realizes their AI assistant has been quietly BCCing emails to an external server for months, the damage is already catastrophic.”
Security practitioners have been skeptical of MCP ever since Claude’s creator, Anthropic, introduced it. Over time, the protocol has hit several bumps, with vendors like Anthropic and Asana reporting critical flaws in their MCP implementations.