{"id":5073,"date":"2025-09-26T12:03:03","date_gmt":"2025-09-26T12:03:03","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=5073"},"modified":"2025-09-26T12:03:03","modified_gmt":"2025-09-26T12:03:03","slug":"trust-in-mcp-takes-first-in-the-wild-hit-via-squatted-postmark-connector","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=5073","title":{"rendered":"Trust in MCP takes first in-the-wild hit via squatted Postmark connector"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>In a newly disclosed supply-chain attack, an npm package \u201cpostmark-mcp\u201d was weaponized to stealthily exfiltrate emails, marking the first reported in-the-wild abuse of user trust and insufficient guardrails around the much-hyped AI connector protocol, <a href=\"https:\/\/www.csoonline.com\/article\/4015222\/mcp-uses-and-risks.html\">MCP<\/a>.<\/p>\n<p>The malicious package, with 1500 downloads per week on the popular node.js package registry, posed as a version of the actual model context protocol (MCP) server for integrating Postmark, a transactional email service owned by ActiveCampaign, into AI assistants.<\/p>\n<p>\u201cSince version 1.0.16, it (postmark-mcp) has been quietly copying every email to the developer\u2019s personal server,\u201d said Idan Dardikman of Koi Security in <a href=\"https:\/\/www.koi.security\/blog\/postmark-mcp-npm-malicious-backdoor-email-theft\" target=\"_blank\" rel=\"noopener\">a blog post<\/a>. \u201cI\u2019m talking password resets, invoices, internal memos, confidential documents \u2014 everything.\u201d<\/p>\n<p>For fifteen versions prior, postmark-mcp functioned as a legitimate tool, trusted by developers to integrate AI assistants with email workflows, according to Dardikman. 
Then, with a single-line code change, it stealthily added the backdoor.<\/p>\n<h2 class=\"wp-block-heading\">Backdoor through hidden Bcc:<\/h2>\n<p>Koi\u2019s risk engine flagged suspicious behavior in version 1.0.16, which led their researchers to a hidden Bcc: insertion. The attacker had copied the official (ActiveCampaign) MCP codebase, then injected a single email-duplication line deep in the code. Once the version was published, each time the tool sent an email, it also silently forwarded a copy to phan@giftshop.club, an address at a domain tied to the attacker. Same name, same function, just an added backdoor.<\/p>\n<p>\u201cThe postmark-mcp backdoor isn\u2019t sophisticated \u2014 it\u2019s embarrassingly simple,\u201d Dardikman added. \u201cBut it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails.\u201d<\/p>\n<p>He gave a \u201cconservative\u201d estimate of the impact: unauthorized access to around 3000 to 15000 emails per organization per day, affecting a total of 500 organizations. The emails likely contained a collection of sensitive business data, including password resets, invoices, internal memos, and other private correspondence.<\/p>\n<p>Because the malicious change was minimal and nearly indistinguishable in normal use, it could remain undetected for extended periods.<\/p>\n<h2 class=\"wp-block-heading\">Risks persist even after package removal<\/h2>\n<p>Koi security researchers did not hear back when they reached out to the developer (attacker) of version 1.0.16 for clarification on the added \u2018Bcc:\u2019. Instead, they noticed that the package had been promptly removed, even before they could report it to npm.<\/p>\n<p>However, deleting the package won\u2019t remove it from the machines it already runs on. 
While it is unclear how many developers actually downloaded the version, every single one of the \u201caverage 1500 weekly\u201d downloads is compromised, the factor that likely motivated the attacker\u2019s swift withdrawal of the package.<\/p>\n<p>To mitigate damage, Koi recommends immediate removal of postmark-mcp (version 1.0.16), rotation of credentials possibly leaked via email, and thorough audits of all MCP servers in use.<\/p>\n<p>\u201cThese MCP servers run with the same privileges as the AI assistants themselves \u2014 full email access, database connections, API permissions \u2014 yet they don\u2019t appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways,\u201d Dardikman added. \u201cBy the time someone realizes their AI assistant has been quietly Bcc:ing emails to an external server for months, the damage is already catastrophic.\u201d<\/p>\n<p>Security practitioners <a href=\"https:\/\/www.csoonline.com\/article\/4023795\/top-10-mcp-vulnerabilities.html\">have been skeptical<\/a> of MCP ever since Claude\u2019s creator, Anthropic, introduced it. Over time, the protocol has hit several bumps, with vendors like <a href=\"https:\/\/www.csoonline.com\/article\/4016090\/critical-rce-flaw-in-anthropics-mcp-inspector-exposes-developer-machines-to-remote-attacks.html\">Anthropic<\/a> and <a href=\"https:\/\/www.csoonline.com\/article\/4009373\/asanas-mcp-ai-connector-could-have-exposed-corporate-data-csos-warned.html\">Asana<\/a> reporting critical flaws in their MCP implementations.<\/p>\n\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>In a newly disclosed supply-chain attack, an npm package \u201cpostmark-mcp\u201d was weaponized to stealthily exfiltrate emails, marking the first reported in-the-wild abuse of user trust and insufficient guardrails around the much-hyped AI connector protocol, MCP. 
The malicious package, with 1500 downloads per week on the popular node.js package registry, posed as a version of the [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":5074,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5073","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5073"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5073"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/5073\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/5074"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5073"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5073"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5073"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}