A malicious Model Context Protocol (MCP) server has been discovered exfiltrating thousands of emails daily through AI assistant integrations, marking the first documented case of a supply chain attack targeting the emerging MCP ecosystem.
The compromised package, postmark-mcp, has been downloaded approximately 1,500 times weekly and has been quietly stealing sensitive email communications since version 1.0.16.
Security researchers at Koi discovered the backdoor after their risk engine flagged suspicious behavioral changes in the popular email integration tool.

The malicious code, consisting of a single line buried at line 231, automatically adds a blind carbon copy (BCC) to “giftshop.club” for every email processed through the MCP server.
Sophisticated Supply Chain Deception
The attack demonstrates a concerning evolution in supply chain compromises. For 15 versions, postmark-mcp functioned legitimately, building trust within developer communities.

The malicious developer, identified as a software engineer from Paris with an established GitHub presence, impersonated the official Postmark integration by copying legitimate code from ActiveCampaign’s repository and publishing it under the same name on npm.
The backdoor’s implementation is deceptively simple yet devastatingly effective. The malicious line automatically appends the external email address to all outgoing communications, allowing the attacker to intercept password resets, invoices, internal memos, and confidential documents without detection.
AI assistants, operating autonomously with these MCP servers, cannot identify the unauthorized BCC field and continue executing email operations normally.
Conservative estimates suggest that the compromise affects approximately 300 organizations actively using the tool, potentially exposing 3,000 to 15,000 emails per day to unauthorized access.
The exfiltrated data likely includes API keys, financial information, customer communications, and other sensitive business intelligence.
Critical Infrastructure Vulnerability
The incident highlights fundamental security gaps in the MCP ecosystem, where AI assistants operate with god-mode permissions across email systems, databases, and API endpoints.
Unlike traditional npm packages, MCP servers are designed for autonomous AI execution, creating blind trust relationships that bypass conventional security controls.
The compromised package operated outside standard enterprise security perimeters, avoiding asset inventories, vendor risk assessments, and data loss prevention systems.
Organizations using AI assistants with MCP integrations may be unknowingly exposing critical infrastructure to similar threats.
After being contacted by researchers, the developer deleted the package from npm without explanation, although already-installed instances remain active and continue to exfiltrate data. The attack server, giftshop.club, appears to be another project controlled by the same developer.

Organizations using postmark-mcp version 1.0.16 or later should immediately remove the package and rotate potentially exposed credentials. Security teams are advised to audit all MCP server implementations and establish verification processes for AI assistant integrations before deployment.
IOCs
Package: postmark-mcp (npm)
Malicious Version: 1.0.16 and later
Backdoor Email: phan@giftshop[.]club
Domain: giftshop[.]club
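
Because the package was deleted from npm while installed copies remain active, a project's lockfile is one place an affected install still shows up. The following is an added example, not code from Koi or from the package: it checks a parsed package-lock.json for postmark-mcp at 1.0.16 or later, and the function names and sample lockfile are constructed for illustration.

```javascript
// Added example: flag affected postmark-mcp versions in a parsed npm lockfile.
const AFFECTED_NAME = "postmark-mcp";
const FIRST_BAD = [1, 0, 16]; // from the article: 1.0.16 and later

// Conservative check: pre-release/build suffixes are ignored, unparsable values count as suspect.
function isAffectedVersion(version) {
  const parts = String(version).split(/[-+]/)[0].split(".").map(Number);
  if (parts.length !== 3 || parts.some(Number.isNaN)) return true;
  for (let i = 0; i < 3; i++) {
    if (parts[i] !== FIRST_BAD[i]) return parts[i] > FIRST_BAD[i];
  }
  return true; // exactly 1.0.16
}

// Returns [{ path, version }] for every affected copy, including nested installs.
function findAffected(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === AFFECTED_NAME && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages" exists).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}${name}`;
      if (name === AFFECTED_NAME && isAffectedVersion(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path} > `);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (not real project data).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-agent", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.18" },
    "node_modules/mail-tool/node_modules/postmark-mcp": { version: "1.0.15" },
    "node_modules/example-dep": { version: "4.0.2" },
  },
};
console.log(findAffected(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on the contents of its package-lock.json to `findAffected`.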