What Happened
A widely used npm package impersonating Postmark's MCP email server behaved normally for its first fifteen releases, then in version 1.0.16 added a one-line backdoor that secretly BCC'd every outgoing email to an attacker-controlled address. Because AI assistants send mail through the MCP server, the change quietly copied all correspondence out. It is regarded as the first tracked case of a malicious MCP server used in a real supply-chain attack.
Impact
Copies of password resets, invoices, customer PII, and internal correspondence flowed to the attacker until the package was pulled on September 25, 2025. Any organization that installed it since mid-September had to assume exposure and rotate every credential ever sent through it.
How to Prevent This
- Vet and pin MCP server dependencies to trusted publishers and audited versions
- Review diffs on every MCP/package update rather than auto-upgrading to new releases
- Egress-monitor MCP servers for unexpected recipients such as hidden BCC destinations
- Prefer official first-party MCP connectors and verify package provenance/signatures
- Rotate credentials and audit mail logs after any suspected malicious dependency