SecurityCritical

Rogue 'postmark-mcp' npm Package Becomes First Malicious MCP Server Caught Stealing Email

npm ecosystem (malicious 'postmark-mcp' package)

What Happened

A widely used npm package impersonating Postmark's MCP email server behaved normally for its first fifteen releases, then in version 1.0.16 added a one-line backdoor that secretly BCC'd every outgoing email to an attacker-controlled address. Because AI assistants send mail through the MCP server, the change quietly copied all correspondence out. It is regarded as the first tracked case of a malicious MCP server used in a real supply-chain attack.

Impact

Copies of password resets, invoices, customer PII, and internal correspondence flowed to the attacker until the package was pulled on September 25, 2025. Any organization that installed it since mid-September had to assume exposure and rotate every credential ever sent through it.

How to Prevent This

  • Vet and pin MCP server dependencies to trusted publishers and audited versions
  • Review diffs on every MCP/package update rather than auto-upgrading to new releases
  • Egress-monitor MCP servers for unexpected recipients such as hidden BCC destinations
  • Prefer official first-party MCP connectors and verify package provenance/signatures
  • Rotate credentials and audit mail logs after any suspected malicious dependency

Don't Let Your Company Be the Next Case Study

Take our 2-minute quiz to identify your AI risks before they become failures.

Assess Your AI Risks Now →

Most teams can't — find out in 2 minutes

Real AI failures analyzed • Free 2-minute assessment