First Malicious MCP in the Wild: The Postmark Backdoor Stealing Your Emails

Overview

postmark-mcp, an MCP (Model Context Protocol) server used to automate email tasks from AI assistants, was found to be malicious starting with version 1.0.16. The package was downloaded about 1,500 times a week and sat in hundreds of developer workflows. The malicious version silently copies every email it sends to the attacker's server, including password resets, invoices and confidential documents. This is the first known real-world case of a malicious MCP server, and it highlights a new enterprise attack vector that runs on developer endpoints.

Discovery by Koi Security

Koi's risk engine flagged postmark-mcp for suspicious behaviour beginning with version 1.0.16. The developer appeared legitimate, with a real GitHub profile, so the package was widely trusted. For 15 versions (1.0.0 to 1.0.15) the tool behaved normally. Version 1.0.16 adds a single malicious line: a BCC header that sends a copy of every outgoing email to an attacker-controlled address. The attacker copied the code of the official Postmark (ActiveCampaign) repository, inserted that line, and published the result on npm under the same package name.

Attack Mechanics and Impact

Installing an MCP server effectively grants its unknown author full email-sending authority, and often database access, API permissions and the ability to run system commands as well. AI assistants invoke these tools automatically, repeatedly and without review, so every email they sent through postmark-mcp carried a hidden BCC to the attacker's domain, giftshop.club.

Estimated impact: 1,500 weekly downloads, roughly 20% active → about 300 organizations compromised. Each sends 10-50 emails a day → 3,000 to 15,000 emails exfiltrated per day.

The attack exploited no traditional vulnerability. It abused a trust model in which packages from unknown authors are granted god-mode permissions with no oversight.

Timeline of the Attack

- Build a legitimate tool: versions 1.0.0 to 1.0.15 are trusted and widely used.
- Inject the backdoor: version 1.0.16 adds the BCC line that exfiltrates every email.
- Profit: mail containing sensitive information floods the attacker's server.

When contacted, the developer deleted the npm package, but existing installations remain compromised: the leak continues until the package is uninstalled.

Core Problem: Broken MCP Ecosystem Security Model

MCP servers are autonomous tools for AI assistants that run with extensive permissions but have no built-in security, sandboxing or verification. Developers install packages from strangers and let them run with full privilege, with no risk assessment and no way to detect abuse. The AI assistant cannot recognise a malicious BCC or any other exfiltration; it simply executes the tool call. The postmark-mcp backdoor exposes how much the MCP supply chain rests on unverified dependency assumptions.

Recommendations & Mitigations

- If you use postmark-mcp (v1.0.16 or later), remove it immediately.
- Rotate any credentials that may have passed through compromised emails.
- Audit all MCP servers and packages for suspicious behaviour or unauthorized changes.
- Check email logs for unexpected BCC headers to giftshop.club.
- Use supply chain security tooling such as Koi's gateway to block malicious or suspicious packages proactively.
- Maintain stringent verification and continuous monitoring of software tools given elevated privileges.

Indicators of Compromise (IOCs)

- Package: postmark-mcp on npm
- Malicious versions: 1.0.16 and later
- Backdoor email: phan@giftshop[.]club
- Domain collecting emails: giftshop[.]club

Detection Steps

- Monitor email logs for BCC to giftshop.club
- Audit MCP server configurations for unexpected parameters
- Review npm usage for postmark-mcp versions ≥1.0.16

Mitigation Steps

- Uninstall postmark-mcp immediately
- Rotate compromised credentials
- Audit data exposure through email logs
- Report breaches to authorities

---

Summary

The
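The three detection steps above, worked through as an added example that is not part of the original advisory or of the postmark-mcp project: a Node.js script that (1) finds postmark-mcp installs at or above 1.0.16 in a package-lock.json, (2) finds MCP client configurations that launch postmark-mcp (an "npx -y postmark-mcp" entry pulls whatever version is current on npm), and (3) checks an outbound Postmark-style send payload for Cc/Bcc recipients outside an allowlist and marks giftshop.club explicitly. The lockfile, MCP config and mail payload are constructed sample data; the `mcpServers` config shape and the treatment of the Postmark `Bcc` field as a comma-separated string are assumptions about the tools involved, not facts from the advisory.

```javascript
// Added triage helpers for the postmark-mcp incident. Example code written for this
// page, not code from Koi Security or from the postmark-mcp package. Every lockfile,
// MCP config and mail payload below is constructed sample data.

const MALICIOUS_PACKAGE = "postmark-mcp";
const FIRST_MALICIOUS_VERSION = "1.0.16"; // first backdoored release per the advisory
const EXFIL_DOMAIN = "giftshop.club";      // domain receiving the hidden BCC copies

// Numeric comparison of dotted versions; sufficient for plain x.y.z release tags.
function compareVersions(a, b) {
  const pa = a.split(".").map((n) => parseInt(n, 10) || 0);
  const pb = b.split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

function isMaliciousVersion(version) {
  return compareVersions(version, FIRST_MALICIOUS_VERSION) >= 0;
}

// 1. Lockfile check: walk the "packages" map of a package-lock.json (lockfileVersion 2/3)
//    and return every postmark-mcp install at or above the backdoored version.
function findBackdooredInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // last path segment is the package name
    if (name === MALICIOUS_PACKAGE && meta.version && isMaliciousVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// 2. MCP client config check: clients commonly list servers under "mcpServers" with a
//    command and args (assumed shape). Flag any server entry that launches postmark-mcp.
function findPostmarkMcpServers(config) {
  const hits = [];
  for (const [name, srv] of Object.entries(config.mcpServers || {})) {
    const parts = [srv.command || "", ...(srv.args || [])];
    if (parts.some((p) => p.includes(MALICIOUS_PACKAGE))) hits.push(name);
  }
  return hits;
}

// 3. Outbound mail check: a Postmark-style send payload carries To/Cc/Bcc as
//    comma-separated strings (assumed). Report every Cc/Bcc recipient whose domain is
//    not allowlisted and note whether it is the known exfiltration domain.
function auditHiddenRecipients(payload, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  const findings = [];
  for (const field of ["Cc", "Bcc"]) {
    for (const raw of String(payload[field] || "").split(",")) {
      const addr = raw.trim().replace(/^.*<|>$/g, "").toLowerCase(); // strip "Name <addr>"
      if (!addr) continue;
      const domain = addr.slice(addr.lastIndexOf("@") + 1);
      if (!allowed.has(domain)) findings.push({ field, addr, knownExfil: domain === EXFIL_DOMAIN });
    }
  }
  return findings;
}

// Constructed sample inputs.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mail-automation", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/postmark": { version: "4.0.0" }, // the legitimate SDK, not the MCP server
  },
};
const sampleMcpConfig = {
  mcpServers: {
    postmark: { command: "npx", args: ["-y", "postmark-mcp"] },
    filesystem: { command: "npx", args: ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"] },
  },
};
const samplePayload = {
  From: "billing@example.com",
  To: "customer@example.org",
  Bcc: "phan@giftshop.club",
  Subject: "Your invoice",
};

console.log("backdoored installs:", findBackdooredInstalls(sampleLock));
console.log("servers launching postmark-mcp:", findPostmarkMcpServers(sampleMcpConfig));
console.log("hidden recipients:", auditHiddenRecipients(samplePayload, ["example.com"]));
```

Point the same functions at real inputs by loading package-lock.json, the MCP client's config file and your outbound mail records with `fs.readFileSync` and `JSON.parse`. The allowlist check in step 3 is deliberately broader than matching giftshop.club alone: a copycat package could BCC a different domain, and any unexpected Cc/Bcc on machine-generated mail deserves a look.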