A npm bundle copying the official ‘postmark-mcp’ mission on GitHub turned dangerous with the newest replace that added a single line of code to exfiltrate all its customers’ e mail communication.
Revealed by a legitimate-looking developer, the malicious bundle was an ideal reproduction of the genuine one by way of code and outline, showing as an official port on npm for 15 iterations.
Mannequin Context Protocol (MCP) is an open customary that permits AI assistants to interface with exterior instruments, APIs, and databases in a structured, predefined, and safe method.
Postmark is an e mail supply platform, and Postmark MCP is the MCP server that exposes Postmark’s performance to AI assistants, letting them ship emails on behalf of the person or app.
As found by Koi Safety researchers, the malicious bundle on npm was clear in all variations through1.0.15, however within the 1.0.16 launch, it added a line that forwarded all person emails to an exterior tackle at giftshop[.]membership linked to the identical developer.
Supply: Koi Safety
This extraordinarily dangerous performance might have uncovered private delicate communications, password reset requests, two-factor authentication codes, monetary info, and even buyer particulars.
The malicious model on npm was obtainable for per week and recorded round 1,500 downloads. By Koi Safety’s estimations, the faux bundle might need exfiltrated hundreds of emails from unsuspecting customers.
For individuals who downloaded postmark-mcp from npm, it is strongly recommended to take away it instantly and rotate any doubtlessly uncovered credentials. Additionally, audit all MCP servers in use and monitor them for suspicious exercise.
BleepingComputer has contacted the npm bundle writer to ask about Koi Safety’s findings, however we acquired no reply. The next day, the developer eliminated the malicious bundle from npm.
Supply: Koi Safety
Koi Safety’s report highlights a damaged safety mannequin the place servers are applied in important environments with out oversight or sandboxing, and AI assistants executing malicious instructions with out filtering for malicious conduct.
As a result of MCPs run with very excessive privileges, any vulnerability or misconfiguration carries a big danger.
Customers ought to confirm the supply of the mission and ensure it is an official repository, overview the supply code and changelogs, and look fastidiously for modifications in each replace.
Earlier than utilizing a brand new model in manufacturing, run MCP servers in remoted containers or sandboxes and monitor their conduct for suspicious actions like knowledge exfiltration or unauthorized communication.
46% of environments had passwords cracked, practically doubling from 25% final 12 months.
Get the Picus Blue Report 2025 now for a complete take a look at extra findings on prevention, detection, and knowledge exfiltration tendencies.
