Cybersecurity researchers have discovered what is described as the first instance of a model context protocol (MCP) server discovered in the wild, increasing the risk of the software supply chain.
According to KOI Security, legally-looking developers were able to slip in malformed code within an NPM package called “Postmark-MCP”, which copied the official Postmark Labs library of the same name. The malicious feature was introduced in version 1.0.16, released on September 17, 2025.
The actual “Mark-MCP” library available on GitHub allows users to expose MCP servers to send emails, access and use email templates, and track campaigns using Artificial Intelligence (AI) Assistant.
The NPM package in question was removed from NPM by developer “Phanpak” and uploaded to the repository on September 15th, 2025, maintaining 31 other packages. The JavaScript library has collected a total of 1,643 downloads.
“Since version 1.0.16, we’ve quietly copied all emails to developers’ personal servers,” said Idan Dardikman, Chief Technology Officer of KOI Security. “This is the world’s first sighting of a real-world malicious MCP server. The attack surface of endpoint supply chain attacks is gradually becoming the biggest attack surface for the enterprise.”
The malicious package is a replica of the original library and saves one line change added to version 1.0.16.[.]bcc’ing it by club “Discover potentially sensitive communications.
“The postmark MCP backdoor is not refined. It’s embarrassingly simple,” Dardikman said. “But it perfectly shows just how completely broken this whole setup is. One developer. One line of code. With thousands of stolen emails.”
Developers who have installed the NPM package are recommended to remove it from the workflow immediately, rotate any credentials that may have been published in email, and check the email logs of BCC traffic to the reported domain.
“MCP servers typically run with high trust and wide range of privileges within the agent toolchain. That’s why they are sensitive to the data they process (password resets, invoices, customer communications, internal memos, etc.), Snyk said. “In this case, the backdoor of this MCP server was built with the intention of harvesting and removing emails from agent workflows that rely on this MCP server.”
The findings show how threat actors continue to exploit user trust associated with the open source ecosystem and the early MCP ecosystem, especially when deployed in a critical business environment without proper guardrails.
Source link
