- Security researchers detected the first known malicious Model Context Protocol (MCP) server in the wild on September 17, 2025.
- A fake npm package named postmark-mcp imitating a legitimate library was found to steal emails by copying them to an external server.
- The compromised package was uploaded by developer phanpak, was downloaded over 1,600 times, and later removed from the npm repository.
- The attack added a BCC line forwarding emails to “phan@giftshop[.]club,” exposing sensitive communications.
- Developers using this package are advised to remove it, change exposed credentials, and check for unauthorized email forwarding.
On September 17, 2025, Cybersecurity researchers uncovered the first real-world case of a malicious Model Context Protocol (MCP) server embedded in an npm package called postmark-mcp. The package, uploaded by developer phanpak, copied emails sent through the MCP service to a personal server without user consent, creating significant supply chain risks.
The MCP server is intended to help users send emails, manage templates, and track campaigns using AI assistants. The legitimate library is available on GitHub and can be accessed through Postmark Labs. However, version 1.0.16 of the npm clone, released on September 17, 2025, included a malicious change that silently forwarded all emails to “phan@giftshop[.]club” by adding a blind carbon copy (BCC).
Phanpak uploaded the fake package on September 15, 2025, and it attracted around 1,643 downloads before being removed from the npm repository. Koi Security CTO Idan Dardikman stated, “Since version 1.0.16, it’s been quietly copying every email to the developer’s personal server.” He emphasized the simplicity of the backdoor and the broad impact it could have by stealing thousands of emails.
MCP servers operate with high trust and permissions inside development toolchains, handling sensitive data like password resets and customer communications. Security company Snyk noted that the backdoor was designed specifically to harvest emails from agentic workflows relying on the MCP server. They highlighted the risks involved due to the elevated privileges and data sensitivity managed by MCP servers.
Developers who installed the compromised package are advised to remove postmark-mcp from their projects immediately. They should rotate any credentials that might have been exposed and review email logs for any unauthorized BCC to the reported domain. This incident illustrates ongoing threats from malicious actors exploiting trust within open-source and emerging ecosystems.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
Previous Articles:
- Yearn Finance Proposes Overhaul to Reward YFI Token Holders
- Fed’s Waller: Stablecoins Should Coexist With Cash, Urges Regulation
- SWIFT Picks Linea Blockchain Over XRP Ledger for Payments Pilot
- AllUnity, Privy Partner to Embed EURAU Euro Stablecoin Wallets
- Microsoft Warns of AI-Driven Phishing Using Obfuscated SVG Files
