https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft
Security researchers have made a disturbing discovery: the first-ever malicious implementation of a Model Context Protocol (MCP) server. The culprit is the “postmark-mcp” package, which has been silently siphoning emails from hundreds of organisations worldwide since version 1.0.16.
The attack exploited the trust built up over the previous 15 versions of the tool, which had functioned as expected. The malicious actor cloned the legitimate Postmark MCP server code, added a backdoor to copy every email to an external server, and published it under the same name. Koi’s analysis estimates that the attacker was able to intercept between 3,000 and 15,000 emails daily, including sensitive information such as password resets, invoices, and confidential documents.
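One way to check whether a project pulled in an affected release is to audit its npm lockfile for "postmark-mcp" at or above 1.0.16. This is an added example, not code from Koi or Postmark; it assumes every version from 1.0.16 onward is affected (the article says only "since version 1.0.16"), and the sample lockfiles and the names example-app and example-agent are constructed.

```javascript
// Added example. Sample lockfiles below are constructed, not taken from a real project.
const PACKAGE = "postmark-mcp";
const FIRST_BAD = [1, 0, 16]; // the article: backdoored "since version 1.0.16"

// Numeric semver comparison; a lexical compare would wrongly rank "1.0.9" above "1.0.16".
function isAffected(version) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(version ?? ""));
  if (!m) return true; // git/tarball reference: fail closed, review by hand
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIRST_BAD[i]) return v[i] > FIRST_BAD[i];
  }
  return true; // exactly 1.0.16
}

// Return every installed copy of PACKAGE recorded in a parsed package-lock.json.
function findInstalls(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, affected: isAffected(version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`)) {
        record(path, meta.version);
      }
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${name}`;
        if (name === PACKAGE) record(path, meta.version);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

const SAMPLE_V3 = { lockfileVersion: 3, packages: {
  "": { name: "example-app" },
  "node_modules/postmark-mcp": { version: "1.0.16" },
  "node_modules/example-agent/node_modules/postmark-mcp": { version: "1.0.9" },
} };
const SAMPLE_V1 = { lockfileVersion: 1, dependencies: {
  "example-agent": { version: "2.0.0", dependencies: { "postmark-mcp": { version: "1.0.18" } } },
} };
console.log(findInstalls(SAMPLE_V3), findInstalls(SAMPLE_V1));
```

To audit a real project, pass `findInstalls` the result of `JSON.parse` on its `package-lock.json`; transitive copies nested under other packages are reported along with direct ones.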
This incident serves as a wake-up call for enterprises, highlighting the growing risks associated with the expanding use of MCP servers and the blind trust placed in these tools. As security teams focus on traditional threat models, these AI-powered systems are being rapidly adopted without proper vetting or security controls, allowing malicious actors to infiltrate sensitive systems and data. Security professionals must address this emerging attack surface before more organisations fall victim to similar attacks.