An NPM package copying the official ‘Postmark-MCP’ project on GITHUB deteriorated with the latest update, which added a line of code to exfiltrate the email communication of all its users.
Published by a valid -looking developer, was an ideal replica of authentic one in terms of malicious package code and details, appearing as an official port on NPM for 15 recurrences.
Model Reference Protocol (MCP) is an open standard that allows AI assistants to interface with external equipment, APIs and databases in a composed, predetermined and safe manner.
The postmark is an email delivery platform, and the postmark MCP is the MCP server that highlights the functionality of the AI assistants, which sends them emails from the user or app.
As Koi security discovered Researchers, malicious packages on NPM were cleaned through 1.0.15 in all versions, but in 1.0.16 release, it added a line, which sent all the user emails to an external address attached to an uniform developer in the giftshop (.) Club.
Source: No Security
This highly risky functionality may have highlighted individual sensitive communication, password reset requests, two-factor authentication code, financial information and even customer details.
The malicious version on NPM was available for a week and around 1,500 downloads were recorded. From the estimates of any security, thousands of emails in fake packages can be exfiltrated from users who ignore.
For those who downloaded Postmark-MCP From NPM, it is recommended to remove it immediately and to rotate any possible exposed credentials. Also, audit all MCP servers in use and monitor them for suspicious activity.
Bleepingcomputer has contacted the NPM package publisher to ask about the findings of KOI security, but we did not get any reply. The next day, the developer removed the malicious package from the NPM.
Source: No Security
A security report highlights a broken security model, where the server is applied in an important environment without an oversite or sandboxing, and AI assistants are carried out for a malicious command without filtering for malicious behavior.
Because MCPs move with very high privilements, there is a significant risk in any vulnerability or misunderstanding.
Users must verify the source of the project and ensure that it is an official repository, review the source code and Changelog, and look carefully for every update change.
Before using a new version in production, run the MCP server in isolated containers or sandbox and monitor their behavior for suspicious functions such as data exfoliation or unauthorized communication.
The passwords broke in 46% of the atmosphere, almost doubled by 25% last year.
Picus Blue Report 2025 Now get a wider look at more conclusions on prevention, detection and data exfIs.
