Supply-Chain Risk in AI Agent Tooling: Malicious MCP Server on npm

TL/DR:
On September 2025, security researchers discovered the first malicious Model Context Protocol (MCP) server in the wild. A fake npm package called postmark‑mcp—marketed as an official Postmark integration—inserted a one‑line backdoor starting in version 1.0.16 that quietly blind‑copies every email sent by an AI agent to the attacker’s domain (giftshop[.]club) [1]. Because MCP servers run with high trust and access to sensitive data, this supply‑chain compromise exposes passwords, reset links and other secrets [1]. If you have ever installed postmark‑mcp, uninstall it immediately, block the exfiltration domain, and rotate any credentials that may have been exposed [4]. Going forward, treat all MCP servers as high‑risk and implement strict egress controls, code signing, and provenance checks.

What happened

• In mid‑September 2025 a malicious actor published an npm package called postmark‑mcp, a supposed Model Context Protocol (MCP) server that lets AI assistants send mail through Postmark. The malicious package copied code from the legitimate Postmark MCP server but introduced a single hidden line in version 1.0.16 that adds a blind‑copy (Bcc) header pointing to phan@giftshop[.]club [4]. Every email sent through this MCP server—including password resets, invoices and internal memos—was silently forwarded to the attacker [3].
• According to Koi Security, the package was downloaded roughly 1,500 times per week and integrated into hundreds of developer workflows before it was taken down [2]. Versions 1.0.0 through 1.0.15 worked perfectly; the malicious Bcc appeared only in 1.0.16 and later [2]. The package has since been removed from npm and the GitHub repository taken offline.
• Postmark clarified that they did not develop or authorize the postmark‑mcp package and that the legitimate Postmark API and services were never compromised [5].

Why this matters

MCP servers are the “plumbing” that connects large‑language‑model agents to real‑world systems. They run with high privileges—able to send email, access databases and perform transactions on behalf of the agent—and sit outside normal security controls. Snyk warned that any data handled by an MCP server can include passwords, customer PII and internal communications [1]. The postmark‑mcp incident is the first publicly known malicious MCP server and demonstrates how a single rogue dependency can exfiltrate sensitive information at scale [3].

Impact & exposure

• Who’s affected: Any organisation that installed or used postmark‑mcp version 1.0.16 or later. Given the package’s popularity, hundreds of AI agent workflows may have been compromised [2].
• Data at risk: Full email contents and attachments—including password reset links, invoices, API keys and customer communications—were forwarded to the attacker [1].
• Blast radius: Agent‑driven automation may have sent large volumes of emails with no human oversight, compounding the exposure. Even though the package has been removed from npm, installed copies will continue exfiltrating data until they are manually uninstalled [1].

Immediate response checklist

1. Inventory & kill switch: Search your code and infrastructure for postmark‑mcp. If present, uninstall it and stop any agent workflows that depend on it [4].
2. Block the exfiltration domain: Add giftshop[.]club to your egress block list [4].
3. Rotate credentials: Replace Postmark API keys and any secrets that may have been exposed (SMTP credentials, tokens, passwords) [4].
4. Audit email logs: Review mail logs for unexpected Bcc traffic to phan@giftshop[.]club or the giftshop[.]club domain [3].
5. Forensics: Preserve snapshots of affected hosts and agent logs before making changes.

Hardening MCP and agent toolchains

• Egress allow‑lists: Restrict outbound connections from MCP servers to only approved domains (e.g. official Postmark endpoints). Block all other outbound network traffic.
• Signed & pinned MCP servers: Require cryptographic signing or hash‑pinning of MCP server binaries. Verify signatures at build and runtime.
• Verify your dependencies: Install MCP servers only from verified upstreams. Cross‑check npm packages with their official GitHub repositories and maintainers.
• Least privilege: Scope API keys and secrets to the minimal required permission (send only). Store them in a managed secrets vault and rotate frequently.
• Runtime policy: Log and alert on new email headers (like Bcc) or outbound requests to unknown domains. Consider scanning new package versions for unexpected changes.
• Vendor assessment: Treat MCP servers and other agent tools as vendors; subject them to security questionnaires, code reviews and periodic penetration tests.

MITRE ATT&CK lens (probable)

This incident fits several supply‑chain and exfiltration techniques:

• T1190/T1195 – Supply Chain Compromise: Trojanised dependency inserted into the software supply chain.
• T1041 – Exfiltration Over C2 Channel: Emails were exfiltrated via a blind‑copy to an attacker‑controlled domain.
• T1078 – Valid Accounts / T1552 – Unsecured Credentials: Stolen API keys or credentials contained within exfiltrated emails could enable further compromise [1].

Detection ideas

• Static rule: Flag any MCP servers that automatically add Bcc headers to external domains.
• Network rule: Alert on MCP processes connecting to domains outside an approved allow‑list.
• Package hygiene: During CI, diff new MCP versions; fail builds if new network destinations or mail headers appear.
• trail: Log all messages sent via MCP servers with header diffs and receiving domain counters.

References

[1] Snyk – “Malicious MCP Server on npm postmark‑mcp Harvests Emails” (https://snyk.io/blog/malicious-mcp-server-on-npm-postmark-mcp-harvests-emails/)
[2] Koi Security – “First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails” (https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft)
[3] The Hacker News – “First Malicious MCP Server Found Stealing Emails in Rogue Postmark‑MCP Package” (https://thehackernews.com/2025/09/first-malicious-mcp-server-found.html)
[4] Qualys ThreatProtect – “Malicious MCP Server on npm postmark-mcp Exploited in Attack” (https://threatprotect.qualys.com/2025/09/30/malicious-mcp-server-on-npm-postmark-mcp-exploited-in-attack/)
[5] Postmark – “Security Alert: Malicious ‘postmark‑mcp’ npm Package Impersonating Postmark” (https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)