A backdoored npm package quietly forwarded sensitive emails to an attacker’s server, marking the first known malicious MCP server in the wild.
According to The Hacker News, a malicious Model Context Protocol (MCP) server was discovered embedded within a counterfeit npm package called "postmark-mcp," marking the first confirmed case of a rogue MCP server used in a live attack. The package impersonated a legitimate Postmark Labs library and was published by a developer using the handle "phanpak." The malicious version (1.0.16) was uploaded on September 17, 2025, and covertly forwarded all sent emails to the attacker's private server.
The rogue package was a near-exact replica of the real Postmark Labs MCP library, with just one added line of code: it blind-copied all outgoing emails to "phan@giftshop[.]club." MCP servers often operate with broad permissions, meaning the exposed data could include password resets, invoices, internal memos, and other sensitive communications. In total, the package had been downloaded 1,643 times before it was removed from npm.
Though technically simple, the backdoor raised concerns about the security of open-source dependencies and the vulnerability of agent-based toolchains to low-effort, high-impact attacks. Developers using the package are advised to remove it immediately, rotate any exposed credentials, and audit email logs for BCC traffic to the malicious address.
Koi Security CTO Idan Dardikman called it a "perfect demonstration" of how a single developer and one line of code could compromise thousands of email communications. Snyk also weighed in, warning that MCP servers are often integrated with high-trust workflows, making them especially dangerous when compromised.
Postmark, the legitimate email platform, issued a statement clarifying that the "postmark-mcp" npm package was not affiliated with them. They stated that their actual API and services remain secure and unaffected.
The discovery of a malicious MCP server hidden inside a legitimate-looking software package exposes just how easily advanced threats can bypass conventional defenses. The Healthcare IT Is Dangerously Overconfident About Email Security report explains that modern attackers now craft tailored campaigns meant to “evade legacy detection filters” and exploit the reality that “email remains healthcare’s largest cybersecurity vulnerability.” Security experts warn that any organization that “still relies on static filters” has become a prime target, especially as these highly adaptive threats continue to slip past tools once trusted to stop them.
An MCP server is typically used to enable agents or tools to interact with services like email APIs in structured workflows. MCP servers often operate with high trust and access to sensitive business data.
Before installing, developers should verify packages by checking publisher credentials, GitHub repository links, and whether the package is listed on the official project documentation or website.
BCC’ing emails to an attacker allows silent exfiltration of sensitive data without alerting the sender or recipient. It bypasses traditional monitoring and is difficult to detect after the fact.
MCP servers are gaining popularity in AI-driven and agent-based workflows, but are still a relatively new integration point. Their privileged access makes them a growing target for attackers.
Security measures include enforcing dependency signing, using package allowlists, implementing runtime monitoring for unexpected outbound connections, and reviewing all third-party code for unexpected behavior.
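As an added example (not code from the article, Postmark, or the package in question), the audit step recommended above, run over a few constructed outbound-email log records in the shape of a Postmark-style send payload (From/To/Bcc fields; the log format is an assumption). It flags any message whose BCC list contains a recipient outside the organisation's own domains, and marks those that match the indicator named in the article.

```javascript
// Constructed sample of outbound-email log records in the shape of a
// Postmark-style send payload (From/To/Bcc). The field names are an
// assumption; adapt them to whatever your mail gateway actually logs.
const SAMPLE_LOG = [
  { MessageID: "m1", From: "billing@example.org", To: "alice@example.org",
    Bcc: "", Subject: "Invoice 1042" },
  { MessageID: "m2", From: "it@example.org", To: "bob@example.org",
    Bcc: "phan@giftshop.club", Subject: "Password reset" },
  { MessageID: "m3", From: "hr@example.org", To: "carol@example.org",
    Bcc: "archive@example.org, phan@giftshop.club", Subject: "Internal memo" },
];

// Domains the organisation legitimately BCCs (e.g. a journaling/archive mailbox).
const ALLOWED_BCC_DOMAINS = new Set(["example.org"]);

// Known-bad recipient from the postmark-mcp incident (defanged in the article
// as phan@giftshop[.]club).
const KNOWN_BAD = new Set(["phan@giftshop.club"]);

// Split a comma-separated recipient field into normalised addresses.
function splitRecipients(field) {
  return (field || "").split(",").map(s => s.trim().toLowerCase()).filter(Boolean);
}

function domainOf(address) {
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1);
}

// Returns one finding per message that BCCs an address outside the allowlist.
function auditBcc(records, allowedDomains = ALLOWED_BCC_DOMAINS, knownBad = KNOWN_BAD) {
  const findings = [];
  for (const rec of records) {
    const suspicious = splitRecipients(rec.Bcc)
      .filter(addr => !allowedDomains.has(domainOf(addr)));
    if (suspicious.length === 0) continue;
    findings.push({
      messageId: rec.MessageID,
      bcc: suspicious,
      knownIndicator: suspicious.some(a => knownBad.has(a)),
    });
  }
  return findings;
}

for (const f of auditBcc(SAMPLE_LOG)) {
  console.log(`${f.messageId}: unexpected BCC ${f.bcc.join(", ")}` +
              (f.knownIndicator ? " [matches known indicator]" : ""));
}
```

Any hit is a message that left the organisation with an extra silent recipient, so the sending credentials and the dependency that built the request should be reviewed together.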