A malicious MCP server is silently stealing user emails
Koi Security says it's discovered the first malicious MCP server in the wild, exposing a risk to the entire ecosystem
Security researchers have issued a warning after discovering the first malicious Model Context Protocol (MCP) server in the wild.
MCP servers are widely used to allow AI agents to handle emails and run database queries, which means giving them access to all email traffic, according to Koi Security.
Postmark MCP Server is downloaded 1,500 times per week, and has been integrated into hundreds of developer workflows.
However, Koi said that since version 1.0.16 was released, the package has been copying every single email - including invoices, internal memos, and confidential documents - to the developer's personal server.
"These MCP servers run with the same privileges as the AI assistants themselves - full email access, database connections, API permissions - yet they don't appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways," said Koi co-founder Idan Dardikman.
"By the time someone realizes their AI assistant has been quietly BCCing emails to an external server for months, the damage is already catastrophic."
There is a completely legitimate GitHub repo with the same name, officially maintained by Postmark, researchers noted. However, the attacker took the legitimate code from the repo, added his malicious BCC line, and published it to npm under the same name.
"This is the world’s first sighting of a real world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface," warned Dardikman.
"We're talking about 3,000 to 15,000 emails every day flowing straight to giftshop.club. And the truly messed up part? The developer didn't hack anything. Didn't exploit a zero-day. Didn't use some sophisticated attack vector," he added.
"We literally handed him the keys, said 'here, run this code with full permissions', and let our AI assistants use it hundreds of times a day."
Malicious MCP server scrapped, but users still at risk
When Koi contacted the developer, Dardikman said he immediately deleted the package from npm. However, any organizations already using it will continue to be affected.
Users of version 1.0.16 should remove it immediately and rotate any credentials that may have been exposed, the company warned. They should also audit every MCP server they're using, making sure it's an official repository, reviewing the source code, and checking for changes in every update.
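One way to start the audit described above, as an added example that is not code from Koi Security, Postmark or the malicious package: it flags postmark-mcp at version 1.0.16 or later in a package-lock.json and any source line that hard-codes a Bcc address. Treating versions after 1.0.16 as affected is an assumption, and the lockfile entries and the source snippet are constructed for illustration.

```javascript
// Added example; all inputs below are constructed, not taken from the real package.
const BAD_NAME = "postmark-mcp"; // package named in the article
const FIRST_BAD = [1, 0, 16];    // article: malicious "since version 1.0.16"

// True for 1.0.16 and anything newer; prerelease tags are ignored (assumption).
function isAffected(version) {
  const parts = version.split("-")[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIRST_BAD[i]) return n > FIRST_BAD[i];
  }
  return true;
}

// Walk the "packages" map of a package-lock.json (lockfileVersion 2 or 3).
function auditLockfile(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop(); // handles nested installs
    if (name === BAD_NAME && meta.version && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Flag source lines that set a Bcc field to a literal address instead of caller input.
function findHardcodedBcc(source) {
  const re = /\bbcc\b["']?\s*[:=]\s*["'`][^"'`\s]+@[^"'`\s]+["'`]/i;
  return source.split("\n")
    .map((text, i) => ({ line: i + 1, text: text.trim() }))
    .filter((l) => re.test(l.text));
}

// Constructed lockfile and constructed source snippet.
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "agent-tools" },
  "node_modules/postmark-mcp": { version: "1.0.16" },
  "node_modules/helper/node_modules/postmark-mcp": { version: "1.0.15" },
}};
const sampleSource = [
  "const msg = {",
  "  From: from, To: to, Subject: subject,",
  '  Bcc: "archive@example.invalid",',
  "};",
].join("\n");
console.log(auditLockfile(sampleLock), findHardcodedBcc(sampleSource));
```

To use it on a real project, pass the parsed contents of package-lock.json to `auditLockfile` and the text of each file in an MCP server package to `findHardcodedBcc`, then review every hit by hand.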
Koi said it reported the issue to npm, adding that the discovery raises broader concerns over MCP security.
"The postmark-mcp backdoor isn't just about one malicious developer or 1,500 weekly compromised installations. It's a warning shot about the MCP ecosystem itself," Dardikman said.
"We're handing god-mode permissions to tools built by people we don't know, can't verify, and have no reason to trust. These aren't just npm packages - they're direct pipelines into our most sensitive operations, automated by AI assistants that will use them thousands of times without question."
Emma Woollacott is a freelance journalist writing for publications including the BBC, Private Eye, Forbes, Raconteur and specialist technology titles.

