Category: Cybersecurity

Discovery of Malicious MCP Server

A malicious Model-Context-Prompt (MCP) server has been identified in the wild through a compromised npm package known as postmark-mcp. The package has been exfiltrating sensitive email data.

The postmark-mcp package, downloaded approximately 1,500 times weekly, included a backdoor that replicated each processed email to an attacker-controlled server, representing a new threat vector in AI software supply chains.

Technical Details

Security analysis by Koi revealed that the postmark-mcp was initially designed to function as an MCP server integrated with Postmark, facilitating automated email tasks for AI assistants.

For its first 15 versions, the package operated as intended, gaining trust. However, version 1.0.16 introduced a malicious line of code, adding a Bcc field to send email copies to a specific address.

Compromised data included password resets, invoices, and confidential communications. The attacker impersonated a legitimate developer by copying code from an authentic GitHub repository and adding a backdoor.

Security Implications

The attack, detected by Koi’s risk engine for its simplicity, exploited trust in the open-source ecosystem rather than using zero-day vulnerabilities.

MCP servers, with high-level permissions, allow AI tools to perform tasks autonomously, posing security risks as they bypass traditional security measures like DLP systems and email gateways.

The breach potentially affected up to 15,000 emails daily from around 300 organizations.

Response and Mitigation

After notification, the developer removed the package from npm, but systems with version 1.0.16 or later remain at risk. Users must uninstall postmark-mcp and secure any exposed credentials.

Indicators of Compromise (IOCs) and Mitigation Steps

• Package: postmark-mcp (npm)
• Malicious Version: 1.0.16 and later
• Backdoor Email: phan@giftshop[.]club
• Domain: giftshop[.]club

Users should uninstall the package and change any sensitive information potentially exposed via email. This incident underscores the necessity for stringent verification and monitoring of AI tools in organizational ecosystems.