First malicious MCP Server discovered, stealing data from AI-Powered email systems
Take action: If you're using the postmark-mcp package version 1.0.16 or later, uninstall it immediately: it has been secretly forwarding every email it handles to the attacker since September 2025. Rotate any passwords, API keys, or other sensitive credentials that may have been sent via email during this period. If you are considering using an MCP server, don't. They are extremely insecure and should not be trusted. If you do need them, implement a blocking security review of ANY AND ALL IMPLEMENTATIONS AND CHANGES.
Security researchers at Koi Security are reporting the first documented case of a malicious Model Context Protocol (MCP) server used in a supply chain attack targeting AI-powered development environments.
The attack was executed through postmark-mcp, a popular npm MCP server package that lets AI assistants manage email operations. It was downloaded over 1,500 times weekly and integrated into hundreds of developer workflows.
The attacker, an independent software engineer from Paris operating under the GitHub and npm username @phanpak, initially developed and maintained the completely legitimate MCP server for 15 versions over several months. The tool functioned flawlessly as advertised, enabling developers to integrate Postmark email services with their AI assistants for handling email operations like sorting, triaging, and finding key information from received messages.
After gaining the trust of a significant user base, the attacker introduced a single malicious line of code in version 1.0.16, released in September 2025. The malicious code added a blind carbon copy (BCC) field to every email processed through the MCP server. As a result, every email handled by an AI assistant using the compromised package was silently duplicated and sent to an external address controlled by the attacker: phan@giftshop.club. The malicious code was embedded within what appeared to be legitimate functionality, making it extremely difficult to detect through casual inspection.
The attack abuses the fundamental architecture of MCP servers, which are designed to operate with the same privileges as the AI assistants that use them. Unlike traditional software vulnerabilities that require sophisticated exploitation techniques, this attack needed no exploit at all: organizations willingly granted the MCP server complete access to their email. The AI assistants using the compromised tool had no way to detect the unauthorized BCC field and continued to process hundreds of email operations daily without any indication that data was being exfiltrated.
According to Koi Security's analysis, this supply chain attack is estimated to have affected approximately 300 organizations. Researchers arrived at this figure by estimating that roughly 20% of the package's 15,000 total downloads represented active installations, with each compromised organization potentially processing between 10 and 50 emails daily through its AI assistants.
This translates to an estimated 3,000 to 15,000 emails being automatically forwarded to the attacker's server every single day during the period when the malicious version was active. Types of sensitive data exposed through the email exfiltration include:
- Password reset notifications and authentication credentials
- Financial documents including invoices and payment information
- Internal company memos and confidential communications
- Customer correspondence containing personal information
- API keys and access tokens sent via email
- Business strategy documents and competitive intelligence
- Legal documents and contract negotiations
- Healthcare information and patient data
- Banking and financial transaction records
- Corporate directory information and employee details
The attacker used giftshop.club, which appeared to be one of the developer's legitimate side projects featuring a Paris-themed gift marketplace, as the command and control server for collecting stolen emails. This created an additional layer of legitimacy that would make the malicious traffic less suspicious to network monitoring systems, as communications appeared to be sent to a genuine e-commerce website rather than an obvious malicious domain.
When Koi Security researchers attempted to contact the developer for clarification about the malicious code, they received no response. The developer deleted the package from npm, presumably to cover their tracks and avoid further scrutiny. But removing a package from a repository does not remove it from systems where it has already been installed. All organizations that had downloaded and deployed postmark-mcp version 1.0.16 or later remained compromised and continued to exfiltrate emails even after the package disappeared from npm.
The incident represents a fundamental failure of the MCP ecosystem's security model. MCP servers operate without built-in security controls, sandboxing, or containment mechanisms. They execute with full permissions granted to the AI assistants that use them, creating a trust boundary that relies entirely on the good faith of anonymous developers. Organizations using MCP servers essentially hand complete control of their email systems, databases, API connections, and other sensitive resources to tools built by people they have never met and cannot verify.
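Because the MCP server runs with the assistant's full email privileges, the only control that does not depend on the package author's good faith is one that sits outside the package and inspects every outgoing message before it reaches the mail provider. The following recipient-policy guard is an added example written for this article, not code from the original report or from the postmark-mcp project. It assumes Postmark's send-email JSON shape, where `To`, `Cc` and `Bcc` are comma-separated address strings; the allowlist, the `sendFn` callback and the sample message are constructed for illustration.

```javascript
// Added example (not from the article or the postmark-mcp project): an
// egress guard that rejects any outgoing message whose recipients, hidden
// Bcc included, fall outside an allowlist of domains. Assumes Postmark-style
// "To"/"Cc"/"Bcc" fields as comma-separated address strings.

// Extract the lower-cased domain from one address, accepting both
// "user@example.com" and "Name <user@example.com>" forms.
function domainOf(address) {
  const bare = address.replace(/^.*<|>.*$/g, '').trim();
  const at = bare.lastIndexOf('@');
  return at > 0 ? bare.slice(at + 1).toLowerCase() : null;
}

// Split a comma-separated recipient field into individual addresses.
function splitRecipients(field) {
  if (!field) return [];
  return field.split(',').map((a) => a.trim()).filter(Boolean);
}

// Check every recipient, in To, Cc AND Bcc, against the allowed domains.
// Returns { ok, violations } so the caller can block the send and log why.
function checkRecipientPolicy(message, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  const violations = [];
  for (const field of ['To', 'Cc', 'Bcc']) {
    for (const addr of splitRecipients(message[field])) {
      const domain = domainOf(addr);
      if (!domain || !allowed.has(domain)) {
        violations.push({ field, address: addr });
      }
    }
  }
  return { ok: violations.length === 0, violations };
}

// Wrap a send function so that a message failing the policy never leaves.
// sendFn is a hypothetical callback that performs the real API call.
function guardedSend(sendFn, allowedDomains) {
  return function send(message) {
    const result = checkRecipientPolicy(message, allowedDomains);
    if (!result.ok) {
      const detail = result.violations
        .map((v) => `${v.field}: ${v.address}`)
        .join('; ');
      throw new Error(`recipient policy violation: ${detail}`);
    }
    return sendFn(message);
  };
}

// Constructed sample: a legitimate-looking message carrying a hidden Bcc
// to a domain outside the organisation (placeholder, not a real address).
const sampleMessage = {
  From: 'assistant@corp.example',
  To: 'alice@corp.example',
  Bcc: 'collector@attacker.invalid',
  Subject: 'Password reset',
};

// Stand-alone run: report what the guard would do with the sample message.
const verdict = checkRecipientPolicy(sampleMessage, ['corp.example']);
console.log(JSON.stringify(verdict));
```

The guard only helps if it runs where the untrusted package cannot reach it, for example in a small proxy in front of the Postmark API that holds the real API token, rather than as an in-process wrapper the package could bypass. Keeping the token out of the MCP server's environment is what turns the policy check into a real boundary.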
Organizations currently using postmark-mcp version 1.0.16 or later should immediately uninstall the package, rotate any credentials that may have been exposed through email during the compromise period, and audit their email logs for evidence of data exfiltration to giftshop.club.
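The response steps above amount to two checks that can be scripted: is an affected version of the package installed, and do the outbound mail records show any recipient at the attacker's domain. The audit helper below is an added example written for this article, not code from Koi Security or from the postmark-mcp project. It assumes an npm lockfile v2/v3 layout (installed packages listed under `packages`, keyed by `node_modules/<name>`) and outbound-mail logs as JSON lines whose `To`/`Cc`/`Bcc` fields are either Postmark-style comma-separated strings or arrays of `{ Email }` objects. The lockfile and log lines are constructed; only the package name, the first malicious version and the exfiltration address come from the report.

```javascript
// Added example (not from the article or the postmark-mcp project): audit
// helper for the two response steps, version check and mail-log review.
// Package name, affected version and exfiltration domain are from the report;
// the lockfile and log lines below are constructed sample inputs.

const AFFECTED_PACKAGE = 'postmark-mcp';
const FIRST_MALICIOUS_VERSION = '1.0.16';
const EXFIL_DOMAIN = 'giftshop.club';

// Compare dotted numeric versions: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const diff = (pa[i] || 0) - (pb[i] || 0);
    if (diff !== 0) return diff;
  }
  return 0;
}

// Installed version of the affected package from a parsed lockfile (v2/v3),
// or null if absent. Nested installs under another package are included.
function findInstalledVersion(lockfile) {
  const packages = lockfile.packages || {};
  for (const [path, entry] of Object.entries(packages)) {
    if (path === `node_modules/${AFFECTED_PACKAGE}` ||
        path.endsWith(`/node_modules/${AFFECTED_PACKAGE}`)) {
      return entry.version || null;
    }
  }
  return null;
}

function isAffected(version) {
  return version !== null && compareVersions(version, FIRST_MALICIOUS_VERSION) >= 0;
}

// Normalise a recipient field: comma-separated string or array of { Email }.
function recipientsOf(value) {
  if (!value) return [];
  if (Array.isArray(value)) return value.map((r) => (typeof r === 'string' ? r : r.Email || ''));
  return String(value).split(',').map((s) => s.trim());
}

// Domain part of one address, tolerating the "Name <user@host>" form.
function domainOf(address) {
  const bare = address.replace(/^.*<|>.*$/g, '').trim();
  const at = bare.lastIndexOf('@');
  return at > 0 ? bare.slice(at + 1).toLowerCase() : null;
}

// Scan JSON-lines mail logs; return records with any recipient at the
// exfiltration domain (To, Cc or Bcc). Malformed lines are skipped.
function findExfilRecords(logText) {
  const hits = [];
  for (const line of logText.split('\n')) {
    if (!line.trim()) continue;
    let rec;
    try { rec = JSON.parse(line); } catch (e) { continue; }
    for (const field of ['To', 'Cc', 'Bcc']) {
      if (recipientsOf(rec[field]).some((a) => domainOf(a) === EXFIL_DOMAIN)) {
        hits.push({ messageId: rec.MessageID, field, subject: rec.Subject });
        break;
      }
    }
  }
  return hits;
}

// Constructed sample inputs.
const sampleLockfile = {
  name: 'mail-assistant',
  lockfileVersion: 3,
  packages: {
    '': { name: 'mail-assistant', dependencies: { 'postmark-mcp': '^1.0.0' } },
    'node_modules/postmark-mcp': { version: '1.0.16' },
  },
};
const sampleLog = [
  JSON.stringify({ MessageID: 'msg-001', To: 'alice@corp.example', Bcc: 'phan@giftshop.club', Subject: 'Password reset' }),
  JSON.stringify({ MessageID: 'msg-002', To: 'bob@corp.example', Subject: 'Lunch' }),
  '{not valid json',
  JSON.stringify({ MessageID: 'msg-003', To: [{ Email: 'carol@corp.example' }], Bcc: [{ Email: 'phan@giftshop.club' }], Subject: 'Invoice 4711' }),
].join('\n');

function runAudit(lockfile, logText) {
  const version = findInstalledVersion(lockfile);
  return { version, affected: isAffected(version), exfilRecords: findExfilRecords(logText) };
}

console.log(JSON.stringify(runAudit(sampleLockfile, sampleLog), null, 2));
```

On a real system, feed `runAudit` the parsed `package-lock.json` of each project that runs the assistant and the exported outbound-message records for the compromise window; every record it returns identifies a message whose contents, and any credentials inside it, should be treated as exposed and rotated.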