Developers have long placed their trust in tools that allow AI assistants to handle routine tasks—ranging from sending emails to managing databases. Yet that trust has proven a vulnerability: beginning with version 1.0.16, the package postmark-mcp—downloaded more than 1,500 times each week—quietly forwarded copies of every email to an external server controlled by its author. At risk were companies’ internal correspondence, invoices, passwords, and sensitive documents.
This incident was the first to demonstrate that MCP servers can function as a fully-fledged supply chain attack vector. Researchers at Koi Security detected the issue when their monitoring system flagged a sudden change in the package’s behavior. Upon inspection, they found that the developer had inserted a single line of code that automatically added a hidden BCC address, redirecting all outgoing emails to giftshop.club. Until then, fifteen earlier releases had operated flawlessly, and the tool had already become embedded in the workflows of hundreds of organizations.
The danger was amplified by the apparent credibility of the author: a transparent GitHub profile, verifiable personal information, and an active history of open-source projects. For months, users had no reason to question the tool’s safety. But one update transformed a trusted utility into a covert exfiltration mechanism. A classic impersonation tactic was at play: npm hosted a clone of the legitimate Postmark repository, altered only by the addition of the forwarding line.
Estimating the full extent of the damage is difficult, but preliminary estimates suggest that hundreds of organizations may have inadvertently sent thousands of emails per day to the rogue server. No exploits or sophisticated techniques were required—the administrators themselves had already granted AI assistants unrestricted access, allowing the malicious server to operate unhindered.
MCP tools effectively possess “god-mode” privileges: they can send emails, access databases, execute commands, and issue API calls. Yet they undergo neither security audits nor supplier verification, and remain absent from asset inventories. In corporate defense strategies, such modules are practically invisible.
The attack model was deceptively simple: first, build a genuinely useful product; next, introduce a minimal theft mechanism in a later update; finally, conduct silent data collection. When researchers attempted to contact the developer, he offered no response and soon deleted the package from npm. But deletion does not resolve the threat—previously installed versions continue to function and forward mail. This means that many organizations remain compromised without realizing it.
The episode exposes a fundamental flaw in the MCP architecture. Unlike ordinary packages, these are designed specifically for autonomous AI use. Machines cannot recognize malicious intent: to them, sending emails with an additional recipient looks like a task completed successfully. Thus, a simple backdoor can persist undetected until someone happens upon it.
Koi Security recommends removing postmark-mcp v1.0.16 and above, rotating all credentials that may have been exposed via email, and reviewing logs for signs of forwarding to giftshop.club. More broadly, they urge organizations to reassess their reliance on MCP servers altogether: without independent verification, such tools risk becoming a primary vector for enterprise compromise.
Indicators of compromise include:
- Package: postmark-mcp v1.0.16 and later
- Email: phan@giftshop[.]club
- Domain: giftshop[.]club
Verification can be performed by analyzing email headers for hidden BCC entries, auditing MCP configurations, and reviewing npm installations.
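As an added example (not from the article, from Koi Security, or from the postmark-mcp project), the following Python check looks for the two indicators the article names: a To/Cc/Bcc recipient on giftshop.club in captured message headers, and a postmark-mcp entry at or above 1.0.16 in a package-lock.json. The sample message and lockfile are constructed; note that a Bcc header only survives in the copy that was submitted (sent items, an API request log), not in the message the primary recipient received.

```python
import email
import json
from email.utils import getaddresses

# Indicators taken from the article; the sample inputs below are constructed.
ROGUE_DOMAIN = "giftshop.club"
AFFECTED_PACKAGE = "postmark-mcp"
FIRST_BAD_VERSION = (1, 0, 16)

def parse_version(version: str) -> tuple:
    """'1.0.16' -> (1, 0, 16); any pre-release suffix after '-' is ignored."""
    return tuple(int(part) for part in version.split("-")[0].split("."))

def rogue_recipients(raw_message: bytes) -> list:
    """Return every To/Cc/Bcc address on the rogue domain in a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_message)
    hits = []
    for header in ("To", "Cc", "Bcc"):
        for _name, addr in getaddresses(msg.get_all(header, [])):
            if addr.lower().rsplit("@", 1)[-1] == ROGUE_DOMAIN:
                hits.append(addr)
    return hits

def affected_installs(lockfile_text: str) -> list:
    """Return 'path@version' for each postmark-mcp entry at or above 1.0.16
    in a package-lock.json (lockfileVersion 1, 2 or 3)."""
    lock = json.loads(lockfile_text)
    found = []
    # lockfileVersion 2/3: keys are install paths such as node_modules/postmark-mcp
    for path, meta in lock.get("packages", {}).items():
        if path.split("node_modules/")[-1] == AFFECTED_PACKAGE:
            if parse_version(meta.get("version", "0.0.0")) >= FIRST_BAD_VERSION:
                found.append(f"{path}@{meta['version']}")
    # lockfileVersion 1: top-level dependencies keyed by package name
    for name, meta in lock.get("dependencies", {}).items():
        if name == AFFECTED_PACKAGE and parse_version(meta["version"]) >= FIRST_BAD_VERSION:
            found.append(f"{name}@{meta['version']}")
    return found

# Constructed sample inputs: one submitted message copy and one lockfile.
SAMPLE_MESSAGE = (b"From: billing@example.com\r\nTo: customer@example.org\r\n"
                  b"Bcc: phan@giftshop.club\r\nSubject: Invoice 1042\r\n\r\nSee attached.\r\n")
SAMPLE_LOCK = json.dumps({"lockfileVersion": 3, "packages": {
    "": {"name": "mail-agent"},
    "node_modules/postmark-mcp": {"version": "1.0.16"}}})

if __name__ == "__main__":
    print("rogue recipients:", rogue_recipients(SAMPLE_MESSAGE))
    print("affected installs:", affected_installs(SAMPLE_LOCK))
```

Point `rogue_recipients` at exported sent-item or API-log copies and `affected_installs` at each project's package-lock.json; a non-empty result from either is the signal the article's remediation steps (removal, credential rotation) are meant to follow.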