Tag: malicious package

First-Ever MCP Supply Chain Attack: Malicious Package Steals Emails by Adding Hidden BCC
Developers have long placed their trust in tools that allow AI assistants to handle routine tasks—ranging from sending emails to managing databases. Yet that trust has proven a vulnerability: beginning with version 1.0.16, the package postmark-mcp—downloaded more than 1,500 times each week—quietly forwarded copies of every email to an external server controlled by its author.…

PyPI Package Exposed: Fortinet Warns of Discord Data Theft
Cybersecurity experts from Fortinet have identified a new malicious package in the PyPI registry for developers, aimed at stealing user data from Discord. The package, named “discordpy_bypass-1.7,” was published on March 10, 2024, and detected two days later. Developed by a user known as “Theaos,” the package comprises seven versions with similar characteristics. Its primary…