🤖 AI Summary
Koi security researchers discovered the first real-world malicious MCP (model-connected plugin) in the wild: the npm package postmark-mcp. Starting with version 1.0.16, the package, downloaded ~1,500 times per week and widely integrated into developer workflows, silently BCC'd every outgoing email to phan@giftshop[.]club. The attacker copied the legitimate Postmark repo, published an impersonating package under the same name, and added a single-line backdoor that turned a trusted utility into an email-exfiltration pipeline. The package was later removed from npm, but installed copies remain active on victim systems.
This incident is a warning about MCP supply-chain risk: these plugins run with “god-mode” permissions (send-as, DB access, API calls) and are used autonomously by AI assistants, so a tiny malicious change can leak passwords, invoices, API keys, and sensitive internal messages at scale (Koi estimates thousands of emails/day). Koi’s behavioral risk engine flagged the BCC change — something traditional tooling would likely miss. Immediate actions: audit for postmark-mcp v1.0.16+, check email logs for BCCs to giftshop[.]club, uninstall the package, rotate exposed credentials, and deploy supply-chain controls (package approval, continuous monitoring, and blocking of tools that touch sensitive operations).
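A defender-side check for the two audit steps above (affected package version, and mail-log BCCs to the exfiltration domain), added here as an example rather than Koi's tooling or the postmark-mcp project's code; the lockfile layout and the mail-log line format are constructed assumptions:

```javascript
// Added example (not Koi's tooling or the postmark-mcp project's code): audit a
// package-lock.json for postmark-mcp at or above 1.0.16 and scan mail log lines
// for BCC headers aimed at the giftshop[.]club domain named in the report.
const SUSPECT_PKG = "postmark-mcp";
const FIRST_BAD_VERSION = "1.0.16";
const EXFIL_DOMAIN = "giftshop.club";

// Compare dotted numeric versions (no prerelease handling): -1, 0 or 1.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const x = pa[i] || 0, y = pb[i] || 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of a lockfileVersion 2/3 file, including nested
// node_modules, and return every install in the backdoored version range.
function findAffectedInstalls(lockfile) {
  const hits = [];
  for (const [path, info] of Object.entries(lockfile.packages || {})) {
    const name = info.name || path.split("node_modules/").pop();
    if (name === SUSPECT_PKG && info.version &&
        compareVersions(info.version, FIRST_BAD_VERSION) >= 0) {
      hits.push({ path, version: info.version });
    }
  }
  return hits;
}

// Return log lines whose bcc field carries any address at the exfil domain.
function findExfilBccs(logLines) {
  const re = new RegExp("\\bbcc\\s*[:=]\\s*\\S*@" + EXFIL_DOMAIN.replace(".", "\\.") + "\\b", "i");
  return logLines.filter((line) => re.test(line));
}

// Constructed sample input (hypothetical, not real telemetry).
const sampleLock = { lockfileVersion: 3, packages: {
  "": { name: "my-app", version: "0.1.0" },
  "node_modules/postmark-mcp": { version: "1.0.16" },
  "node_modules/legacy-tool/node_modules/postmark-mcp": { version: "1.0.15" },
} };
const sampleLog = [
  "2025-09-25T10:01:02Z mta to=billing@example.com subject=Invoice",
  "2025-09-25T10:01:02Z mta to=billing@example.com bcc=phan@giftshop.club",
  "2025-09-25T10:05:00Z mta to=ops@example.com bcc=audit@example.com",
];
console.log(findAffectedInstalls(sampleLock), findExfilBccs(sampleLog));
```

Point it at a real package-lock.json and your MTA or Postmark delivery logs; any hit means the package should be uninstalled and the credentials it could see rotated.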