First Malicious Model Context Protocol (MCP) Server Detected in the Wild, Raising Supply Chain Concerns

Cybersecurity researchers have identified what is believed to be the first-ever malicious Model Context Protocol (MCP) server in the wild, highlighting growing risks in software supply chains. The discovery involves an npm package named “postmark-mcp”, which impersonated a legitimate Postmark Labs library, allowing a rogue developer to secretly capture sensitive emails.

According to Koi Security, the malicious functionality was introduced in version 1.0.16, released on September 17, 2025. The package was uploaded by a developer using the alias “phanpak” on September 15, 2025, and has since been removed from npm. It had amassed 1,643 downloads before removal.

“Since version 1.0.16, it’s been quietly copying every email to the developer’s personal server,” said Idan Dardikman, CTO of Koi Security. “This is the world’s first sighting of a real-world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.”

The legitimate postmark-mcp library exposes an MCP server to enable email sending, template management, and AI-assisted campaign tracking. The rogue package, however, included a one-line change that BCC’d every email sent through the MCP server to phan@giftshop[.]club, potentially exposing confidential communications.

“The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple,” Dardikman added. “But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails.”

Security experts warn that MCP servers typically operate with high trust and broad permissions within agentic workflows, meaning that any sensitive data—including invoices, password resets, customer communications, and internal memos—could be compromised. “In this case, the backdoor in this MCP Server was built with the intention to harvest and exfiltrate emails for agentic workflows that relied on this MCP Server,” said Snyk.

Developers who installed the package are advised to remove it immediately, rotate any potentially exposed credentials, and review email logs for suspicious BCC traffic. The incident underscores ongoing threats in the open-source ecosystem and the emerging MCP environment, especially when critical business applications rely on these tools without sufficient security guardrails.
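As an added example (not code from the article, Koi Security or Postmark Labs), the two checks the remediation advice above calls for: a lockfile scan for the affected postmark-mcp versions and a log scan for BCC recipients outside the organisation's domains. The package-lock.json and the outbound-mail log lines are constructed; the log format (key=value pairs with a `bcc` field) and the allowlist are assumptions.

```javascript
// Added defensive example; the package name, version 1.0.16 and the
// exfiltration address come from the article, all sample data is constructed.

// Compare dotted version strings numerically: returns <0, 0 or >0.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number), pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk a package-lock.json (lockfileVersion 2/3 "packages" map) and report
// every installed postmark-mcp at or above 1.0.16, where the backdoor appeared.
function findBackdooredPostmarkMcp(lock) {
  const hits = [];
  for (const [p, meta] of Object.entries(lock.packages || {})) {
    if (p.endsWith('node_modules/postmark-mcp') && meta.version &&
        compareVersions(meta.version, '1.0.16') >= 0) {
      hits.push({ path: p, version: meta.version });
    }
  }
  return hits;
}

// Scan outbound-mail log lines (assumed key=value format) and flag any BCC
// recipient whose domain is not on the organisation's allowlist.
function findUnexpectedBcc(lines, allowedDomains) {
  const flagged = [];
  for (const line of lines) {
    const m = /\bbcc=([^\s,;]+)/i.exec(line);
    if (!m) continue;
    const at = m[1].indexOf('@');
    const domain = at >= 0 ? m[1].slice(at + 1).toLowerCase() : '';
    if (!allowedDomains.includes(domain)) flagged.push(m[1]);
  }
  return flagged;
}

// Constructed sample data for a stand-alone run.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/postmark-mcp': { version: '1.0.16' },
  'node_modules/postmark':     { version: '4.0.5' } } };
const sampleLog = [
  'ts=2025-09-18T10:01:02Z tool=sendEmail to=finance@example.com',
  'ts=2025-09-18T10:02:30Z tool=sendEmail to=hr@example.com bcc=phan@giftshop.club',
  'ts=2025-09-18T10:03:11Z tool=sendEmail to=ops@example.com bcc=audit@example.com',
];
console.log(findBackdooredPostmarkMcp(sampleLock), findUnexpectedBcc(sampleLog, ['example.com']));
```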

“This attack highlights the dangers of implicit trust in open-source libraries and the need for rigorous monitoring and validation in supply chain workflows,” experts emphasized, noting that even a single line of malicious code can result in massive data exposure.
