A popular Model Context Protocol (MCP) server used to deploy AI agents has turned malicious in one of its latest updates, according to Koi Security.
This engine, called Postmark MCP Server, has reached over 1500 weekly downloads on npm, a package manager for the JavaScript programming language, and has been integrated into hundreds of developer workflows.
MCP is an open standard which was introduced in November 2024 by Anthropic, the maker of several generative AI models and the AI chatbot Claude.
The MCP servers are used to manage and leverage contextual information within a model’s operation. One of the most popular use cases for MCP servers sees AI agents handle emails (e.g. sort and triage emails, find key information from received emails).
To do that, a software developer needs to install an MCP server and grant it access to their emails.
According to a Koi Security report, Postmark MCP Server was created by an independent software engineer from Paris, known on GitHub and NPM as @phanpak.
The npm package created by @phanpak worked as an MCP implementation for Postmark email services.
However, the Koi Security report, published on September 25, claimed that while this server was doing what it claimed to be doing – and only that – for the first fifteen versions, suspicious behavior changes were introduced when the developer released version 1.0.16.
Since this version, Postmark MCP Server been “quietly copying every email to the developer’s personal server,” the Koi Security researchers argued.
This could be the first case of a malicious MCP server found in the wild, argued the researchers.
This malicious Postmark MCP server is distinct from another project with the same name, created by Jabal Torres, a technical marketing designer at Postmark.
Malicious MCP Servers: Simple Attack, Large Impact
The malicious command was in line 231 of Postmark MCP Server v1.0.16.
Idan Dardikman, author of the Koi Security report, said that this command allows the MCP server to reset passwords, grants it access to all emails, including invoices, internal memos and confidential documents.
These are sent to a server linked to giftshop.club, which displays a marketplace for Paris-themed gifts.
This site could be another one of the developer’s side projects, Dardikman noted in the report, but it was used as the C2 server for the attack.
“And the truly messed up part? The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple. The developer didn’t hack anything. Didn’t exploit a zero-day. Didn’t use some sophisticated attack vector. We literally handed him the keys, said ‘here, run this code with full permissions,’ and let our AI assistants use it hundreds of times a day. We did this to ourselves,” the researcher wrote.
Speaking to Infosecurity, Dardikman stated that the developer behind the malicious Postmark MCP Server did not respond to their request for comment.
Instead, they “promptly deleted the malicious package from npm, probably to try and cover [their] tracks.”
“We saved all the evidence we need in advance,” confirmed the researcher.
However, he emphasized that the attack was still active for users who already installed the malicious package.
“The removal from npm does not remove it from the clients,” he explained.
The researcher also argued that the malicious change may have impacted 300 organizations, estimating that approximately 20% of the 15,000 users who downloaded this Postmark MCP Server were actively using it.
This would mean that between 3000 and 15,000 emails were being sent to the developer’s own server every day, Dardikman added.
“If you’re using postmark-mcp version 1.0.16 or later, you’re compromised. Remove it immediately and rotate any credentials that may have been exposed through email,” he recommended.
MCP Ecosystem Systemic Vulnerability
Beyond this specific malicious MCP server, the Koi Security researchers warned that the entire MCP ecosystem is fundamentally flawed.
The researchers emphasized that this issue highlights a systemic vulnerability: organizations are granting powerful, automated access to tools built by unknown and unverified developers.
Because MCP lacks a built-in security model, malicious behavior can persist undetected for long periods, they argued.
The individual behind the handle @phanpak was contacted by Infosecurity but did not respond to request for comment.
