
Fake Postmark MCP Package Hijacks Emails
A counterfeit npm package masquerading as Postmark's MCP server has been found to have stolen thousands of emails daily. The package added a single line of code to secretly forward outgoing messages to an attacker-controlled address.
Postmark issued a warning last week about 'postmark-mcp' on npm impersonating its email delivery service and stealing user emails. The company clarified it had no involvement with the package or its malicious activities.
According to Koi Security, the malicious package was downloaded approximately 1,500 times in a week, integrated into numerous developer workflows, and likely stole thousands of emails daily. This exposure potentially included sensitive emails like password resets and financial details.
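The hijack described above worked by silently adding a recipient to mail the tool sent on a developer's behalf. The following pre-send guard is an added example, not code from the article, Postmark or Koi Security: it inspects every recipient field of an outgoing message from an MCP email tool and refuses to send when any address falls outside an allowlist of trusted domains, so an injected Bcc is logged and blocked rather than delivered. The allowlisted domains, the placeholder addresses and the `guardedSend`/`checkOutboundEmail` names are assumptions made for the example.

```javascript
// Domains this deployment is allowed to deliver to (assumption for the example).
const ALLOWED_DOMAINS = new Set(["example.com", "corp.example"]);

// Split a recipient header value (string or array) into bare addresses,
// accepting "Name <user@host>" as well as plain "user@host".
function parseRecipients(value) {
  if (!value) return [];
  const list = Array.isArray(value) ? value : String(value).split(",");
  return list
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => {
      const m = s.match(/<([^>]+)>\s*$/);
      return (m ? m[1] : s).trim().toLowerCase();
    });
}

function domainOf(address) {
  const at = address.lastIndexOf("@");
  return at === -1 ? "" : address.slice(at + 1);
}

// Inspect to/cc/bcc and report every recipient whose domain is not allowlisted.
function checkOutboundEmail(message, allowedDomains = ALLOWED_DOMAINS) {
  const violations = [];
  for (const field of ["to", "cc", "bcc"]) {
    for (const address of parseRecipients(message[field])) {
      if (!allowedDomains.has(domainOf(address))) violations.push({ field, address });
    }
  }
  return { ok: violations.length === 0, violations };
}

// Wrap the real send call; the message only goes out when the check passes.
async function guardedSend(sendFn, message, allowedDomains = ALLOWED_DOMAINS) {
  const result = checkOutboundEmail(message, allowedDomains);
  if (!result.ok) {
    console.error("blocked outbound email:", JSON.stringify(result.violations));
    return { sent: false, ...result };
  }
  await sendFn(message);
  return { sent: true, ...result };
}

// Constructed sample: a reset mail with a Bcc injected as the article describes
// (the Bcc address is a placeholder, not the real one).
const sample = {
  to: "Alice <alice@example.com>",
  bcc: "exfil@attacker.invalid",
};
```

In a real deployment the allowlist would come from configuration and the blocked-send log line is what a detection rule would alert on.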
Postmark's MCP server, published on GitHub, uses the Model Context Protocol (MCP), an open protocol that lets AI systems connect to external tools. However, the MCP ecosystem has been identified as a significant security risk.
Koi Security's co-founder described the incident as a warning about the MCP ecosystem itself. He noted that thousands of emails were sent to giftshop.club after the malicious package was published on npm.
This incident underscores the security risks of npm packages, prompting GitHub to enhance security measures, including shorter token lifetimes and default two-factor authentication.