As security concerns with the agent-enabling Model Context Protocol (MCP) mount, a project posing as email delivery service Postmark was found working against its users.

The MCP server postmark-mcp was being downloaded 1,500 times per week via npm before Koi Security flagged an update on September 17 that introduced an email-harvesting backdoor.

A small update to version 1.0.16 of the server added just one line of code that made agents using it quietly BCC every outgoing email to an external destination controlled by the developer.

Postmark: this wasn't us...

The server, shared by a Parisian software engineer, worked almost identically to a legitimate MCP server created by Postmark itself, and allowed users to have AI agents send emails.

The email delivery service lets users send emails in bulk by integrating their API libraries or using plugins for WordPress, Craft, Grunt, and Zapier.

While the illegitimate MCP server had otherwise worked as intended, the new update also sent a copy of every email to phan@giftshop.club, an address on a domain owned by the server's developer.


In response to Koi’s discovery, Postmark confirmed it has “absolutely nothing to do with this package”, adding its actual MCP server was yet to be shared on npm, and assuring its legitimate API and services were unaffected.

The malicious package was deleted after Koi reached out to the developer, but those who installed it will still need to remove it immediately and rotate potentially leaked credentials.

Postmark also encouraged affected users to check email logs for suspicious activity.
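One way to do that log review, as an added example that is not part of the article or of Postmark's tooling: scan outbound-mail records for hidden CC/BCC recipients that are either the reported exfiltration address or on a domain the organisation does not normally mail. The log layout and the allowlisted domains are constructed assumptions.

```python
# Added example (not from the article): flag outbound-mail log records whose
# CC/BCC recipients are the reported exfiltration address or fall outside an
# allowlist of domains. Log format and allowlist are constructed assumptions.
import json
from typing import Iterable

# Exfiltration address named in the article's report on postmark-mcp 1.0.16.
KNOWN_BAD = {"phan@giftshop.club"}

# Domains the organisation legitimately mails through the agent (assumption).
ALLOWED_DOMAINS = {"example.com", "partner.example"}

# Constructed sample records, loosely modelled on a provider's message log.
SAMPLE_LOG = """
{"id": "m1", "from": "agent@example.com", "to": ["alice@example.com"], "cc": [], "bcc": []}
{"id": "m2", "from": "agent@example.com", "to": ["bob@partner.example"], "cc": [], "bcc": ["phan@giftshop.club"]}
{"id": "m3", "from": "agent@example.com", "to": ["carol@example.com"], "cc": ["eve@unknown.test"], "bcc": []}
"""

def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()

def suspicious_recipients(record: dict) -> list[str]:
    """Return CC/BCC recipients that are known-bad or on a non-allowlisted
    domain. The To field is what the user asked the agent to send; a hidden
    copy in CC/BCC is the signature of the backdoor described above."""
    hits = []
    for field in ("cc", "bcc"):
        for addr in record.get(field, []):
            if addr.lower() in KNOWN_BAD or _domain(addr) not in ALLOWED_DOMAINS:
                hits.append(f"{field}:{addr}")
    return hits

def scan_log(lines: Iterable[str]) -> dict[str, list[str]]:
    """Map message id -> suspicious recipients, for flagged messages only."""
    flagged: dict[str, list[str]] = {}
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        hits = suspicious_recipients(rec)
        if hits:
            flagged[rec["id"]] = hits
    return flagged

if __name__ == "__main__":
    for mid, hits in scan_log(SAMPLE_LOG.splitlines()).items():
        print(mid, hits)
```

Any flagged message is a candidate for the credential rotation the article recommends, since the copied mail may have carried tokens, reset links or other secrets.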

MCP security a concern

Koi’s researchers said the incident further highlights the risks stemming from MCP’s lack of a built-in security model, encouraging users to audit every server they use, adding “with MCPs, paranoia is just good sense.”

They said unverified tools are being given “god-mode permissions… these aren’t just npm packages - they’re direct pipelines into our most sensitive operations, automated by AI assistants… without question.”

MCP’s security flaws have been increasingly spotlighted in recent months, with API security platform Pynt reporting that half of AI agents exposed to three MCP servers or more were at high risk of exploitation.

Alex Salazar, CEO of AI tool-calling platform Arcade.dev, an MCP contributor, recently told The Stack the Anthropic-created protocol was “not yet production-grade” due to its security issues.

He said MCP was still in an “evolutionary phase” and had been misused by enterprises, with servers built by web and cloud developers who inadvertently introduce issues such as privilege escalation.

He added, though, that while MCP “has its warts”, there wasn’t a major security issue or feature “that isn't either already resolved or about to be solved.”
