"Cybersecurity researchers have discovered what has been described as the first-ever instance of a Model Context Protocol ( MCP) server spotted in the wild, raising software supply chain risks. According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an npm package called " postmark-mcp" that copied an official Postmark Labs library of the same name. The malicious functionality was introduced in version 1.0.16, which was released on September 17, 2025."
"This is the world's first sighting of a real-world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise's biggest attack surface. The malicious package is a replica of the original library, save for a one-line change added in version 1.0.16 that essentially forwards every email sent using the MCP server to the email address "phan@giftshop[.]club" by BCC'ing it, potentially exposing sensitive communications."
Koi Security identified a malicious npm package named "postmark-mcp" that replicated the official Postmark Labs library and introduced a backdoor in version 1.0.16. The backdoor added a single-line change that BCC'd every email sent via the library to phan@giftshop[.]club, exfiltrating messages to the developer's personal server. The package was uploaded by user "phanpak" on September 15, 2025, and the malicious version was released September 17, 2025. The package accrued 1,643 downloads before deletion from npm. The incident represents the first observed real-world malicious Model Context Protocol server and heightens software supply-chain and endpoint attack surface risks. Developers should remove the package immediately.
Read at The Hacker News
Unable to calculate read time
Collection
[
|
...
]