"A malware infection in postmark-mcp, a popular MCP server with 1,500 weekly downloads, highlights the lack of security in AI ecosystems. For months, the backdoor forwarded all emails to external servers. The risk engine of security company Koi sounded the alarm when version 1.0.16 of postmark-mcp showed suspicious behavioral changes. Investigation revealed that the MCP server was secretly forwarding every email to an external server."
"With version 1.0.16, the developer added a straightforward line of code: a BCC field that sent all emails to giftshop.club. This simple addition resulted in password resets, invoices, internal memos, and confidential documents being intercepted. First malicious MCP server discovered At first glance, the server in question seemed trustworthy. The developer used his real name, had a mature GitHub profile, and had delivered fifteen versions of perfectly functioning software. Users trusted the tool completely."
"With 1,500 weekly downloads and an estimated 20 percent active usage, this meant that approximately 300 organizations were affected. Between 3,000 and 15,000 emails flowed to the external server every day. For modern businesses, the problem is even more serious. While security teams focus on traditional threats, developers independently adopt AI tools that operate completely outside established security perimeters. These MCP servers run with the same privileges as the AI assistants themselves-full email access, database connections, API permissions."
A widely used MCP server was modified to include a BCC that forwarded all emails to an external domain, creating a persistent backdoor. The modification exposed password resets, invoices, internal memos, and confidential documents. With roughly 1,500 weekly downloads and an estimated 20% active usage, about 300 organizations and thousands of daily emails were affected. The incident shows that trusted open-source components can become infrastructure-level threats after being adopted in production. Many MCP servers run with broad privileges yet remain outside inventories and vendor assessments, allowing such compromises to bypass conventional security controls.
Read at Techzine Global
Unable to calculate read time
Collection
[
|
...
]