Cybersecurity researchers have discovered what has been described as the first-ever instance of a malicious Model Context Protocol (MCP) server spotted in the wild, raising software supply chain risks.
According to Koi Security, a legitimate-looking developer managed to slip in rogue code within an npm package called “postmark-mcp” that copied an official Postmark Labs library of the same name. The malicious functionality was introduced in version 1.0.16, which was released on September 17, 2025.
The actual “postmark-mcp” library, available on GitHub, exposes an MCP server to allow users to send emails, access and use email templates, and track campaigns using artificial intelligence (AI) assistants.
The npm package in question has since been deleted from npm by the developer “phanpak,” who uploaded it to the repository on September 15, 2025, and maintains 31 other packages. The JavaScript library attracted a total of 1,643 downloads.
“Since version 1.0.16, it’s been quietly copying every email to the developer’s personal server,” Koi Security Chief Technology Officer Idan Dardikman said. “This is the world’s first sighting of a real-world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.”
The malicious package is a replica of the original library, save for a one-line change added in version 1.0.16 that essentially forwards every email sent using the MCP server to the email address “phan@giftshop[.]club” by BCC’ing it, potentially exposing sensitive communications.
“The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple,” Dardikman said. “But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails.”
Developers who have installed the npm package are recommended to immediately remove it from their workflows, rotate any credentials that may have been exposed through email, and review email logs for BCC traffic to the reported domain.
“MCP servers typically run with high trust and broad permissions inside agent toolchains. As such, any data they handle can be sensitive (password resets, invoices, customer communications, internal memos, etc.),” Snyk said. “In this case, the backdoor in this MCP Server was built with the intention to harvest and exfiltrate emails for agentic workflows that relied on this MCP Server.”
The findings illustrate how threat actors continue to abuse the user trust associated with the open-source ecosystem and the nascent MCP ecosystem to their advantage, especially when they are rolled out in business critical environments without adequate guardrails.
