Diagram showing postmark-mcp npm package with hidden BCC line sending emails to attacker server giftshop.club, AI assistant icon granting full email/database access, Koi risk engine detecting anomaly, and warning signs for compromised organizations.

A malicious MCP server, postmark-mcp, has been exposed for secretly exfiltrating emails from enterprises using AI assistants. These tools grant "god-mode" access for tasks like sending emails and querying databases, but versions 1.0.0–1.0.15 of postmark-mcp built trust with 1,500 weekly downloads. Then, v1.0.16 slipped in a hidden BCC on line 231, copying all outbound emails—password resets, invoices, memos—to attacker-controlled giftshop.club, impersonating legitimate Postmark integration.

Diagram showing postmark-mcp npm package with hidden BCC line sending emails to attacker server giftshop.club, AI assistant icon granting full email/database access, Koi risk engine detecting anomaly, and warning signs for compromised organizations.Diagram showing postmark-mcp npm package with hidden BCC line sending emails to attacker server giftshop.club, AI assistant icon granting full email/database access, Koi risk engine detecting anomaly, and warning signs for compromised organizations.

Koi’s risk engine detected the anomaly in the update, revealing the attacker copied code from ActiveCampaign’s GitHub and republished it on npm. With 20% of downloads active, ~300 organizations are hit, potentially leaking 3,000–15,000 emails daily. The author deleted the package after silence, but installed instances persist, underscoring MCPs' dangers: they run autonomously via AI, blind to subtle sabotage like hidden BCCs, without sandboxes or reviews.

Diagram showing postmark-mcp npm package with hidden BCC line sending emails to attacker server giftshop.club, AI assistant icon granting full email/database access, Koi risk engine detecting anomaly, and warning signs for compromised organizations.Diagram showing postmark-mcp npm package with hidden BCC line sending emails to attacker server giftshop.club, AI assistant icon granting full email/database access, Koi risk engine detecting anomaly, and warning signs for compromised organizations.

MCPs normalize handing strangers full system access, turning updates into supply chain risks. Koi counters with a gateway for verification, anomaly detection, and monitoring. Users: Immediately remove postmark-mcp v1.0.16+, rotate credentials, audit all MCPs for authors and reviews. Blind trust in AI tools must end—demand verification to avoid this ecosystem's vulnerabilities.
 
NPAV offers a robust solution to combat cyber fraud. Protect yourself with our top-tier security product, Z Plus Security