Researchers Discover First Malicious MCP Server in Rogue Postmark-MCP Package Used to Steal User Emails

376/68 Wednesday, October 1, 2025

A research team from Koi Security has disclosed the first-ever discovery of a malicious Model Context Protocol (MCP) server being used in the wild, posing a significant risk of a software supply chain attack. The malicious npm package, named “postmark-mcp”, was uploaded on September 15, 2025, by a developer identified as phanpak. The malicious code, designed to steal user emails, was inserted in version 1.0.16 (released on September 17, 2025).

The package was crafted to mimic the legitimate Postmark Labs library, which integrates with an MCP server to send emails, manage templates, and track campaigns. However, a single added line of code created a severe exposure by BCC’ing every email to an address on the attacker’s private server (phan@giftshop[.]club). This exposed sensitive communications such as password reset links, invoices, internal organizational messages, and customer data to the attacker without the user’s knowledge. Before being removed from npm, the malicious package had already been downloaded more than 1,643 times.

Idan Dardikman, CTO of Koi Security, noted: “This is the first time a malicious MCP Server has been observed being used in a supply chain attack. Even a single line of malicious code was enough to steal thousands of emails.” Meanwhile, Snyk warned that MCP Servers typically operate with elevated privileges and access sensitive data, making this incident a stark reminder of the risks associated with open-source software without sufficient safeguards. Developers who previously installed the package are advised to remove it immediately, reset any potentially compromised credentials, and review email sending logs for anomalies.

Source: https://thehackernews.com/2025/09/first-malicious-mcp-server-found.html