Malicious postmark-mcp npm Package Allows Email Exfiltration via MCP Ecosystem
October 8th, 2025
High
Our Cyber Threat Intelligence Unit has identified a malicious npm package, postmark-mcp, that impersonates a legitimate Postmark MCP server module. The campaign constitutes a supply-chain compromise within the MCP (Model Context Protocol) ecosystem, exploiting trusted developer dependencies used by AI assistants and automation workflows. In version 1.0.16, the attacker added a one-line backdoor that silently forwards all outgoing emails to phan@giftshop[.]club via BCC without user consent. Versions 1.0.0–1.0.15 operated normally but are untrusted since the package publisher’s account (“phanpak”) was compromised. The backdoor allows covert exfiltration of sensitive data, including credentials, financial records, and internal communications. This abnormal behavior bypassed standard security scanners, highlighting the growing risk of malicious code embedded in third-party MCP components.
Technical Details
Attack Type: Supply-chain compromise through a malicious npm package (postmark-mcp) impersonating a legitimate MCP implementation.
Severity: High.
Delivery Method: The adversary altered a legitimate MCP server component and uploaded the trojanized version to the npm registry under the same name, making it appear authentic to developers who regularly use the package.
Execution Chain:
The attack begins when a developer or automated system installs the postmark-mcp npm package, which appears trustworthy due to its normal version history and functionality.
The malicious behavior was introduced in version 1.0.16, which silently inserts a BCC field into outgoing emails without user consent.
Earlier versions (1.0.0–1.0.15) were unaffected but remain untrusted since the same attacker-controlled account published all releases.
The injected code executes automatically when the MCP server or AI assistant sends an email, forwarding a hidden copy of every message to phan@giftshop[.]club.
Exfiltrated data can include passwords, API keys, invoices, customer information, and internal correspondence.
Because the modification is embedded directly in the npm update, it bypasses traditional security scanners and can run within AI-assisted or automated environments without a manual review step.
The malicious package leverages standard email workflows for exfiltration, evading typical network or endpoint detection controls.
The npm package was deleted by the author after discovery.
Evasion Notes: The change consists of a single line of code, making static analysis and dependency scanning ineffective. Only behavioral or mail-log analysis can reliably detect the anomaly.
Affected Components: Any application, MCP server, or AI-assistant workflow that imported postmark-mcp v1.0.16+ for outbound email processing.

Impact
Unauthorized forwarding of sensitive email data to an attacker-controlled domain, resulting in potential data exposure and privacy violations.
Automated or AI-assisted workflows executed the backdoor without human approval, magnifying supply-chain risk.
Potential compromise of organizational credentials, invoices, or client communications.
Regulatory exposure under GDPR, CCPA, or similar frameworks due to unconsented data transmission.
Reputational and financial impact from incident response, disclosure obligations, and erosion of customer trust.
Detection Method
Email / MTA-Based Detection:
Search email logs or headers for BCC recipients containing giftshop[.]club.
Inspect outbound SMTP or Postmark-related telemetry for unexpected destinations.
Host-Based Detection:
Identify systems containing or executing postmark-mcp v1.0.16 or later.
Audit build environments and MCP server dependencies for unapproved npm packages.
Behavioral / Network Detection:
Use behavioral analysis tools (e.g., Koi’s risk engine) to detect anomalous communication patterns or silent BCC insertions.
Monitor DNS or MX lookups related to giftshop[.]club, though primary exfiltration occurs through mail channels.
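The silent-BCC check described above, as an added example (not code from this advisory or from the package): it compares each message's envelope recipients with its visible To/Cc headers and reports the extras. The record shape, the `approvedDomains` allowlist and the sample data are assumptions constructed for illustration; map your own MTA or provider log fields onto them.

```javascript
// Added example: flag envelope recipients that are absent from To/Cc (a silent BCC).
// The record shape {id, to, cc, envelopeRcpt} is an assumption, not a real log format.
const IOC_DOMAIN = "giftshop[.]club".replace("[.]", "."); // refang the advisory's IoC

const norm = (addr) => addr.trim().toLowerCase();
const domainOf = (addr) => norm(addr).split("@").pop();

// Returns one finding per hidden recipient that is on the IoC domain
// (or a subdomain of it) or on a domain outside the approved list.
function findHiddenRecipients(records, approvedDomains = []) {
  const approved = new Set(approvedDomains.map((d) => d.toLowerCase()));
  const findings = [];
  for (const rec of records) {
    const visible = new Set([...(rec.to || []), ...(rec.cc || [])].map(norm));
    for (const rcpt of rec.envelopeRcpt || []) {
      const addr = norm(rcpt);
      if (visible.has(addr)) continue; // recipient is shown in the headers
      const domain = domainOf(addr);
      const isIoc = domain === IOC_DOMAIN || domain.endsWith("." + IOC_DOMAIN);
      if (isIoc || !approved.has(domain)) {
        findings.push({
          id: rec.id,
          hidden: addr,
          severity: isIoc ? "ioc-match" : "unapproved-bcc",
        });
      }
    }
  }
  return findings;
}

// Constructed sample records (not real mail data).
const SAMPLE = [
  { id: "m1", to: ["alice@example.com"], cc: [], envelopeRcpt: ["alice@example.com"] },
  { id: "m2", to: ["bob@example.com"], cc: [],
    envelopeRcpt: ["bob@example.com", "Phan@" + IOC_DOMAIN] },
  { id: "m3", to: ["carol@example.com"], cc: [],
    envelopeRcpt: ["carol@example.com", "archive@corp.example"] }, // approved journaling
  { id: "m4", to: ["dave@example.com"], cc: [],
    envelopeRcpt: ["dave@example.com", "x@unknown.example"] },
];

console.log(JSON.stringify(findHiddenRecipients(SAMPLE, ["corp.example"]), null, 2));
```

Listing legitimate journaling or archive domains in `approvedDomains` keeps known BCC use from drowning out the unknown destinations.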
Indicators of Compromise
| Type | Indicator |
| --- | --- |
| Domain Name | giftshop[.]club |
| Email Address | phan@giftshop[.]club |
| Package Name | postmark-mcp (npm) |
| Version | 1.0.16 and later |
| Author | phanpak (deleted npm user) |

Recommendations
Immediate Actions:
Uninstall the postmark-mcp package from all environments.
Audit codebases, build servers, and MCP-integrated AI workflows for references to the malicious dependency.
Rotate credentials and revoke API tokens potentially exposed through affected mail systems.
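One way to carry out the dependency audit above, as an added example rather than tooling from this advisory: it walks parsed package-lock.json content in both the `packages` (lockfileVersion 2/3) and nested `dependencies` (v1) layouts and reports every postmark-mcp entry, including transitive ones. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: audit parsed package-lock.json content for postmark-mcp.
// Handles lockfileVersion 2/3 ("packages") and the nested v1 "dependencies" tree.
const PKG = "postmark-mcp";
const FIRST_BACKDOORED = [1, 0, 16]; // version named in this advisory

// Compare the numeric major.minor.patch core; pre-release tags are ignored.
function atLeast(version, floor) {
  const parts = String(version).split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0;
    if (a !== floor[i]) return a > floor[i];
  }
  return true; // equal to the floor
}

function auditLock(lock) {
  const hits = new Map(); // install path -> version, de-duplicated across layouts
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/b"; keep only the final name.
    if (path.split("node_modules/").pop() === PKG) hits.set(path, meta.version);
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = prefix + "node_modules/" + name;
      if (name === PKG && !hits.has(path)) hits.set(path, meta.version);
      walk(meta.dependencies, path + "/"); // v1 nests transitive dependencies
    }
  };
  walk(lock.dependencies, "");
  return [...hits].map(([path, version]) => ({
    path,
    version,
    // Per the advisory: 1.0.16+ carries the BCC line; earlier releases are untrusted.
    verdict: atLeast(version, FIRST_BACKDOORED) ? "backdoored" : "untrusted-publisher",
  }));
}

// Constructed sample lockfiles (hypothetical projects, not real data).
const V1_LOCK = { lockfileVersion: 1, dependencies: {
  "some-agent": { version: "2.1.0", dependencies: { "postmark-mcp": { version: "1.0.16" } } },
} };
const V3_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/other-lib": { version: "1.0.0" },
  "node_modules/postmark-mcp": { version: "1.0.12" },
} };

console.log(auditLock(V1_LOCK), auditLock(V3_LOCK));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `auditLock`; any result, regardless of verdict, means the package should be removed.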
Configuration & Access Controls:
Restrict who can install or update MCP-related npm packages.
Implement code-signing and dependency-verification for all third-party integrations.
Limit AI assistant permissions to prevent autonomous network or email access without explicit approval.
Monitoring & Response:
Continuously monitor for email traffic anomalies, particularly BCCs to unknown domains.
Implement alerting for unreviewed npm package installations or changes to MCP server configurations.
Conduct proactive threat hunting for other malicious MCP or npm components using similar tactics.
Conclusion
The postmark-mcp incident underscores the escalating threat of malicious supply-chain implants within AI and MCP ecosystems. By embedding a single line of exfiltration code, the attacker weaponized a trusted developer dependency to harvest sensitive organizational data. We urge organizations to treat all MCP-related packages as high-risk integration points, enforce strict dependency controls, and deploy behavioral analytics capable of detecting subtle logic-layer abuse to mitigate risks associated with this campaign.