AI/ML, Email security, Supply chain, Exposure management, Application security

Open-source MCP server package caught stealing emails

A malicious open-source Model Context Protocol (MCP) server implementation with 1,500 weekly downloads was found to be exfiltrating private emails directly to its publisher, according to Koi Security.

The package hosted on npm, postmark-mcp, was found to be a copycat of a legitimate project of the same name hosted on GitHub. The publisher of the malicious version copied the code from the legitimate version and added a single line that would BCC him on every email sent through the MCP server, Koi Security said in a blog post Thursday.

MCP servers enable users to integrate AI tools such as large language models (LLMs) and agents with other services and data sources such as email, databases, development environments and more.

The legitimate postmark-mcp project, developed by Active Campaign, is an MCP server implementation for Postmark email services that allows users to use AI tools to send emails. In the malicious version, emails sent using the AI would automatically include a BCC to the email address phan@giftshop[.]club, invisibly exfiltrating the correspondence.

“This is the world’s first sighting of a real world malicious MCP server,” wrote Koi Security Chief Technology Officer Idan Dardikman.

Koi Security noted that the publisher uploaded 15 previous versions of the postmark-mcp npm package without the malicious code, only adding the BCC “backdoor” in version 1.0.16. The researchers also said the publisher maintained a seemingly legitimate GitHub profile containing several other non-suspicious projects.

When contacted by the researchers, the publisher did not respond and instead deleted the npm package, according to Koi.

Despite the package’s deletion from npm, users who still have it installed will continue to have their outbound emails exfiltrated to the phan@giftshop[.]club email; Koi recommended anyone who installed the package both remove it and rotate any secrets that may have been exposed in their emails.

“But more importantly, audit every MCP server you’re using. Ask yourself: do you actually know who built these tools you’re trusting with everything?” Dardikman concluded. “Stay paranoid. With MCPs, paranoia is just good sense.”

An In-Depth Guide to AI

Get essential knowledge and practical strategies to use AI to better your security program.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds