First-Ever Malicious MCP Server Steals Emails Using AI Agents

Top Highlights

1. A malicious npm package, postmark-mcp, was secretly used to exfiltrate sensitive email data by adding a backdoor, highlighting a new threat in AI-powered software supply chains.

2. The attack involved a seemingly legitimate developer copying code from an official source, injecting malicious code from version 1.0.16 onward, causing widespread trust and widespread integration.

3. MCP servers’ high-level permissions and autonomous operation create major security blind spots, enabling attackers to bypass traditional safeguards and potentially exfiltrate thousands of emails daily.

4. Organizations must urgently uninstall compromised packages, rotate credentials, and enhance verification protocols, as the incident underscores the critical need for ongoing monitoring of third-party AI tools.

Problem Explained

The recent discovery of the first malicious Model-Context-Prompt (MCP) server in the wild reveals a disturbing security breach within the AI-powered software supply chain. The attack centered on a widely used npm package called postmark-mcp, which had been downloaded roughly 1,500 times weekly. Initially functioning as a trustworthy tool to automate email tasks via the Postmark service, the package was secretly tampered with in version 1.0.16, when a malicious line of code was inserted, enabling it to clandestinely copy every processed email to an attacker-controlled server. The attacker, posing as a legitimate developer from Paris with an authentic GitHub profile, stole sensitive data—including passwords, invoices, and confidential communications—by exploiting the high-level permissions granted to MCP servers, which often operate outside traditional security systems. Although the developer promptly removed the compromised package after discovery, users who had already installed the malicious version remain vulnerable, highlighting how easily trust can be abused in open-source ecosystems and exposing serious security gaps in organizations relying on autonomous AI tools.

This incident underscores the urgent need for stricter verification and continuous monitoring of third-party AI components, especially MCP servers that handle sensitive information without human oversight. The attack utilized straightforward tactics—impersonation and code injection—rather than complex hacking techniques, making it particularly alarming. With an estimated potential exfiltration of thousands of emails daily across hundreds of organizations, cybersecurity experts warn that such vulnerabilities pose a significant threat to data integrity and privacy. The reporting firm, Koi, identified the malicious activity, pushing for immediate removal of the compromised package and urging organizations to tighten their defenses around third-party AI integrations to prevent similar breaches in the future.

Risks Involved

The discovery of the first malicious Model-Context-Prompt (MCP) server, delivered through the trojanized npm package “postmark-mcp,” underscores a critical and rapidly evolving cybersecurity threat within AI-powered software supply chains. By secretly exfiltrating sensitive email data—including passwords, invoices, and internal communications—it exploits the high-level permissions granted to autonomous AI tools, which often operate outside conventional security measures such as DLP systems and email gateways. This insidious attack, initiated through a seemingly legitimate developer profile and a manipulated package, highlights how simple yet sophisticated abuse of trust in open-source ecosystems can lead to substantial data breaches, potentially compromising thousands of emails daily across multiple organizations. Although the attacker swiftly removed the malicious package after detection, the damage persists in affected systems, necessitating immediate uninstallation and credential rotation. This incident exposes systemic vulnerabilities, emphasizing the urgent need for rigorous verification, continuous monitoring, and security protocols tailored to safeguard AI-dependent toolchains from stealthy exfiltration and exploitation.

Fix & Mitigation

Ensuring prompt remediation in the face of the first-ever malicious MCP server discovered in the wild, which can steal emails through AI agents, is crucial to prevent widespread data breaches, protect sensitive information, and maintain organizational trust.

Mitigation Steps

• Immediate Isolation: Disconnect affected servers from the network to prevent further data exfiltration.
• Threat Analysis: Conduct thorough forensic investigations to understand the attack vector and scope.
• Patch Vulnerabilities: Apply all relevant security patches and updates to close exploited vulnerabilities.
• Update Security Tools: Strengthen defenses by updating intrusion detection systems (IDS), antivirus, and AI monitoring tools.
• User Alerts and Training: Notify users about potential phishing or suspicious activity, and reinforce security awareness.
• Monitor Systems: Implement continuous monitoring for abnormal activity or unauthorized access.
• Revise Access Controls: Enforce strict access permissions and multi-factor authentication to limit unauthorized access.
• Communicate with Stakeholders: Keep relevant parties informed about the incident and remediation progress.
• Review and Harden Infrastructure: Conduct a security audit, and strengthen configurations to prevent future breaches.
• Legal and Compliance Measures: Notify authorities if required and document the incident for compliance purposes.

Stay Ahead in Cybersecurity

Explore career growth and education via Careers & Learning, or dive into Compliance essentials.

Access world-class cyber research and guidance from IEEE.

Disclaimer: The information provided may not always be accurate or up to date. Please do your own research, as the cybersecurity landscape evolves rapidly. Intended for secondary references purposes only.

Cyberattacks-V1