In a significant cybersecurity development, researchers have identified the first-known malicious Model-Context-Prompt (MCP) server actively exploiting AI agents to exfiltrate sensitive email data. The compromised server, embedded within a trojanized npm package named `postmark-mcp`, has been clandestinely siphoning confidential information from users’ emails, underscoring a new vector of attack in the AI-driven software supply chain.
Discovery and Mechanism of the Malicious Package
The `postmark-mcp` package, designed to function as an MCP server integrating with the Postmark email service, facilitates AI assistants in automating email-sending tasks. Initially, the tool operated as intended, building trust within the developer community and becoming a component of numerous workflows. However, starting with version 1.0.16, a single line of malicious code was introduced. This code surreptitiously added a Bcc field to every outgoing email, directing copies to an attacker-controlled email address, thereby compromising sensitive communications.
The Developer’s Deception
The individual behind this package presented themselves as a legitimate software engineer, complete with an established GitHub profile. This facade likely facilitated the package’s acceptance and integration into various systems without immediate suspicion. The attack involved cloning code from a legitimate GitHub repository maintained by Postmark (ActiveCampaign), injecting the backdoor, and publishing it to the npm registry under the same name.
Detection and Impact
Security firm Koi’s risk engine flagged the package after detecting behavioral anomalies in version 1.0.16. The simplicity of the attack is particularly alarming; it did not exploit a zero-day vulnerability or employ complex hacking techniques but rather leveraged the inherent trust within the open-source ecosystem. The estimated impact is substantial, with calculations suggesting that between 3,000 and 15,000 emails could have been exfiltrated daily from approximately 300 organizations.
Vulnerabilities in AI Agent Tools
This incident exposes critical vulnerabilities in the architecture of AI agent tools. MCP servers are granted high-level permissions to operate autonomously, often with full access to emails, databases, and APIs. Unlike traditional software, these tools are utilized by AI assistants that execute tasks without human review. The AI lacks the capability to detect that an email is being secretly copied, as it only verifies the completion of the primary task of sending the email. This creates a significant security blind spot for organizations.
Indicators of Compromise (IOCs) and Mitigation
– Package: `postmark-mcp` (npm)
– Malicious Version: 1.0.16 and later
– Backdoor Email: `phan@giftshop[.]club`
– Domain: `giftshop[.]club`
Users of `postmark-mcp` are urged to immediately uninstall the package and rotate any credentials or sensitive information that may have been transmitted via email. This attack serves as a stark warning about the risks associated with the rapidly growing MCP ecosystem, emphasizing the need for robust verification processes and heightened vigilance in the deployment of AI-driven tools.
