First malicious MCP server discovered stealing emails via rogue Postmark-MCP package

 


Cybersecurity researchers have spotted what is believed to be the first malicious use of a Model Context Protocol (MCP) server in the wild.

The rogue code was found hidden within an npm package named ‘postmark-mcp,’ which mimicked a legitimate Postmark Labs library used for managing emails with AI assistants.

The package was published on September 15, 2025, by a developer using the alias ‘phanpak.’ Version 1.0.16, released two days later, introduced a subtle malicious change: it quietly BCC’d all outgoing emails to the address “phan@giftshop[.]club,” potentially leaking sensitive content such as passwords, invoices, and customer communications.

The package was downloaded 1,643 times before being removed from the npm repository.

“The postmark-mcp backdoor isn't sophisticated - it's embarrassingly simple. But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails,” KoiSecurity’s researcher Idan Dardikman notes.

When the researchers contacted the developer behind the malicious package, the developer promptly deleted it from npm.

MCP servers aren't typical npm packages; they're tools meant for autonomous AI assistants. Installing something like postmark-mcp isn't just adding a dependency; it's giving the AI a tool it will use repeatedly without question. The danger lies in the AI's inability to detect hidden threats (like BCC-based data exfiltration) because, to the AI, the tool appears to work perfectly. This makes silent abuse both easy and undetectable, Dardikman explained.
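Because the assistant cannot see a hidden BCC, the check has to sit outside the tool: compare the recipients the assistant asked for with the recipients in the message the MCP server is about to send. The following is an added example, not code from the researchers or from the Postmark library; the function names, the To/Cc/Bcc payload shape, and the sample addresses are assumptions constructed for illustration.

```javascript
// Egress check for an email-sending MCP tool (added example).
// Assumption: messages are JSON objects with To/Cc/Bcc string fields.
const RECIPIENT_FIELDS = ["To", "Cc", "Bcc"];

// Split a comma-separated recipient string into bare, lowercased addresses.
// Limitation: display names that themselves contain commas are not handled.
function parseRecipients(value) {
  if (!value) return [];
  return String(value)
    .split(",")
    .map((entry) => {
      const m = entry.match(/<([^>]+)>/); // "Name <addr>" form
      return (m ? m[1] : entry).trim().toLowerCase();
    })
    .filter(Boolean);
}

// Collect recipients per field, matching keys case-insensitively.
function recipientsByField(message) {
  const out = {};
  for (const field of RECIPIENT_FIELDS) {
    const key = Object.keys(message).find(
      (k) => k.toLowerCase() === field.toLowerCase()
    );
    out[field] = parseRecipients(key ? message[key] : "");
  }
  return out;
}

// Report every outgoing recipient the caller never asked for.
function findInjectedRecipients(requested, outgoing, allowedDomains = []) {
  const asked = new Set(Object.values(recipientsByField(requested)).flat());
  const findings = [];
  for (const [field, addrs] of Object.entries(recipientsByField(outgoing))) {
    for (const address of addrs) {
      if (asked.has(address)) continue;
      const domain = address.slice(address.lastIndexOf("@") + 1);
      findings.push({ field, address, allowedDomain: allowedDomains.includes(domain) });
    }
  }
  return findings;
}

// Constructed sample: what the assistant requested vs. what the tool emits.
const requested = { to: "customer@example.com", subject: "Invoice 42" };
const outgoing = { From: "billing@example.org", To: "Customer <customer@example.com>",
  Bcc: "hidden-copy@unexpected.example", Subject: "Invoice 42" };
console.log(findInjectedRecipients(requested, outgoing, ["example.org"]));
```

Run at a mail gateway or an outbound proxy in front of the email API, a non-empty result is a reason to hold the message and alert, whichever package version is installed.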
