First Malicious MCP in the Wild: The Postmark Backdoor Stealing Your Emails
- #cybersecurity
- #supply-chain-attacks
- #MCP-servers
- MCP servers are tools that allow AI assistants to perform tasks like sending emails and running database queries, but they often have excessive permissions.
- The postmark-mcp package, downloaded 1,500 times weekly, was found to have been secretly copying all emails to a developer's server since version 1.0.16.
- The malicious behavior was detected by Koi's risk engine, which flagged suspicious changes in version 1.0.16.
- The developer of postmark-mcp had a legitimate profile and reputation, making the malicious update unexpected and hard to detect.
- The attack involved adding a single line of code to BCC all emails to an external server, demonstrating how simple yet effective such attacks can be.
- The impact is significant, with an estimated 3,000 to 15,000 emails being exfiltrated daily to giftshop.club.
- The MCP ecosystem lacks built-in security, allowing AI assistants to use compromised tools without questioning their actions.
- The developer deleted the package from npm, but installed versions remain compromised, continuing to exfiltrate data.
- The incident highlights the broader issue of trusting third-party tools with sensitive permissions without proper vetting.
- Mitigation steps include uninstalling postmark-mcp, rotating compromised credentials, and auditing email logs for exfiltrated data.
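
To support the uninstall step, the sketch below flags postmark-mcp entries at or after version 1.0.16 in a parsed npm lockfile. It is an added example, not code from the article or from Koi; it assumes the standard `package-lock.json` layout, the function names are hypothetical, and the sample lockfile is constructed.

```javascript
const PACKAGE = "postmark-mcp";
const FIRST_BAD = [1, 0, 16]; // first version the page reports as copying mail

// "1.0.16" or "1.0.16-rc.1" -> [1, 0, 16]; missing or bad parts become 0.
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0];
  return core.split(".").slice(0, 3).map((n) => parseInt(n, 10) || 0);
}

// True when version >= floor. Pre-release tags are ignored (conservative).
function atOrAfter(version, floor) {
  const v = parseVersion(version);
  for (let i = 0; i < 3; i++) {
    const part = v[i] || 0;
    if (part !== floor[i]) return part > floor[i];
  }
  return true;
}

// Accepts a parsed package-lock.json. Lockfile v2/v3 lists every install
// path under "packages"; v1 nests transitive copies under "dependencies".
function findAffected(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === PACKAGE && atOrAfter(meta.version, FIRST_BAD))
      hits.push({ path, version: meta.version });
  };
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages))
      check(path.split("node_modules/").pop(), path, meta);
    return hits; // v2 also mirrors v1 data; skip it to avoid duplicates
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      check(name, path, meta);
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfile (v3 shape); "mail-agent" is a made-up package.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "0.1.0" },
  "node_modules/postmark-mcp": { version: "1.0.16" },
  "node_modules/mail-agent": { version: "2.3.0" },
  "node_modules/mail-agent/node_modules/postmark-mcp": { version: "1.0.15" },
} };
console.log(findAffected(SAMPLE_LOCK));
```

Pass it `JSON.parse` of each project's `package-lock.json`. A lockfile only records what was resolved, so hosts with an existing install still need the package removed and credentials rotated.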