A malicious AI integration module downloaded 1,500 times a week has been caught quietly siphoning corporate emails to an attacker’s server — exposing a new supply chain risk.
MCP (Model Context Protocol) servers are used by AI assistants to integrate with email servers, so they can read and reply to emails, run queries, and more.
Unlike traditional apps, they don’t show up in asset inventories, can bypass vendor risk reviews, and often require access to sensitive systems like email. That combination makes them a perfect vector for supply chain abuse.
The tool, named postmark-mcp, was hosted on npm and downloaded around 1,500 times per week. For 15 versions it appeared legitimate, offering developers email integration for AI assistants.
The developer used their real name, had a public GitHub profile and multiple legitimate projects.
But in version 1.0.16, the package was modified to secretly forward every email it processed to an attacker-controlled server.
Security researchers at endpoint security company Koi Security first noticed the threat when their risk engine flagged an MCP named “Postmark-MCP” as containing suspicious behaviors.
The package was deleted from npm after Koi contacted the developer, but any existing installations remain compromised.
Organizations using postmark-mcp v1.0.16 are urged to immediately remove it, rotate exposed credentials, and audit email logs.
Why this matters
Koi estimates that, based on weekly download counts, between 3,000 and 15,000 emails may have been exposed.
While the actual scope is unknown (and may have been smaller), this is yet another example of the supply chain risks raised by npm packages.
In early September, a single phishing email let a threat actor compromise over 18 npm packages downloaded nearly 2 billion times a week, a breach so massive some researchers called it the biggest software supply chain compromise in history.
The postmark-mcp attack, by contrast, is not an example of a hack or compromise; it is simply a case of a threat actor impersonating a legitimate tool that required access to email mailboxes.
The fact this attack targeted MCP servers, which AI assistants use to access email accounts, has also raised concerns.
“As security teams focus on traditional threats and compliance frameworks, developers are independently adopting AI tools that operate completely outside established security perimeters,” said Idan Dardikman, Co-Founder & CTO at Koi.
“These MCP servers…don’t appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways. By the time someone realizes their AI assistant has been quietly BCCing emails to an external server for months, the damage is already catastrophic.”
It appears the attacker invested time in making the app appear safe and trustworthy, then inserted the backdoor once it had gained traction.
“The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple. But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails,” Dardikman continues.
“If you’re using postmark-mcp version 1.0.16 or later, you’re compromised. Remove it immediately and rotate any credentials that may have been exposed through email. But more importantly, audit every MCP server you’re using. Ask yourself: do you actually know who built these tools you’re trusting with everything?”
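The version check from the advice above, as an added example (not code from Koi Security or this article): it scans a parsed package-lock.json for postmark-mcp at version 1.0.16 or later. The sample lockfiles and the `demo-agent` and `mail-helper` names are constructed for illustration.

```javascript
// Added example: flag postmark-mcp >= 1.0.16 in a parsed package-lock.json.
// Real use: scanLockfile(JSON.parse(fs.readFileSync("package-lock.json", "utf8")))
const BAD_NAME = "postmark-mcp";
const FIRST_BAD = [1, 0, 16]; // first backdoored version per the article

// True when "x.y.z" is >= FIRST_BAD; pre-release/build suffixes are ignored.
function isAffected(version) {
  const parts = String(version).split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIRST_BAD[i]) return n > FIRST_BAD[i];
  }
  return true; // exactly 1.0.16
}

// Returns [{ path, version, affected }] for every postmark-mcp entry.
function scanLockfile(lock) {
  const hits = [];
  const record = (name, path, meta) => {
    if (name === BAD_NAME) hits.push({ path, version: meta.version, affected: isAffected(meta.version) });
  };
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      record(path.split("node_modules/").pop(), path, meta);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        const path = `${trail}node_modules/${name}`;
        record(name, path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (not real project data; names are hypothetical).
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-agent", version: "0.1.0" },
  "node_modules/postmark-mcp": { version: "1.0.16" },
} };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "mail-helper": { version: "2.0.0", dependencies: { "postmark-mcp": { version: "1.0.15" } } },
} };
console.log(scanLockfile(sampleV3), scanLockfile(sampleV1));
```

A lockfile scan does not cover global installs or packages fetched on demand by npx, so MCP client configurations need checking as well.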