First Malicious MCP Server Exposed in Rogue Postmark-MCP Package

Cybersecurity researchers have identified the first-ever case of a malicious Model Context Protocol (MCP) server discovered in the wild, highlighting the growing risks to the software supply chain.

According to Koi Security, a threat actor introduced rogue functionality into an npm package named “postmark-mcp”, which mimicked the legitimate Postmark Labs library of the same name. The malicious code first appeared in version 1.0.16, released on September 17, 2025.

The authentic Postmark-MCP library, available on GitHub, is designed to expose an MCP server that allows users to send emails, manage templates, and track campaigns with AI assistants. However, the compromised npm package secretly copied every email sent through the server to the attacker’s personal domain, using a simple one-line code change to BCC messages to “phan@giftshop[.]club.”

Discovery and Impact

The package was uploaded to npm on September 15, 2025, by a developer under the alias “phanpak,” who also maintains over 30 other packages. Before being removed, it had already been downloaded 1,643 times.

“This is the first documented case of a malicious MCP server,” said Koi Security CTO Idan Dardikman. “The backdoor was not sophisticated—it was shockingly simple—but it demonstrates how fragile the supply chain ecosystem really is. One developer. One line of code. Thousands of stolen emails.”

Risks for Organizations

The malicious MCP server poses significant risks since these servers often operate with high levels of trust and broad permissions within agent toolchains. Sensitive data such as password resets, invoices, customer communications, and internal memos could have been exposed.

Snyk, a security platform, warned that the attack was designed to exfiltrate emails from workflows dependent on MCP servers, underlining how attackers exploit the trust placed in open-source ecosystems.

Recommended Actions

Developers and organizations that installed the rogue “postmark-mcp” package should:

  • Remove the package immediately from all workflows.
  • Rotate exposed credentials that may have been shared through email.
  • Audit email logs for suspicious BCC traffic directed to the attacker’s domain.
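Two of these checks can be scripted. The following is an added example written for this article, not code from Koi Security, Snyk or Postmark; it assumes an npm `package-lock.json` with a `packages` map (lockfile v2/v3) and a mail-log line format of `key=value` fields including `bcc=`, and its lock-file and log samples are constructed.

```javascript
// Added example: defender-side checks for the rogue postmark-mcp package.
// Not part of the original article; sample data below is constructed.

const ATTACKER_DOMAIN = 'giftshop.club';      // exfil BCC domain named in the article
const FIRST_BAD_VERSION = [1, 0, 16];         // malicious code first shipped in 1.0.16

// True if dotted version string `a` is >= the numeric tuple `b`.
function versionAtLeast(a, b) {
  const pa = a.split('.').map(Number);
  for (let i = 0; i < b.length; i++) {
    const x = pa[i] || 0;
    if (x !== b[i]) return x > b[i];
  }
  return true;
}

// Walk a lockfile's "packages" map (lockfile v2/v3 layout, assumed) and
// return every install of postmark-mcp at a version at or above 1.0.16.
function findSuspectInstalls(lock) {
  const hits = [];
  for (const [installPath, meta] of Object.entries(lock.packages || {})) {
    if (installPath.endsWith('node_modules/postmark-mcp') && meta.version &&
        versionAtLeast(meta.version, FIRST_BAD_VERSION)) {
      hits.push({ path: installPath, version: meta.version });
    }
  }
  return hits;
}

// Scan mail-log lines (assumed "bcc=<addr>" field format) and return those
// whose BCC recipient belongs to the attacker's domain.
function findExfilBcc(logLines) {
  const re = /\bbcc=([^\s,;]+)/gi;
  return logLines.filter((line) =>
    [...line.matchAll(re)].some((m) => {
      const domain = (m[1].split('@')[1] || '').toLowerCase();
      return domain === ATTACKER_DOMAIN;
    }));
}

// Constructed samples: one bad install, one older install, one exfiltrated message.
const SAMPLE_LOCK = { lockfileVersion: 3, packages: {
  'node_modules/postmark-mcp': { version: '1.0.16' },
  'node_modules/legacy-tool/node_modules/postmark-mcp': { version: '1.0.15' },
} };
const SAMPLE_LOG = [
  'id=A1 from=billing@example.com to=cust@example.org bcc=phan@giftshop.club status=sent',
  'id=A2 from=hr@example.com to=staff@example.com status=sent',
  'id=A3 from=hr@example.com to=staff@example.com bcc=archive@example.com status=sent',
];
```

Run `findSuspectInstalls` over each repository's lock file and `findExfilBcc` over the outbound mail log for the window after September 17, 2025; any hit from either is a signal to rotate credentials that travelled through the affected mail flow.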

Broader Implications

This incident reinforces a troubling trend: adversaries continue to exploit the open-source supply chain by introducing malicious code into widely used packages. As MCP technology gains traction in enterprise environments, this attack serves as a wake-up call for companies to implement stricter safeguards, conduct regular code audits, and enhance visibility across their development pipelines to prevent similar compromises.

The case of the rogue Postmark-MCP package illustrates just how quickly trust can be weaponized in the open-source ecosystem—and how critical it is for organizations to strengthen their supply chain defenses.

Source: https://thehackernews.com/2025/09/first-malicious-mcp-server-found.html