Malicious AI Agent Server Found Exfiltrating Emails

Security researchers from Koi Security have uncovered a malicious update to a widely used Model Context Protocol (MCP) server that has been stealing emails from the users who installed it.

The server in question, Postmark MCP Server, is an open-source tool designed to deploy AI agents that handle contextual tasks, such as sorting and processing emails. The MCP standard, introduced by Anthropic in November 2024, is used to manage contextual information for AI models, enabling automation of tasks that require understanding of previous inputs.

Postmark MCP Server, developed by an independent software engineer identified on GitHub and npm as @phanpak, had been functioning normally for its first fifteen releases. However, starting with version 1.0.16, the server began copying all emails from users’ accounts to the developer’s personal server, according to Koi Security.

This malicious behavior reportedly affected hundreds of developer workflows. Researchers estimate that about 20% of the 15,000 users who downloaded the server were actively using it, potentially impacting 300 organizations. The emails exfiltrated included sensitive content such as internal memos, invoices, and other confidential documents.

How the Attack Worked

The malicious functionality was embedded directly in the server code. Once installed, the Postmark MCP Server could reset passwords and access all email content. The stolen emails were sent to a server linked to giftshop.club, which appears to have been used as a command-and-control (C2) server.

Idan Dardikman, lead researcher at Koi Security, explained:

“The backdoor in postmark-mcp isn’t sophisticated. The developer didn’t exploit a zero-day or use advanced hacking techniques. Users effectively handed full access to their emails by installing the package and allowing AI agents to interact with it.”

Although the developer removed the malicious package from npm after the discovery, Koi Security warns that already installed instances remain compromised. Users are urged to immediately uninstall version 1.0.16 or later and rotate any exposed credentials.

Broader Implications for the MCP Ecosystem

This incident underscores a systemic vulnerability in the MCP ecosystem. Since MCP servers can be installed with extensive permissions and lack a built-in security model, malicious actors can exploit them for extended periods without detection.

Organizations relying on MCP-based AI workflows should exercise caution when integrating third-party packages, especially those created by unknown or unverified developers. Strict vetting, monitoring, and access controls are critical to prevent similar breaches in the future.

Source: https://www.infosecurity-magazine.com/news/malicious-ai-agent-server