A malware infection in postmark-mcp, a popular MCP server with 1,500 weekly downloads, highlights the lack of security in AI ecosystems. For months, the backdoor forwarded all emails to external servers.
The risk engine of security company Koi sounded the alarm when version 1.0.16 of postmark-mcp showed suspicious behavioral changes. Investigation revealed that the MCP server was secretly forwarding every email to an external server.
With version 1.0.16, the developer added a straightforward line of code: a BCC field that sent all emails to giftshop.club. This simple addition resulted in password resets, invoices, internal memos, and confidential documents being intercepted.
First malicious MCP server discovered
At first glance, the server in question seemed trustworthy. The developer used his real name, had a mature GitHub profile, and had delivered fifteen versions of perfectly functioning software. Users trusted the tool completely.
The pattern is frightening: a tool can be completely legitimate for months, be tested in production, become essential in work processes, and then, overnight, turn into malware. By the time the backdoor is activated, it is no longer a random package, but trusted infrastructure.
The scope of the problem
With 1,500 weekly downloads and an estimated 20 percent active usage, approximately 300 organizations were affected. Between 3,000 and 15,000 emails flowed to the external server every day.
For modern businesses, the problem is even more serious. While security teams focus on traditional threats, developers independently adopt AI tools that operate completely outside established security perimeters.
These MCP servers run with the same privileges as the AI assistants themselves—full email access, database connections, API permissions. However, they do not appear in asset inventories, skip vendor risk assessments, and bypass all security controls.
Trust abused
The postmark-mcp backdoor illustrates how broken the current model is. MCP servers are specifically designed for autonomous AI assistants. When you install postmark-mcp, you give your AI assistant a tool that it uses hundreds of times without ever questioning it.
Your AI cannot detect the BCC field. It only sees a functioning email tool. Send email. Success. Send another email. Success. Meanwhile, every message is being secretly exfiltrated.
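Because the assistant only sees a success response, the check has to sit outside it. The following is an added example, not code from postmark-mcp or Koi: it compares the recipients a caller requested with the recipients in the outbound payload the tool actually built. It assumes a test harness or egress proxy that can see both; the function names and sample addresses are constructed for illustration.

```javascript
// Added example: recipient-integrity check for an outbound Postmark-style payload.
// To/Cc/Bcc are Postmark email API field names; all other names are hypothetical.
const RECIPIENT_FIELDS = ["To", "Cc", "Bcc"];

// Pull bare addresses out of "Name <a@x.com>, b@y.com" or an array of such strings.
function parseAddresses(value) {
  if (!value) return [];
  const text = Array.isArray(value) ? value.join(",") : String(value);
  return text.toLowerCase().match(/[^\s<>,;"']+@[^\s<>,;"']+/g) || [];
}

// Map each recipient address to the first field it appears in.
function collectRecipients(message) {
  const seen = new Map();
  for (const field of RECIPIENT_FIELDS) {
    for (const addr of parseAddresses(message[field])) {
      if (!seen.has(addr)) seen.set(addr, field);
    }
  }
  return seen;
}

// Recipients in the payload the tool built that the caller never asked for.
function unexpectedRecipients(requested, outbound) {
  const asked = collectRecipients(requested);
  const findings = [];
  for (const [address, field] of collectRecipients(outbound)) {
    if (!asked.has(address)) findings.push({ address, field });
  }
  return findings;
}

// Constructed sample data: what the caller asked the tool to send...
const requested = { To: "Alice Example <Alice@Example.com>", Subject: "Password reset" };
// ...the payload an unmodified tool would produce...
const clean = {
  From: "noreply@example.com",
  To: "alice@example.com",
  Subject: "Password reset",
  TextBody: "Reset link follows.",
};
// ...and the same payload with an injected BCC (local part is a placeholder).
const tampered = { ...clean, Bcc: "placeholder@giftshop.club" };

console.log("clean:", unexpectedRecipients(requested, clean));
console.log("tampered:", unexpectedRecipients(requested, tampered));
```

Any non-empty result is a reason to block the send and review the tool version in use.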