In its first 15 iterations, a Model Context Protocol (MCP) server downloaded upwards of 1,500 times a week from the NPM package repository worked as promised, giving AI agents a tool to help developers handle their email.
However, version 1.0.16 of Postmark MCP Server included a new, single line of code buried at line 231, and that line had since been “quietly copying every email to the developer’s personal server,” according to Idan Dardikman, co-founder and chief technology officer of Koi Security. “I’m talking password resets, invoices, internal memos, confidential documents – everything.”
In a report released this week, Dardikman not only wrote about Koi systems detecting the malicious code in the latest version of the MCP server, but also warned about the security risks that developers and organizations are enabling by completely trusting the AI tools they’re bringing into their environments.
MCP is a protocol developed by AI vendor Anthropic, the creator of the Claude chatbot, that is used to enable large language models to connect to external data sources, tools, and services. MCP servers are unlike regular NPM packages, Dardikman wrote: they are specifically designed so that AI assistants can use them autonomously.
“When you install postmark-mcp, you’re not just adding some dependency to your package.json,” he wrote. “You’re giving your AI assistant a tool it will use hundreds of times, automatically, without ever stopping to think, ‘hmm, is something wrong here?’”
The AI system itself doesn’t know that emails are being stolen. It sees an email tool running as expected, sending email after email, even as every message is being quietly extracted every day, he added.
“The postmark-mcp backdoor isn’t just about one malicious developer or 1,500 weekly compromised installations,” Dardikman wrote. “It’s a warning shot about the MCP ecosystem itself.”
Koi’s risk engine raised a flag on postmark-mcp (Postmark is a legitimate email delivery service) and researchers found the malicious code and behavior. It was created by a software developer from Paris who used his real name and had a GitHub profile that included legitimate projects. It wasn’t a “shady anonymous account with an anime avatar. This was a real person with a real reputation, someone you’d probably grab coffee with at a conference,” he wrote.
However, the developer took the code from a legitimate GitHub repository that had the same name and is maintained by Postmark, and eventually added the malicious BCC line that sent the emails – and the sensitive data like passwords, API keys, financial data, and customer information they contained – to giftshop.club, which acted as the command-and-control (C2) server.
Koi tried to contact the developer, but never heard back, though he quickly deleted the package from NPM in a move that Dardikman suspected was to get rid of evidence. The problem is that while the package was deleted from NPM, it isn’t removed from the systems where it’s been installed, which means thousands of emails continue to be sent to giftshop.club.
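As an added example (not code from postmark-mcp, Postmark or Koi Security), here are two defender-side checks a team running an email MCP tool could apply against exactly this pattern: a recipient guard that refuses any address the agent did not ask for, and a log check that flags one address BCC’d on nearly every outgoing message. All addresses, domains and log lines are constructed.

```javascript
// Added example, not from postmark-mcp or Koi Security. Addresses and logs are constructed.

// Only the recipients the calling agent actually requested may leave the tool.
// Returns { ok, unexpected } so the caller can refuse the send and raise an alert.
function checkRecipients(requested, outgoing) {
  const flatten = (m) => [...(m.to || []), ...(m.cc || []), ...(m.bcc || [])]
    .map((a) => a.toLowerCase());
  const allowed = new Set(flatten(requested));
  const unexpected = flatten(outgoing).filter((a) => !allowed.has(a));
  return { ok: unexpected.length === 0, unexpected };
}

// Flag any address that is BCC'd on at least `threshold` of all messages, regardless
// of sender: a legitimate BCC varies per message, a silent exfil copy does not.
function findPersistentBcc(log, threshold = 0.9) {
  const counts = new Map();
  for (const m of log) {
    for (const a of new Set((m.bcc || []).map((x) => x.toLowerCase()))) {
      counts.set(a, (counts.get(a) || 0) + 1);
    }
  }
  return [...counts.entries()]
    .filter(([, n]) => n / log.length >= threshold)
    .map(([a]) => a)
    .sort();
}

// Constructed: what the agent asked for vs. what a tampered tool actually built.
const requested = { to: ['alice@corp.example'], cc: [] };
const built = { to: ['alice@corp.example'], bcc: ['collector@exfil.example'] };

// Constructed outgoing-mail log from several unrelated internal senders.
const sentLog = [
  { from: 'billing@corp.example', to: ['x@a.example'], bcc: ['collector@exfil.example'] },
  { from: 'hr@corp.example', to: ['y@b.example'], bcc: ['collector@exfil.example', 'archive@corp.example'] },
  { from: 'it@corp.example', to: ['z@c.example'], bcc: ['collector@exfil.example'] },
  { from: 'ceo@corp.example', to: ['w@d.example'], bcc: ['Collector@Exfil.Example'] },
];

console.log(checkRecipients(requested, built));  // { ok: false, unexpected: ['collector@exfil.example'] }
console.log(findPersistentBcc(sentLog));         // ['collector@exfil.example']
```

The guard belongs between the agent's tool call and the actual mail API; the log check runs over the mail gateway's sent-message records, which the deleted NPM package cannot alter.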
He tried to calculate the impact of the scam, assuming 1,500 downloads a week, with possibly 20% in use by about 300 organizations. With each organization sending 10 to 50 emails a day, that translates to 3,000 to 15,000 emails being stolen daily.
“And the truly messed up part? The developer didn’t hack anything,” Dardikman wrote. “Didn’t exploit a zero-day. Didn’t use some sophisticated attack vector. We literally handed him the keys, said ‘here, run this code with full permissions,’ and let our AI assistants use it hundreds of times a day. We did this to ourselves.”
Dardikman said this scam is likely the first malicious MCP server detected in the wild, but it likely won’t be the last until organizations move beyond their blind trust of AI technology.
“The postmark-mcp backdoor isn’t sophisticated – it’s embarrassingly simple,” he wrote. “But it perfectly demonstrates how completely broken this whole setup is. One developer. One line of code. Thousands upon thousands of stolen emails.”
His concerns about AI tools like MCP servers echo what other security experts have said. Researchers with Equixly, which provides a platform for API security testing, earlier this year wrote about their analysis of MCP servers, which they called “the new security nightmare.”
Among the MCP server implementations analyzed, they found that 43% contained command injection flaws, 22% allowed access to files outside of intended directories, and 30% permitted unrestricted URL fetching. In addition, 5% had miscellaneous security concerns.
“An important aspect often overlooked: MCP servers can be called by anyone, not just LLMs,” they wrote. “While LLMs typically show what they’re going to do with ‘plan’ and ‘act’ phases, a malicious attacker has no such transparency. This creates an expanded attack surface that many developers haven’t properly secured.”
Developer teams need to address the security holes, Dardikman wrote.
“We’re handing god-mode permissions to tools built by people we don’t know, can’t verify, and have no reason to trust,” he said. “These aren’t just npm packages – they’re direct pipelines into our most sensitive operations, automated by AI assistants that will use them thousands of times without question.”