Supply-chain compromise in the npm package postmark-mcp enabled silent email exfiltration, impacting hundreds of organizations daily.
TL;DR status: If postmark-mcp@1.0.16 shows up in your environment, treat it as compromised and follow remediation immediately. 🚨
Executive summary
According to a recent disclosure, a malicious npm package published under the name postmark-mcp (an MCP connector for Postmark) contained a backdoor in release 1.0.16 that silently BCC'ed outgoing emails to an attacker-controlled address. The package was removed from the registry after discovery, but installations that already pulled that release may still be exfiltrating data. This is a textbook supply-chain compromise affecting connector tooling, and the impact is high because these libraries handle email (tokens, password resets, invoices). 😬
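A lockfile check for the release named above, as an added example that is not part of the original article: it takes a parsed package-lock.json and reports every place postmark-mcp 1.0.16 is pinned, including transitive installs. The function name and the sample lockfiles are constructed for illustration.

```javascript
// Added example (not from the article): locate a flagged release in npm lockfile data.
// Package name and version come from the article; the sample lockfiles are constructed.
const FLAGGED = { name: "postmark-mcp", version: "1.0.16" };

// Takes a parsed package-lock.json object, returns where the flagged release is pinned.
function findFlagged(lock, flagged = FLAGGED) {
  const hits = [];
  const isHit = (name, meta) => name === flagged.name && meta.version === flagged.version;

  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path; "" is the root project.
    for (const [path, meta] of Object.entries(lock.packages)) {
      const i = path.lastIndexOf("node_modules/");
      // meta.name is set for aliased installs; otherwise derive the name from the path.
      const name = meta.name || (i >= 0 ? path.slice(i + "node_modules/".length) : "");
      if (path && isHit(name, meta)) hits.push(path);
    }
    return hits;
  }
  // lockfileVersion 1: nested tree; record the chain that pulls the package in.
  const walk = (deps, chain) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const here = [...chain, name];
      if (isHit(name, meta)) hits.push(here.join(" > "));
      walk(meta.dependencies, here);
    }
  };
  walk(lock.dependencies, []);
  return hits;
}

// Constructed sample, lockfileVersion 3: a safe direct pin plus a flagged transitive pin.
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.15" },
    "node_modules/some-agent": { version: "2.3.0" },
    "node_modules/some-agent/node_modules/postmark-mcp": { version: "1.0.16" },
  },
};
// Constructed sample, lockfileVersion 1: the flagged release nested under a dependency.
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    "some-agent": { version: "2.3.0", dependencies: { "postmark-mcp": { version: "1.0.16" } } },
  },
};

console.log(findFlagged(sampleV3));
console.log(findFlagged(sampleV1));
```

Pass it `JSON.parse` of each project's package-lock.json. An empty result covers only that lockfile, not globally installed packages or images built before the lockfile changed.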
Quick facts & impact statistics
- Weekly downloads (npm): ~1.5K+ — meaning it was in active developer workflows and could be transitively included in many projects. 📥
- Estimated impact: conservative…