Damage Control

A One-Line Backdoor: postmark-mcp MCP Server Quietly BCCs Your Emails

Supply Chain SecurityModel Context ProtocolCybersecurityAI Agents
Added Sep 27, 2025
Link166
Article: NegativeCommunity: NeutralDivisive
A One-Line Backdoor: postmark-mcp MCP Server Quietly BCCs Your Emails

A widely used MCP server, postmark-mcp, turned malicious in v1.0.16 by adding a BCC that forwards all emails to giftshop.club, enabling large-scale data exfiltration. Koi’s risk engine caught the behavioral change; despite the package’s removal from npm, existing installations remain compromised. The incident exposes systemic flaws in MCP’s trust model and calls for behavioral verification and supply-chain safeguards.

Key Points

  • postmark-mcp version 1.0.16+ adds a hidden BCC to phan@giftshop.club, exfiltrating all emails sent through the tool.
  • The attacker impersonated a legitimate Postmark repo, turning a previously trusted package into malware with a one-line change.
  • Scale is significant: ~1,500 weekly downloads, likely hundreds of active orgs, and thousands of emails a day siphoned.
  • Deleting the npm package does not remediate existing installations; compromised environments continue leaking emails.
  • The MCP ecosystem lacks a security model—AI assistants use powerful tools autonomously—necessitating behavioral monitoring and supply-chain gateways.

Sentiment

The community is predominantly skeptical of the article's framing and quality. While most agree supply chain attacks are a real and serious problem, the majority view is that this incident is being overhyped as an MCP-specific issue when it is really a generic dependency trust problem. The AI-generated writing style of the article and its perceived marketing angle for Koi's security product further erode credibility. There is genuine concern about MCP's security model, but the consensus leans toward this being an old problem in new packaging rather than a novel threat.

In Agreement

  • MCP servers grant AI agents god-mode permissions without sandboxing, vetting, or monitoring, making them an ideal vector for supply chain attacks that can simultaneously compromise email, keys, and private documents
  • AI amplifies the problem because less security-minded users are now attack vectors — they have neither the ability nor desire to vet what AI tools feed them
  • MCP as a use case is fundamentally unsafe because it encourages autonomous LLM-driven tool invocation that cannot be done securely with current technology
  • The MCP ecosystem's newness means established trust signals are absent — people are installing tools that appeared yesterday in a Wild West environment
  • MCP's ability to dynamically change tool descriptions after initial approval creates a shifting trust surface that undermines any security review
  • Articles like this serve an important purpose for informing people outside the HN audience who may not understand these risks

Opposed

  • This is a standard supply chain attack identical to any npm or PyPI backdoor — it has nothing specifically to do with MCP and the same flaw exists in all software dependencies
  • The impact estimates are wildly inflated — 1,500 weekly npm downloads mostly represent CI pipeline noise, not 300 unique organizations, and the official repo has minimal engagement
  • The BCC may be accidental debug code rather than intentional malice — using one's personal email in plain sight is an unusually careless approach for deliberate data theft
  • MCP is just JSON-RPC plumbing — calling it 'unsafe' is meaningless because the protocol itself cannot guarantee what remote implementations do
  • The article reads as AI-generated marketing content for Koi's security product, undermining its credibility despite the legitimate underlying concern
  • The article's breathless framing of an obvious risk — that running untrusted code is dangerous — is patronizing to a technical audience and adds no new insight