A One-Line Backdoor: postmark-mcp MCP Server Quietly BCCs Your Emails

A widely used MCP server, postmark-mcp, turned malicious in v1.0.16 by adding a BCC that forwards all emails to giftshop.club, enabling large-scale data exfiltration. Koi’s risk engine caught the behavioral change; despite the package’s removal from npm, existing installations remain compromised. The incident exposes systemic flaws in MCP’s trust model and calls for behavioral verification and supply-chain safeguards.
Key Points
- postmark-mcp version 1.0.16+ adds a hidden BCC to phan@giftshop.club, exfiltrating all emails sent through the tool.
- The attacker impersonated a legitimate Postmark repo, turning a previously trusted package into malware with a one-line change.
- Scale is significant: ~1,500 weekly downloads, likely hundreds of active orgs, and thousands of emails a day siphoned.
- Deleting the npm package does not remediate existing installations; compromised environments continue leaking emails.
- The MCP ecosystem lacks a security model—AI assistants use powerful tools autonomously—necessitating behavioral monitoring and supply-chain gateways.
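Two defender-side checks that follow from the points above, as an added example that is not code from the article, from Koi, or from the postmark-mcp project. The first scans an existing installation's package-lock.json for postmark-mcp at or above 1.0.16, the version the article names as the first backdoored release, which matters because the npm takedown left installed copies in place. The second is a small piece of the behavioral verification the article calls for: it compares the To/Cc/Bcc fields of the request the tool is about to send against the recipients the caller actually asked for, so a recipient the tool added on its own is caught before the message leaves the host. Assumptions: the lockfile layouts for lockfileVersion 1 (nested `dependencies`) and 2/3 (`packages` keyed by install path), and Postmark's email API taking To, Cc and Bcc as comma-separated strings; all sample data is constructed except the Bcc address, which is the one the article reports.

```javascript
// Added example, not code from the article, Koi, or the postmark-mcp project.
// Assumptions: npm lockfile layouts for lockfileVersion 1 and 2/3, and Postmark's
// /email API taking To, Cc and Bcc as comma-separated strings. Sample data is constructed.

const PACKAGE = "postmark-mcp";
const BACKDOORED_FROM = "1.0.16"; // first version the article reports as backdoored

// Numeric dotted-version comparison; pre-release suffixes are ignored.
function versionAtLeast(version, minimum) {
  const parse = (v) => v.replace(/^v/, "").split("-")[0].split(".").map((n) => parseInt(n, 10) || 0);
  const a = parse(version);
  const b = parse(minimum);
  for (let i = 0; i < Math.max(a.length, b.length); i++) {
    const x = a[i] || 0;
    const y = b[i] || 0;
    if (x !== y) return x > y;
  }
  return true; // equal
}

// Returns every install path where postmark-mcp is present at a backdoored version.
function auditLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path ("" is the root project).
    for (const [path, entry] of Object.entries(lock.packages)) {
      const isTarget = path === `node_modules/${PACKAGE}` || path.endsWith(`/node_modules/${PACKAGE}`);
      if (isTarget && entry.version && versionAtLeast(entry.version, BACKDOORED_FROM)) {
        hits.push({ path, version: entry.version });
      }
    }
    return hits;
  }
  // lockfileVersion 1: nested "dependencies" tree.
  const walk = (deps, prefix) => {
    for (const [name, entry] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && entry.version && versionAtLeast(entry.version, BACKDOORED_FROM)) {
        hits.push({ path, version: entry.version });
      }
      walk(entry.dependencies, `${path}/`);
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// "Name <addr>" or bare "addr" -> lowercase bare address.
function normalizeAddress(raw) {
  const m = raw.match(/<([^>]+)>/);
  return (m ? m[1] : raw).trim().toLowerCase();
}

function splitRecipients(field) {
  if (!field) return [];
  return String(field).split(",").map(normalizeAddress).filter(Boolean);
}

// Every recipient in the outbound payload that the caller did not ask for,
// together with the header it was placed in (a hidden Bcc shows up here).
function unexpectedRecipients(payload, intendedRecipients) {
  const allowed = new Set(intendedRecipients.map(normalizeAddress));
  const found = [];
  for (const header of ["To", "Cc", "Bcc"]) {
    for (const address of splitRecipients(payload[header])) {
      if (!allowed.has(address)) found.push({ header, address });
    }
  }
  return found;
}

// Constructed sample data for a stand-alone run.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "my-agent" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
  },
};
// The request body the tool is about to POST; the Bcc is the address the article reports.
const SAMPLE_PAYLOAD = {
  From: "agent@example.com",
  To: "Customer <customer@example.com>",
  Bcc: "phan@giftshop.club",
  Subject: "Your invoice",
};

console.log("lockfile hits:", auditLockfile(SAMPLE_LOCK));
console.log("unexpected recipients:", unexpectedRecipients(SAMPLE_PAYLOAD, ["customer@example.com"]));
```

The recipient check only helps where the outbound request is visible, so it belongs in a wrapper around the tool's HTTP client or in an egress proxy between the MCP server and the Postmark API, not inside the untrusted package itself. The lockfile scan is a point-in-time audit of what is installed; it finds copies the registry removal left behind but does not replace the ongoing behavioral monitoring the article argues for.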
Sentiment
The overall sentiment is mixed but leans towards skepticism regarding the *novelty* of the article's core premise, while generally acknowledging the *validity* of the underlying supply chain security concerns. Many commenters agree that software supply chain attacks are a serious risk and that users often grant excessive trust. However, a significant portion feels the article states the obvious or presents a general software trust issue as if it were a new, MCP-specific revelation. There's also criticism directed at the article's writing style, suggesting it might be AI-generated.
In Agreement
- Security for AI agents with MCP servers was never considered, making them "unsafe by design," and informing people about these risks is crucial, especially for those outside the HN tech-savvy audience.
- The HN audience is not immune to npm supply chain attacks, which are a direct threat to tech-literate individuals.
- Beyond information, actively removing or avoiding these risky workflows is important.
- Many computer users lack detailed understanding of technology and its abstract risks, making educational articles necessary.
- Granting "god-mode" permissions to unknown third-party tools is inherently risky.
- The newness of MCP tools means they lack the established trust and track record of older, more mature libraries, creating a "Wild West" environment ripe for exploitation.
- Installing any package introduces a liability due to the implicit trust placed in its author and distributor.
- The broad nature of software dependencies (e.g., in Linux, Go, Java) means unverified code is a pervasive risk across the software ecosystem.
Opposed
- The article's core message about "god-mode permissions" and supply chain risks is obvious to a technical audience, implying it's "content" for those already oblivious.
- The issue described is not unique to MCPs but is a fundamental problem with trusting any third-party software, whether it's a Thunderbird extension or any other library/dependency. The "flaw is there in all software: you have to trust the author and the distributor."
- The problem of trusting software developers and distributors is as old as software itself, not a novel issue specifically tied to MCP.
- The incident is downplayed by some who compare it to perceived larger, ignored privacy issues from major corporations like Microsoft, suggesting hypocrisy in outrage.
- The article itself is criticized for displaying "hallmarks of an AI-generated article," including excessive length, rhetorical flaws, idiomatic tics, and redundant platitudes, suggesting a lack of quality or authenticity.