Researchers find malicious ‘postmark-mcp’ npm package that forwarded emails to attacker

Cybersecurity researchers reported what they described as the first known sighting of a malicious Model Context Protocol (MCP) server in the wild, saying the discovery raises software supply chain risks. Koi Security detailed the finding in a technical post.

According to the researchers, a developer published an npm package named “postmark-mcp” that copied the official Postmark Labs library and introduced a malicious change in version 1.0.16, which was released on Sept. 17, 2025. The original library is available on GitHub, and Postmark describes the component as one that exposes an MCP server for email and agentic workflows.

Koi Security said the compromised package silently BCC’d every outgoing email to the address “phan@giftshop[.]club” after the one-line modification in version 1.0.16, effectively forwarding sensitive communications to a third party. Snyk also commented on the incident, warning that MCP servers often run with high trust and broad permissions inside agent toolchains and that any data they handle can therefore be sensitive.

The npm package was uploaded to the repository on Sept. 15, 2025, by a user identified as phanpak, who maintains other packages. The package has since been deleted from npm by that developer. The upload record is available on a package tracking site, and the package received 1,643 downloads according to npm statistics.

Koi Security’s chief technology officer, Idan Dardikman, described the backdoor as “embarrassingly simple” and said it demonstrates weaknesses in the current MCP and agent ecosystem that can be abused to exfiltrate large volumes of email. The researchers cautioned that a single line of code in a commonly trusted component can have widespread consequences when used in business-critical environments.

The researchers advised developers who installed the compromised package to remove it immediately, rotate any credentials that may have been exposed through email, and review email logs for BCC traffic to the reported domain.
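The two checks in that advice can be scripted. The following is an added example, not code from Koi Security, Snyk or Postmark: it looks for the package in a package-lock.json and for BCC recipients at the reported domain in a mail log. The JSON-lines log schema (`id`, `bcc`) and the sample inputs are constructed assumptions, and because the report names only version 1.0.16, any other version is marked for manual review.

```javascript
// Indicators from the report; the domain stays defanged in source and is refanged at run time.
const PACKAGE = 'postmark-mcp', BAD_VERSION = '1.0.16';
const BCC_DOMAIN = 'giftshop[.]club'.replace('[.]', '.');

// Locate every installed copy of the package in package-lock.json text.
function findInLockfile(lockText) {
  const lock = JSON.parse(lockText);
  const hits = [];
  // Only 1.0.16 is named in the report; any other version is marked for manual review.
  const add = (where, version) => hits.push(
    { where, version, status: version === BAD_VERSION ? 'known-malicious' : 'review' });
  if (lock.packages) { // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (('/' + path).endsWith(`/node_modules/${PACKAGE}`)) add(path, meta.version);
    }
  } else { // lockfileVersion 1: nested dependency tree
    const walk = (deps, trail) => {
      for (const [name, meta] of Object.entries(deps || {})) {
        if (name === PACKAGE) add(trail + name, meta.version);
        walk(meta.dependencies, `${trail}${name} > `);
      }
    };
    walk(lock.dependencies, '');
  }
  return hits;
}

// Message ids from a JSON-lines mail log whose BCC reaches the domain or a subdomain.
// The schema (id, bcc) is hypothetical; map it to your provider's export.
function findBccHits(logText) {
  const ids = [];
  for (const line of logText.split('\n')) {
    let rec;
    try { rec = JSON.parse(line); } catch { continue; } // skip malformed lines
    if (!rec || typeof rec !== 'object') continue;
    const bcc = [].concat(rec.bcc || []).join(',').toLowerCase();
    const domains = [...bcc.matchAll(/@([a-z0-9.-]+)/g)].map((m) => m[1].replace(/\.$/, ''));
    if (domains.some((d) => d === BCC_DOMAIN || d.endsWith('.' + BCC_DOMAIN))) ids.push(rec.id);
  }
  return ids;
}

// Constructed sample inputs, not real data.
const SAMPLE_LOCK = JSON.stringify({ lockfileVersion: 3,
  packages: { '': { name: 'demo' }, 'node_modules/postmark-mcp': { version: '1.0.16' } } });
const SAMPLE_LOG = `{"id":"m1","bcc":"Phan <phan@${BCC_DOMAIN}>"}\n{"id":"m2","bcc":[]}`;
console.log(findInLockfile(SAMPLE_LOCK), findBccHits(SAMPLE_LOG));
```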