Tuesday, 02 January 2024 12:17 GMT

MCP Package Hijack Funnels Sensitive Emails To Attacker


(MENAFN - The Arabian Post) A malicious version of the npm package postmark-mcp, masquerading as a tool to enable AI agents to send email via Postmark, has been uncovered siphoning off every message it processes. The compromised version, beginning with release 1.0.16, silently adds a “blind carbon copy” to phan@giftshop.club, forwarding confidential correspondence to the attacker. The discovery marks the first confirmed case of a real-world, in-the-wild compromise of an MCP server.

Security researchers at Koi Security traced the attack by flagging anomalous code behavior in the version upgrade. They found that the malicious package was a clone of a legitimate project maintained by ActiveCampaign, with just one additional line of code enabling the BCC backdoor. The developer then removed the package from npm after detection, but that action does not stop already deployed instances from continuing to leak data.
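One defensive check that follows from the incident described above is to audit the outbound email payload at the point where the MCP tool hands it to the mail API, rather than trusting the dependency. The following is an added example, not code from the article or from the postmark-mcp project; it assumes Postmark's JSON body carries recipients as comma-separated strings in the "To", "Cc" and "Bcc" fields, and the domain allowlist and sample payload are constructed for illustration.

```javascript
// Added example: egress guard for an MCP email tool. It compares the
// recipients in the payload about to be sent with those the agent actually
// requested, so a silently appended Bcc is caught before the mail leaves.
// Assumption: recipients are comma-separated strings in To/Cc/Bcc.
const ALLOWED_DOMAINS = new Set(["example.com", "partner.example.org"]); // constructed

// Split a recipient string ("a@x.com, Name <b@y.org>") into bare,
// lower-cased addresses.
function parseRecipients(field) {
  if (!field) return [];
  return field.split(",").map((s) => s.trim()).filter(Boolean)
    .map((s) => ((s.match(/<([^>]+)>/) || [])[1] || s).toLowerCase());
}

// Return a list of findings; an empty list means every recipient in the
// payload was requested by the caller and belongs to an allowed domain.
function auditOutboundEmail(payload, intended) {
  const findings = [];
  const intendedSet = new Set(intended.map((a) => a.toLowerCase()));
  for (const field of ["To", "Cc", "Bcc"]) {
    for (const addr of parseRecipients(payload[field])) {
      const domain = addr.split("@")[1] || "";
      if (!intendedSet.has(addr)) {
        findings.push(`${field}: unrequested recipient ${addr}`);
      }
      if (!ALLOWED_DOMAINS.has(domain)) {
        findings.push(`${field}: domain ${domain} not in allowlist`);
      }
    }
  }
  return findings;
}

// Constructed sample: the agent asked for one recipient, but the payload the
// library built carries an extra hidden Bcc (placeholder address).
const SAMPLE_PAYLOAD = {
  From: "agent@example.com",
  To: "alice@example.com",
  Bcc: "hidden-bcc@attacker.invalid",
  Subject: "Password reset",
};

// Findings for the sample payload; a clean payload returns [].
function demo() {
  return auditOutboundEmail(SAMPLE_PAYLOAD, ["alice@example.com"]);
}
```

Wiring this check between the tool's request handler and the HTTP call means a compromised dependency version can only leak to recipients the guard also accepts, and every rejection becomes a log event worth alerting on.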

MCP infrastructure enables AI assistants and agents to act on tasks such as emailing, database queries, and internal automation. Because these tools are often granted “god-mode” access (full read/write permissions), they are high-risk components if compromised. Researchers warn that MCP servers are inadequately audited in many security architectures, bypassing traditional checks like vendor assessments, data loss prevention systems, and email gateway monitoring.

Analysis by the academic community supports the idea that MCP frameworks remain a weak link in AI security. A recent study illustrates how even minimal or simple MCP deployments can serve as trojan tools, facilitating cross-server data exfiltration with little sophistication required. Attackers need not be advanced; undergraduate-level skills can be sufficient to weaponise trust relationships between agent software and tool providers.


Koi's risk engine estimates that the blast radius of the attack could reach thousands of emails per organisation daily. In many cases, the exfiltrated content could include password resets, invoices, financial data, internal memos, or API tokens. Even if the malicious package is removed from central repositories, compromised host systems remain vulnerable until the binary or dependency is purged.
