A fake 'postmark-mcp' npm package impersonating Postmark's AI email infrastructure secretly copied thousands of sensitive emails to attackers through a single backdoored line of code. The typosquatting attack compromised hundreds of developer workflows, exposing password resets, MFA codes, and confidential data. This incident highlights critical vulnerabilities in the emerging MCP ecosystem and npm's ongoing supply chain security challenges.