Single Malicious Line in Typosquatted npm Package Hijacked Thousands of Postmark Emails Daily
A sophisticated supply chain attack leveraging npm typosquatting compromised Postmark's Model Context Protocol (MCP) ecosystem, enabling the theft of thousands of sensitive emails daily through a single malicious line of code. Security researchers at Koi Security discovered that the counterfeit 'postmark-mcp' package (downloaded approximately 1,500 times weekly) contained a backdoor that silently BCC'd all outgoing messages to an attacker-controlled address, phan@giftshop[.]club.
The Attack Mechanics
According to Postmark's security advisory, the attacker:
1. Cloned the legitimate Postmark MCP server from GitHub
2. Published it to npm under the deceptive "postmark-mcp" name
3. Built credibility through 15 benign versions
4. Inserted a single malicious line in version 1.0.16 that copied all emails
"We're handing god-mode permissions to tools built by people we don't know, can't verify, and have no reason to trust," warned Koi Security CTO Idan Dardikman. "These aren't just npm packages—they're direct pipelines into our most sensitive operations."
Scale and Impact
- 300+ organizations likely compromised
- 3,000-15,000 emails stolen daily
- Data exposed included password resets, MFA codes, financial details, and confidential business documents
- Victims included high-profile Postmark customers like 1Password, Asana, and Minecraft
The attack exploited Postmark's MCP protocol—an open standard allowing AI systems to connect to external tools. As Dardikman noted: "The developer didn't hack anything... We literally handed him the keys."
Broader Ecosystem Vulnerabilities
This incident underscores three critical security challenges:
1. MCP Protocol Risks: Emerging AI infrastructure protocols create new attack surfaces
2. npm Supply Chain Weaknesses: Typosquatting remains devastatingly effective
3. Automation Blindspots: AI systems execute malicious code without question
The attack follows multiple recent npm compromises, including phishing attacks on maintainers and secret-stealing malware campaigns. In response, GitHub (npm's owner) announced tightened security measures:
// Example of GitHub's new security measures
{
  "tokenLifetimes": "shortened",
  "publishingDefaults": "2FA-enforced"
}
Critical Takeaways for Developers
- Audit dependencies for typosquatting risks using tools like npm audit
- Implement strict allowlisting for MCP-enabled AI workflows
- Rotate credentials immediately when supply chain compromises occur
- Prefer verified repositories over public package managers for sensitive operations
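The strict allowlisting recommended above, as an added example (not code from Postmark, Koi Security or the original article): a Node.js check that compares a package-lock.json against packages pinned to one reviewed version and integrity hash, so that an update such as the one that delivered version 1.0.16 is flagged instead of installed silently. The allowlist, the lockfile fragment, the hash strings, the pinned version 1.0.15 and every package name other than postmark-mcp are constructed placeholders.

```javascript
// Constructed allowlist: each approved package is pinned to ONE reviewed
// version plus its integrity hash (placeholder strings, not real hashes).
const ALLOWLIST = {
  'postmark-mcp': { version: '1.0.15', integrity: 'sha512-REVIEWED-PLACEHOLDER' },
  'example-http-client': { version: '3.2.1', integrity: 'sha512-HTTP-PLACEHOLDER' },
};

// Constructed package-lock.json fragment (lockfileVersion 3 layout).
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    '': { name: 'ai-email-agent', version: '0.1.0' },
    'node_modules/postmark-mcp':
      { version: '1.0.16', integrity: 'sha512-CHANGED-PLACEHOLDER' },
    'node_modules/example-http-client':
      { version: '3.2.1', integrity: 'sha512-HTTP-PLACEHOLDER' },
    'node_modules/postmark-mcp/node_modules/left-helper':
      { version: '0.0.1', integrity: 'sha512-HELPER-PLACEHOLDER' },
  },
};

// Returns one finding per installed package that is not exactly what was reviewed.
function auditLockfile(lock, allowlist) {
  const marker = 'node_modules/';
  const findings = [];
  for (const [path, entry] of Object.entries(lock.packages || {})) {
    if (path === '') continue; // root project entry, not a dependency
    // Nested installs look like node_modules/a/node_modules/b: keep the last name.
    const name = path.slice(path.lastIndexOf(marker) + marker.length);
    const pinned = Object.prototype.hasOwnProperty.call(allowlist, name);
    const pin = pinned ? allowlist[name] : null;
    let reason = null;
    if (!pin) reason = 'not-allowlisted';
    else if (entry.version !== pin.version) reason = 'version-drift';
    else if (entry.integrity !== pin.integrity) reason = 'integrity-mismatch';
    if (reason) findings.push({ name, version: entry.version, reason });
  }
  return findings;
}

// Print findings for the sample; a CI job would fail the build if any exist.
for (const f of auditLockfile(SAMPLE_LOCK, ALLOWLIST)) {
  console.log(`${f.reason}: ${f.name}@${f.version}`);
}
```

An allowlist keyed on package name alone would have passed 1.0.16, because the name never changed; the exact-version and integrity pins are what surface the update for review.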
As AI infrastructure increasingly automates business-critical functions, this attack serves as a stark reminder that convenience and security remain perilously unbalanced in emerging ecosystems. The silent exfiltration of thousands of emails through one line of code demonstrates how minimal effort can yield maximal damage in today's interconnected development environments.
Source: The Register & Koi Security Research