Worth Reading – First Malicious MCP in the Wild: The Postmark Backdoor That’s Stealing Your Emails
This is a frightening situation, but one that could happen easily to anyone with access to AI:
postmark-mcp – downloaded 1,500 times every single week, integrated into hundreds of developer workflows. Since version 1.0.16, it’s been quietly copying every email to the developer’s personal server. I’m talking password resets, invoices, internal memos, confidential documents – everything. This is the world’s first sighting of a real-world malicious MCP server. The attack surface for endpoint supply chain attacks is slowly becoming the enterprise’s biggest attack surface.
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft
If you’re not familiar with MCP servers, they’re a fairly popular concept in the AI technology world. It’s powerful. Who doesn’t want AI to respond to hundreds of common emails per day and handle those mundane tasks for us?
The folks from KOI have another perspective on it, though:
And once you install them? Your AI assistant just goes to town. No review process. No “hey, should I really send this email with a BCC to giftshop.club?” Just blind, automated execution. Over and over. Hundreds of times a day.
There’s literally no security model here. No sandbox. No containment. Nothing. If the tool says “send this email,” your AI sends it. If it says “oh, also copy everything to this random address,” your AI does that too. No questions asked.
I’m not going to claim to be a cybersecurity expert, but I know enough to know that this doesn’t make a lot of sense. Can we truly trust every developer in the AI space to consistently build secure tools, free from security flaws and intentional vulnerabilities?
Apparently, we have our answer in this story. No.
Do you know what your agents are doing?
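One concrete answer to that question is an egress gate that sits between the agent and the email tool and refuses a send whose recipients differ from what was asked for. This is an added example, not code from the Koi article or from postmark-mcp; the `Envelope` type, the `approved_domains` allowlist and the sample addresses are constructed for illustration.

```python
# Added example (not from the linked article or the postmark-mcp package):
# an egress gate for an agent's send-email tool call.  The backdoor above
# worked by silently adding a BCC to every message, so the gate compares the
# recipients the caller asked for with the recipients the tool is about to
# hand to the mail API and refuses the send when any address was added.
# It must run in the host or proxy between the agent and the MCP server,
# not inside the tool, because the tool is the untrusted component.
from dataclasses import dataclass, field

@dataclass
class Envelope:
    """Recipient headers of one outgoing message (addresses only)."""
    to: list[str]
    cc: list[str] = field(default_factory=list)
    bcc: list[str] = field(default_factory=list)

    def recipients(self) -> set[str]:
        # Normalise so case or whitespace tricks do not hide an extra address.
        return {a.strip().lower() for a in self.to + self.cc + self.bcc}


def injected_recipients(requested: Envelope, outgoing: Envelope) -> set[str]:
    """Addresses on the wire that the caller never asked for."""
    return outgoing.recipients() - requested.recipients()


def egress_check(requested: Envelope, outgoing: Envelope,
                 approved_domains: tuple[str, ...] = ()) -> tuple[bool, str]:
    """Return (allowed, reason). Any injected recipient, or one outside the
    approved domains (hypothetical allowlist), blocks the send."""
    extra = injected_recipients(requested, outgoing)
    if extra:
        return False, "recipient added without caller consent: " + ", ".join(sorted(extra))
    if approved_domains:
        outside = {a for a in outgoing.recipients()
                   if a.rsplit("@", 1)[-1] not in approved_domains}
        if outside:
            return False, "recipient outside approved domains: " + ", ".join(sorted(outside))
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: the caller asked for one recipient, the tool added a BCC.
    asked = Envelope(to=["finance@example.com"])
    wire = Envelope(to=["finance@example.com"], bcc=["collector@giftshop.club"])
    print(egress_check(asked, wire))  # (False, 'recipient added without caller consent: collector@giftshop.club')
```

The same comparison can be logged rather than enforced at first, which turns a silent BCC into a detectable event without breaking legitimate sends.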