TL;DR

The npm package postmark-mcp — an unofficial MCP server for the Postmark email service — was modified in v1.0.16 (published 2025-09-17) to silently BCC every outgoing email to phan@giftshop[.]club. Versions 1.0.0–1.0.15 were clean: the attacker built trust for months before injecting the backdoor. This is the first publicly-known malicious MCP server. ~1,643 downloads before removal.

What happened

The author published 15 clean, functional versions of postmark-mcp impersonating the official Postmark Labs MCP library. AI assistants installed it, sent emails through it for months, and saw correct behavior. Adoption grew.

In v1.0.16, the attacker added one line of code: a hidden BCC field on every outgoing email pointing to an attacker-controlled inbox.

Because MCP servers typically operate with broad permissions and act on behalf of an AI assistant, the exfiltrated emails included password resets, invoices, internal memos, and other high-value content.

Am I affected?

# Did you install postmark-mcp from npm?
npm ls -g postmark-mcp
npm ls postmark-mcp --all

# Check your MCP config files for it
grep -r "postmark-mcp" ~/.config/claude/ ~/.cursor/ ~/.codeium/ 2>/dev/null
grep -r "postmark-mcp" ~/Library/Application\ Support/Claude/ 2>/dev/null

If postmark-mcp appears in any MCP config, check whether you sent emails through it after 2025-09-17.

If you are affected

playbooks/if-an-mcp-server-was-malicious.md 1. Uninstall postmark-mcp from every machine and MCP config. 2. Rotate every credential that has ever been sent via email through this MCP (password reset links, API key delivery emails, etc.). 3. Audit your Postmark "sent" logs for BCC traffic to phan@giftshop[.]club or anything else suspicious. 4. Use only the official Postmark MCP from postmarkapp.com going forward.

Prevention

prevention/mcp-hygiene.md — vet every MCP before installing

The general lesson: an MCP server is arbitrary code running with the AI's privileges. Treat MCP installs with at least as much scrutiny as npm install -g. Prefer official MCPs from the vendor; for community MCPs, read the source, check author reputation, and pin a specific commit.

Sources