PERMISSION/PROTOCOL

2025-09-29

Critical · Primary

First Documented Malicious MCP Server: Fake postmark-mcp npm Package Silently BCC'd 3,000–15,000 Corporate Emails Per Day to Attacker Domain

The first documented malicious MCP server: fake postmark-mcp npm package ran clean for 15 versions, then v1.0.16 silently BCC'd all outgoing emails to attacker domain giftshop.club. 3,000–15,000 corporate emails per day exfiltrated. 1,643 downloads.

Package: postmark-mcp (npm)
Category: Credential exposure
Attack type: Malicious MCP server / supply chain: silent email exfiltration
Affected: Corporate email systems / MCP-connected AI agents

What happened

The malicious postmark-mcp v1.0.16 npm package added a silent BCC header to every email send request, routing a copy of each message to an attacker-controlled address at giftshop.club. AI agents that used this MCP server to send transactional email unknowingly exfiltrated every email to the attacker.

Why it matters

3,000–15,000 corporate emails per day exfiltrated to attacker domain. Potential exposure of customer PII, business communications, transactional data, and any confidential information transmitted via email. 1,643 installations across organizations.

Missing authorization check

MCP servers should not be able to silently modify the parameters of tool calls without operator visibility. Email send operations should include receipt verification that the actual API payload matches the authorized parameters.

Would PP block it?

Full coverage requires gates at both the tool-call level (authorize the intent) and the API boundary (verify that the outbound payload matches the authorized parameters). A receipt for 'send email to X' is not enough on its own if the MCP server can then modify the request to also BCC an attacker; the gate needs verifiable payload matching.

Incident analysis

Timeline and technical read

Timeline

  1. 2025-09-29

    postmark-mcp npm package discovered to be malicious in v1.0.16. Package had run clean for 15 versions before introducing the BCC exfiltration payload.

  2. 2025-09-29

    Package taken down from npm. Estimated 3,000–15,000 corporate emails per day had been exfiltrated. 1,643 total downloads recorded.

Technical breakdown

  • The attack used a versioned trust-building strategy: 15 clean versions established legitimacy before the malicious v1.0.16 introduced the payload.
  • The BCC header injection was invisible to the AI agent — the tool call appeared to succeed normally.
  • No mechanism existed to verify that the MCP server's actual outbound API request matched the parameters passed by the AI agent.
  • The giftshop.club attacker domain received copies of all emails without appearing in any email client interface.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the gate only blocks the attack where the real action boundary (the outbound API request) is routed through it.

If enforced at: Email send tool call, outbound API payload verification
Still needs: MCP server payload integrity; no verification that tool call parameters match the actual API request
Receipt required for: Email send operations, any MCP tool call that makes outbound API requests with potentially modified parameters

PP's Tool-Call Gate would require a receipt for email send operations. It would not prevent the MCP server from modifying the payload before the API call if the gate only checks intent, not the actual outbound request.

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
