Security researchers discovered a significant vulnerability in a Model Context Protocol (MCP) server that was exploited in the wild. Reports describe this as the first-ever instance of an MCP server being exploited in the wild, and it can lead to software supply chain risks.
The flaw exists in the npm package postmark-mcp, an MCP server that allows AI assistants to send emails via Postmark. The npm package was reportedly modified to secretly exfiltrate email contents by adding a blind copy (BCC) to an external domain.
The postmark-mcp library exposes an MCP server allowing users to send emails, access email templates, and track campaigns using artificial intelligence (AI) assistants. As per the reports, postmark-mcp has been downloaded 1,500 times weekly and integrated into hundreds of developer workflows.
Vulnerability Description
The flaw originates from postmark-mcp version 1.0.16, which was released on September 17, 2025. The new version was modified to include a hidden backdoor that adds a BCC to every outgoing email, sending a copy silently to an external address without the sender’s knowledge.
The malicious package is a replica of the legitimate library, with the only difference being a one-line modification. The modification automatically BCCs all emails sent through the MCP server to phan@giftshop[.]club, thereby putting sensitive communications at risk of exposure.
Indicators of Compromise (IOCs)
- The package name: postmark-mcp on npm
- Malicious versions: ≥ 1.0.16
- Exfiltration pattern: The BCC field points to ph**@******op.club or the domain giftshop.club
- The npm publisher account “phanpak” is noted to own multiple other packages (31 others), which could become a future risk.
Mitigation
The maintainer deleted the malicious package from npm. Users must uninstall the package from their workflows, reset any credentials that might have been exposed via email, and inspect email logs for BCC activity linked to the reported domain.
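One way to locate affected installs when following the mitigation steps above (an added example, not code from Qualys or the postmark-mcp project): the Node.js function below scans a parsed package-lock.json, in either the nested v1 layout or the flat v2/v3 layout, for postmark-mcp at version 1.0.16 or later. The sample lockfiles, the version 1.0.18 entry and the agent-kit package name are constructed for illustration.

```javascript
// Added example: flag postmark-mcp >= 1.0.16 in an npm lockfile (v1, v2 or v3).
const PKG = "postmark-mcp";
const FIRST_BAD = [1, 0, 16]; // first malicious version per the advisory
// "1.0.16" or "1.0.16-rc.1" -> [1, 0, 16]; null for git/URL/absent versions.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v || ""));
  return m ? m.slice(1, 4).map(Number) : null;
}

// True when version >= 1.0.16 (numeric compare, so 1.0.9 < 1.0.16).
function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return false;
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIRST_BAD[i]) return v[i] > FIRST_BAD[i];
  }
  return true;
}

// Returns [{ path, version }] for each affected copy, including nested ones.
function findAffected(lock) {
  const hits = [];
  const check = (name, path, meta) => {
    if (name === PKG && isAffected(meta.version)) hits.push({ path, version: meta.version });
  };
  // Lockfile v2/v3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    check(path.split("node_modules/").pop(), path, meta);
  }
  // Lockfile v1 only: nested "dependencies" tree (v2 duplicates it, so skip there).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      check(name, path, meta);
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits;
}

// Constructed sample lockfiles; "agent-kit" is a hypothetical dependency.
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo-app", version: "1.0.0" },
  "node_modules/postmark-mcp": { version: "1.0.16" },
  "node_modules/agent-kit/node_modules/postmark-mcp": { version: "1.0.15" } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "agent-kit": { version: "2.1.0", dependencies: { "postmark-mcp": { version: "1.0.18" } } } } };
console.log(findAffected(sampleV3), findAffected(sampleV1));
```

To scan a real project, pass `JSON.parse(fs.readFileSync("package-lock.json", "utf8"))` to `findAffected`; an empty result means no copy at 1.0.16 or later is pinned in that lockfile.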
Qualys Detection
Qualys customers can scan their devices with QID 5005590 to detect vulnerable assets.
Note: QID 5005590 is available via SwCA, which needs to be enabled.
Please continue to follow Qualys Threat Protection for more coverage of the latest vulnerabilities.
References
https://github.com/ActiveCampaign/postmark-mcp
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft
https://snyk.io/blog/malicious-mcp-server-on-npm-postmark-mcp-harvests-emails/