HTML Code of the Content

Post: One added line of code and thousands of companies hacked. This is the magic of the Supply Chain!


<div> <div data-element_type="widget" data-id="914a4f5" data-widget_type="shortcode.default"> <div> <div> <p><span><b><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">Redazione RHC</a>: 27 September 2025 08:50</b></span></p> <p>Developers learned to trust the tools that help their AI assistants handle routine tasks, from sending emails to using databases. But this trust proved vulnerable: <strong>the postmark-mcp package, downloaded over 1,500 times a week, has since version 1.0.16 silently forwarded copies of all emails to an external server owned by its author</strong>. Internal company correspondence, invoices, passwords, and confidential documents were at risk.</p> <p>The incident demonstrated for the first time that <strong>MCP servers can be used as a full-fledged conduit for supply chain attacks</strong>. Researchers at Koi Security <a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft" target="_blank">identified the issue</a> when their system detected a sudden change in package behavior.</p> <p>An investigation revealed that <strong>the developer had added a single line of code that automatically inserted a hidden BCC address and sent all messages to giftshop.club</strong>. Fifteen releases had previously worked flawlessly, and the tool had become part of the workflows of hundreds of organizations.</p> <p>The particular danger of the situation is underscored by the seemingly trustworthy nature of the author: <em>a public GitHub profile, real data, and projects with active histories</em>. For months, users had no reason to doubt its security. <strong>But the update turned a familiar tool into a leak mechanism</strong>.
A classic hijacking played a key role: <em>a clone of the Postmark repository was added to npm, differing only by a single line about forwarding.</em></p> <p>The extent of the damage is difficult to assess, but estimates suggest that <strong>hundreds of organizations were unknowingly sending thousands of emails a day to an external server.</strong> No exploits or sophisticated techniques were used: <em>the administrators themselves granted full access to the AI assistants and allowed the new server to operate without restrictions.</em></p> <p><strong>MCP tools have &ldquo;god-mode&rdquo; permissions: they can send emails, connect to databases, execute commands, and send API requests</strong>. However, they are not subject to security checks or vendor verification and are not included in the asset inventory. These modules remain invisible to corporate security.</p> <p>This incident highlighted a fundamental flaw in the MCP architecture. Unlike regular packages, these are specifically designed for autonomous use by AI assistants. Machines are unable to recognize malicious code: to them, sending an email with an additional address appears to be a successful command execution. Therefore, a simple backdoor remains undetected and active until discovered.</p> <p><strong>Koi specialists recommend removing postmark-mcp version 1.0.16 and later,</strong> changing any credentials sent via email, and carefully checking logs for forwarding to giftshop.club. Furthermore, the company recommends <strong>reconsidering the use of MCP servers in general:</strong> <em>without independent verification, these tools become a primary attack vector for businesses.</em></p> <p>Indicators of compromise include the postmark-mcp package version 1.0.16 or later, the phan@giftshop[.]club address, and the giftshop[.]club domain.
Verification is possible by analyzing email headers for hidden BCCs, reviewing MCP configurations, and checking npm installations.</p> <div> <div> <div> <div> <p><b><span>Redazione</span></b><br /><span>The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.</span></p> <p><a href="https://www.redhotcyber.com/post/author/redazione/" target="_blank">List of articles</a></p> </div> </div> </div> </div> </div> </div> </div></div>
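
<p>The checks listed above (npm installations, MCP configurations, logs mentioning giftshop.club), sketched as an added example that is not code from the article or from Koi Security. The function names are hypothetical, the <code>mcpServers</code> configuration layout is an assumption about the MCP client in use, and the sample inputs are constructed.</p>

```javascript
// Added example: offline audit helpers for the article's indicators of compromise.
const PKG = "postmark-mcp";
const FIRST_BAD = [1, 0, 16]; // article: version 1.0.16 and later
const IOC_DOMAIN = /(^|[^a-z0-9-])giftshop\.club\b/i; // article: giftshop[.]club
// True for 1.0.16+, and for anything that is not an exact x.y.z (unpinned: needs review).
function isAffectedVersion(spec) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(spec));
  if (!m) return true;
  const v = m.slice(1, 4).map(Number);
  for (let i = 0; i < 3; i++) if (v[i] !== FIRST_BAD[i]) return v[i] > FIRST_BAD[i];
  return true;
}

// package-lock.json: v2/v3 use a flat "packages" map, v1 a nested "dependencies" tree.
function scanLockfile(lock) {
  const hits = [];
  if (lock.packages) {
    for (const [path, meta] of Object.entries(lock.packages))
      if (path.endsWith("node_modules/" + PKG) && isAffectedVersion(meta.version))
        hits.push({ path, version: meta.version });
    return hits;
  }
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      if (name === PKG && isAffectedVersion(meta.version))
        hits.push({ path: trail + name, version: meta.version });
      walk(meta.dependencies, trail + name + " > ");
    }
  };
  walk(lock.dependencies, "");
  return hits;
}

// MCP client config; assumes the common {"mcpServers": {name: {command, args}}} layout.
function scanMcpConfig(cfg) {
  const hits = [];
  for (const [server, def] of Object.entries(cfg.mcpServers || {}))
    for (const word of [def.command, ...(def.args || [])]) {
      const m = /(?:^|\/)postmark-mcp(?:@([^\/]+))?(?:\/|$)/.exec(String(word));
      if (m && isAffectedVersion(m[1])) hits.push({ server, spec: word });
    }
  return hits;
}
// Mail or proxy log lines that mention the forwarding domain or an address on it.
const scanLogLines = (lines) => lines.filter((l) => IOC_DOMAIN.test(l));
// Constructed sample inputs (not real data).
const sampleLock = { packages: { "node_modules/postmark-mcp": { version: "1.0.16" } } };
const sampleLog = ["to=<cfo@example.com> bcc=<phan@giftshop.club> status=sent"];
console.log(scanLockfile(sampleLock), scanLogLines(sampleLog));
```

<p>An MCP entry that launches the package without an exact version is reported as well, since an unpinned install resolves to the newest release.</p>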