Código HTML do Conteúdo
Post: Unofficial Postmark MCP npm silently stole users' emails - Against Invaders - Notícias de CyberSecurity para humanos.
<div>
<div>
<p>A npm package copyingthe official ‘postmark-mcp’ project on GitHub turned bad with the latest update that added a single line of code to exfiltrateall its users’ email communication.</p>
<p>Published by a legitimate-looking developer, the malicious package was a perfect replica of the authentic one in terms of code and description, appearing as an official port on npm for 15 iterations.</p>
<p>Model Context Protocol (MCP) is an open standard that allows AI assistants to interface with external tools, APIs, and databases in a structured, predefined, and secure manner.</p>
<p>Postmark is an email delivery platform, and Postmark MCP is the MCP server that exposes Postmark’s functionality to AI assistants, letting them send emails on behalf of the user or app.</p>
<p>As <a href="https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft" rel="nofollow noopener" target="_blank">discovered by Koi Security</a> researchers, the malicious package on npm was clean in all versions through1.0.15, but in the 1.0.16 release, it added a line that forwarded all user emails to an external address at giftshop[.]club linked to the same developer.</p>
<div>
<p><img decoding="async" alt="Line added on the package's code to BCC the publisher" height="512" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/bccline.jpg" width="900 /></div>
<p>This extremely risky functionality may have exposed personal sensitive communications, password reset requests, two-factor authentication codes, financial information, and even customer details.</p>
<p>The malicious version on npm was available for a week and recorded around 1,500 downloads. By Koi Security's estimations, the fake package might have exfiltrated thousands of emails from unsuspecting users.</p>
<p>For those who downloaded <em>postmark-mcp</em> from npm, it is recommended to remove it immediately and rotate any potentiallyexposed credentials. Also, audit all MCP servers in use and monitor them for suspicious activity.</p>
<p>BleepingComputer has contacted the npm package publisher to ask about Koi Security’s findings, but we received no reply. The following day, the developer removed the malicious package from npm.</p>
<div style="><br />
<img decoding="async" alt="The impersonator package on npm" height="600" src="https://datalake.azaeo.com/wp-content/uploads/2025/09/NPM.jpg" width="913 /></div>
<p>Koi Security’s report highlights a broken security model where servers are implemented in critical environments without oversight or sandboxing, and AI assistants executing malicious commands without filtering for malicious behavior.</p>
<p>Because MCPs run with very high privileges, any <a href=">vulnerability or <a href="https://www.bleepingcomputer.com/news/security/asana-warns-mcp-ai-feature-exposed-customer-data-to-other-orgs/" rel="nofollow noopener" target="_blank">misconfiguration</a>carries a significant risk.</p>
<p>Users should verify the source of the project and make sure it’s an official repository, review the source code and changelogs, and look carefully for changes in every update.</p>
<p>Before using a new version in production, run MCP servers in isolated containers or sandboxes and monitor their behavior for suspicious actions like data exfiltration or unauthorized communication.</p>
</div>
</div></div>