First Malicious MCP Server Discovered in Fake Postmark-MC NPM Package
The team at Koi Security has reported a discovery that could mark a turning point in cybersecurity: the detection of the first malicious Model Context Protocol (MCP) server in the wild.
The threat was hidden in an NPM package called postmark-mcp, disguised under the name of the legitimate Postmark Labs library.
What Happened?
According to Idan Dardikman, CTO of Koi Security, starting with version 1.0.16 the package began to forward copies of all emails to the attacker's personal server.
This is the first-ever global detection of a malicious MCP server in action. For Koi Security, it highlights a growing concern:
"The attack surface of supply chain endpoints is gradually becoming the largest threat area for enterprises."
Scope of the Attack
The package was uploaded by a developer under the alias "fanfanpak" on September 15, 2025. In just a few days, it had already surpassed 1,600 installations.
Following the publication of Koi Security's report, the library was removed from NPM. Still, the incident demonstrates how attackers are increasingly exploiting the software supply chain as an entry point.
Malicious use of MCP introduces several risks:
• Theft of sensitive data.
• Leakage of confidential information.
• Injection of additional malicious code into corporate processes.
Recommendations for Developers and Enterprises
Cybersecurity experts stress that MCP-based attacks are only beginning to emerge. They recommend:
• Always verifying the official source of packages.
• Carefully reviewing dependency updates.
• Implementing supply chain monitoring systems.
The takeaway is clear: as an emerging technology, MCP has already become an attractive target for attackers and requires heightened oversight.
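As an added example (not from Koi Security's report or from the original article), the following Node.js code checks a parsed package-lock.json for postmark-mcp and marks entries at or above 1.0.16, the version named above. The sample lockfile and the package names `example-mailer` and `agent-tools` are constructed for illustration.

```javascript
// Added example: find postmark-mcp in an npm lockfile and flag reported versions.
const PACKAGE = "postmark-mcp";   // package name from the article
const FIRST_BAD = [1, 0, 16];     // first version reported as forwarding email

// "1.0.16-beta+x" -> [1, 0, 16]; suffixes are ignored (conservative match).
function parseVersion(v) {
  const core = String(v).split(/[-+]/)[0].split(".").map((n) => parseInt(n, 10));
  while (core.length < 3) core.push(0);
  return core.map((n) => (Number.isNaN(n) ? 0 : n));
}

function atLeast(v, min) {
  const a = parseVersion(v);
  for (let i = 0; i < 3; i++) {
    if (a[i] !== min[i]) return a[i] > min[i];
  }
  return true;
}

// lock: the object obtained from JSON.parse() of package-lock.json.
function findPostmarkMcp(lock) {
  const hits = [];
  // lockfileVersion 2/3: keys look like "node_modules/a/node_modules/postmark-mcp".
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === PACKAGE && meta.version) hits.push({ path, version: meta.version });
  }
  // lockfileVersion 1: nested "dependencies" objects, including transitive ones.
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE && meta.version) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: atLeast(h.version, FIRST_BAD) }));
}

// Constructed sample lockfile (not taken from any real project).
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/example-mailer": { version: "2.3.1" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/agent-tools/node_modules/postmark-mcp": { version: "1.0.12" },
  },
};
console.log(findPostmarkMcp(sampleLock));
```

Entries with `affected: false` predate the reported behaviour but still come from the same publisher, so they warrant review as well.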