A malicious npm package disguised as the official Postmark MCP Server has been exfiltrating users’ emails to an external server. The impostor “postmark-mcp” module built trust across versions 1.0.0 to 1.0.15 before a backdoor was inserted in version 1.0.16. The hidden payload silently BCC’d every outgoing email to the attacker’s domain. By mimicking Postmark’s naming and conventions, the attacker evaded detection, and developers unknowingly installed a trojanized dependency.
Postmark stresses that its legitimate API and SDKs are unaffected and urges users to uninstall “postmark-mcp” immediately, review SMTP logs for suspicious activity, and rotate any exposed credentials. The incident underscores the need to rigorously vet third-party packages that touch email infrastructure. For verified resources, consult the official Postmark documentation and GitHub repository.
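As an added illustration, not code from the article or from Postmark, the following Node.js script applies the two checks the article recommends: it walks a package-lock.json (v2/v3 format) for an installed postmark-mcp at a backdoored version and flags outgoing-mail records whose Bcc points at an untrusted domain, the symptom the backdoor produced. It assumes 1.0.16 and later are backdoored (the article names only 1.0.16), and the lockfile, mail records and the domain attacker.example are constructed placeholders.

```javascript
// Added example (not from the article or Postmark): flag the trojanized
// "postmark-mcp" npm package in a package-lock.json and catch the backdoor's
// symptom, an unexpected Bcc on outgoing mail. All sample data is constructed.
const MALICIOUS_PKG = "postmark-mcp";
const FIRST_BAD_VERSION = "1.0.16"; // first backdoored release per the article
// Numeric dotted-version compare: <0 if a < b, 0 if equal, >0 if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Walk the "packages" map of a v2/v3 lockfile (keys are install paths such as
// "node_modules/a/node_modules/postmark-mcp") and return backdoored installs.
function findBackdooredInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name === MALICIOUS_PKG && meta.version &&
        compareVersions(meta.version, FIRST_BAD_VERSION) >= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}
// Return outgoing-mail records with a Bcc recipient outside trusted domains.
function findSuspiciousBcc(records, trustedDomains) {
  const trusted = new Set(trustedDomains.map((d) => d.toLowerCase()));
  const domainOf = (addr) => addr.split("@").pop().toLowerCase();
  return records.filter((r) => (r.bcc || []).some((a) => !trusted.has(domainOf(a))));
}

// Constructed samples; "attacker.example" is a placeholder, not a real indicator.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mail-tool" },
    "node_modules/postmark": { version: "4.0.5" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
  },
};
const sampleMail = [
  { id: 1, to: ["alice@corp.example"], bcc: [] },
  { id: 2, to: ["bob@corp.example"], bcc: ["audit@corp.example", "x@attacker.example"] },
];
console.log(findBackdooredInstalls(sampleLock), findSuspiciousBcc(sampleMail, ["corp.example"]).map((r) => r.id));
```

In practice, point the lockfile walker at your real package-lock.json and the Bcc check at your provider’s send logs, using your own sending domains as the trusted set.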