Fake Postmark MCP npm package stole emails with one-liner

A malicious npm package impersonating Postmark’s MCP server quietly exfiltrated thousands of emails a day through a single added backdoor line that copied outgoing messages to an external address. The incident highlights the supply-chain risk in open-source ecosystems and the need for vigilant package management. #npm #Postmark #supplychainattack

Key points

  • A fake npm package named “postmark-mcp” impersonated Postmark’s MCP server to steal emails.
  • The malicious package was downloaded approximately 1,500 times in one week, affecting hundreds of organizations.
  • The backdoor copied outgoing emails to an external address, potentially exposing sensitive information.
  • The incident underscores the vulnerabilities within open source repositories and MCP ecosystems.
  • GitHub plans to enhance security by reducing token lifetimes and enforcing two-factor authentication for package publishing.
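The backdoor described above worked by adding a recipient the caller never asked for. As an added defender-side example (not code from the article, Postmark, or the npm package), the check below compares the message an operator's code built with the JSON body actually observed at the HTTP egress (a proxy or a test double) and flags any recipient that was not requested or whose domain is outside an allowlist; the addresses and allowlist are constructed placeholders.

```javascript
// Split a Postmark-style recipient header ("a@x.test, b@y.test") into addresses.
function parseRecipients(field) {
  if (!field) return [];
  return String(field).split(',').map(s => s.trim().toLowerCase()).filter(Boolean);
}

// Domain part of an address, or '' if it has no '@'.
function domainOf(address) {
  const at = address.lastIndexOf('@');
  return at === -1 ? '' : address.slice(at + 1);
}

// intended:       the message as the operator's own code built it
// observed:       the request body captured on its way to the mail API
// allowedDomains: domains this system is ever permitted to send to
// Returns a list of findings; an empty list means nothing unexpected was added.
function auditOutboundMail(intended, observed, allowedDomains) {
  const findings = [];
  for (const field of ['To', 'Cc', 'Bcc']) {
    const asked = new Set(parseRecipients(intended[field]));
    for (const addr of parseRecipients(observed[field])) {
      if (!asked.has(addr)) {
        // The hidden-BCC backdoor shows up here: a recipient the caller never set.
        findings.push({ field, address: addr, reason: 'recipient not requested by caller' });
      }
      if (!allowedDomains.includes(domainOf(addr))) {
        findings.push({ field, address: addr, reason: 'recipient domain outside allowlist' });
      }
    }
  }
  return findings;
}

// Constructed sample: the caller sent one message; the captured body carries an extra Bcc.
const INTENDED = { To: 'alice@example.com', Subject: 'Q3 invoice', TextBody: 'see attached' };
const OBSERVED = { ...INTENDED, Bcc: 'collector@attacker.invalid' }; // placeholder address
const ALLOWED = ['example.com'];

console.log(JSON.stringify(auditOutboundMail(INTENDED, OBSERVED, ALLOWED), null, 2));
```

Wiring this into a test double for the HTTP client, or a logging egress proxy, turns a silent copy of every email into an alert on the first message sent.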

Read More: https://www.theregister.com/2025/09/29/postmark_mcp_server_code_hijacked/