A malicious npm package masquerading as the official Postmark MCP Server has been exfiltrating user emails to an external server.
This fake “postmark-mcp” module, available on npm from versions 1.0.0 through 1.0.15, built trust over 15 incremental releases before dropping a backdoor in version 1.0.16.
The stealthy payload consisted of a single line of code that silently BCC’d every outbound email to the attacker’s domain.
Postmark-mcp BCC Email Exfiltration Attack
According to Postmark, the attacker published the “postmark-mcp” package under the guise of ActiveCampaign’s Postmark MCP Server library.
By aligning the naming, versioning, and package description with legitimate Postmark conventions, the malicious actor evaded cursory scrutiny.
Developers integrating MCP services via npm install postmark-mcp unknowingly pulled in a trojanized dependency. In version 1.0.16, a lone line inserted into the main transport script added unauthorized BCC functionality:
This code hooks into the existing Postmark client workflow, leveraging the addHeader method to duplicate outbound emails.
Because the malicious line is syntactically innocuous and embedded alongside legitimate header setup logic, it escaped notice in code reviews and automated security scans.
Thousands of email messages exchanged between developers and their customers were silently forwarded to the attacker’s server.
Although the legitimate Postmark API and official SDKs remain uncompromised, organizations relying on unverified third-party packages may have suffered unauthorized data leakage.
Postmark urges all users to immediately:
Uninstall “postmark-mcp” from your projects:
Examine SMTP logs and Postmark activity events for suspicious BCC operations or unexpected API calls.
Rotate any credentials or tokens transmitted during the compromise window to prevent further unauthorized access.
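The backdoor described above is hard to spot in code because a BCC header is a normal thing for mailer code to set; what is abnormal is a BCC recipient the application never asked for. The following is an added example (not code from the article, from Postmark, or from the impostor package) that audits email payloads in the shape the Postmark email API accepts (From, To, Cc, Bcc fields) for BCC recipients whose domain is outside an allowlist you control. The same function serves both purposes the article raises: run it on the JSON body just before it leaves the process to refuse sends carrying an undeclared BCC, and run it over message records exported from your logs as the incident response step above recommends. All sample records, addresses and domains below are constructed for illustration.

```javascript
'use strict';

// Split a comma-separated recipient field ("a@x.com, Name <b@y.com>") into
// bare lowercase addresses. Handles the "Name <addr>" form and empty fields.
function parseRecipients(field) {
  if (!field) return [];
  return String(field)
    .split(',')
    .map((s) => s.trim())
    .filter(Boolean)
    .map((s) => {
      const m = s.match(/<([^>]+)>/);
      return (m ? m[1] : s).trim().toLowerCase();
    });
}

// Domain part of an address, or '' when there is no '@' at all.
function domainOf(address) {
  const at = address.lastIndexOf('@');
  return at === -1 ? '' : address.slice(at + 1);
}

// Bcc addresses on the message whose domain is not in allowedDomains.
// An empty array means the message carries no undeclared Bcc.
function findUnexpectedBcc(message, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  return parseRecipients(message.Bcc).filter((addr) => !allowed.has(domainOf(addr)));
}

// Send-time guard: call on the payload right before it is POSTed to the mail
// API and refuse to send when an undeclared Bcc has been attached to it.
function assertNoUnexpectedBcc(message, allowedDomains) {
  const bad = findUnexpectedBcc(message, allowedDomains);
  if (bad.length) {
    throw new Error(`refusing to send: undeclared Bcc recipient(s) ${bad.join(', ')}`);
  }
  return message;
}

// Retrospective audit: scan a batch of message records (e.g. exported from
// SMTP or provider logs) and return only the suspicious ones with the
// offending addresses, so an analyst can size the exposure window.
function auditMessages(messages, allowedDomains) {
  const findings = [];
  for (const msg of messages) {
    const bad = findUnexpectedBcc(msg, allowedDomains);
    if (bad.length) {
      findings.push({ MessageID: msg.MessageID, To: msg.To, unexpectedBcc: bad });
    }
  }
  return findings;
}

// Constructed sample log records (hypothetical values, not real incident data).
const SAMPLE_LOG = [
  { MessageID: 'msg-001', From: 'noreply@example.com', To: 'alice@example.org', Bcc: '' },
  { MessageID: 'msg-002', From: 'noreply@example.com', To: 'bob@example.org', Bcc: 'audit@example.com' },
  { MessageID: 'msg-003', From: 'noreply@example.com', To: 'carol@example.org',
    Bcc: 'Archive <archive@example.com>, collector@attacker.invalid' },
];
// Only your own domain(s) should ever appear as a Bcc on transactional mail.
const ALLOWED_BCC_DOMAINS = ['example.com'];

// Stand-alone run: report which sample records carry an undeclared Bcc.
console.log(JSON.stringify(auditMessages(SAMPLE_LOG, ALLOWED_BCC_DOMAINS), null, 2));
```

Because the malicious line in this incident lived inside the dependency itself, a check placed in your own application code above that dependency would never see the extra recipient; the guard is only effective when it inspects the payload at the boundary the dependency cannot bypass, such as an outbound HTTP interceptor or the provider-side activity log.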
Postmark reaffirms that it has never published a “postmark-mcp” library on npm. The official packages and SDKs are listed in the Postmark documentation and GitHub repository.
Users can verify package authenticity by checking the postmark and postmark.js libraries maintained at github.com/ActiveCampaign/postmark and consulting the API docs on Postmark’s developer portal.
This incident highlights the critical importance of vetting third-party dependencies. Integrating only officially documented libraries ensures that your email infrastructure remains secure.