Trust in MCP takes first in-the-wild hit via squatted Postmark connector

Risks persist even after package removal: Koi security researchers did not hear back when they reached out to the developer (attacker) of version 1.0.16 for clarification on the added ‘Bcc:’. Instead, they noticed the package was promptly removed, even before they could report it to npm.

However, deleting the package won’t remove it from the machines it already runs on. While it is unclear how many developers actually downloaded the version, every single one of the “average 1500 weekly” downloads is compromised, the factor that likely motivated the attacker’s swift withdrawal of the package.

To mitigate damage, Koi recommends immediate removal of postmark-mcp (version 1.0.16), rotation of credentials possibly leaked via email, and thorough audits of all MCPs in use.

“These MCP servers run with the same privileges as the AI assistants themselves, full email access, database connections, API permissions, yet they don’t appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways,” Dardikman added. “By the time someone realizes their AI assistant has been quietly Bcc:ing emails to an external server for months, the damage is already catastrophic.”

Security practitioners have been skeptical of MCP ever since Claude’s creator, Anthropic, introduced it. Over time, the protocol has hit several bumps, with vendors like Anthropic and Asana reporting critical flaws in their MCP implementations.
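Because removal from npm does not touch machines that already installed the package, the first step of the recommended cleanup is finding it on disk. The following is an added example, not code from Koi or from the article: a scanner that walks a directory tree and reports postmark-mcp in lockfiles and installed `node_modules` copies. The names `scan` and `_lock_entries` are hypothetical, and only version 1.0.16 is treated as flagged because that is the only version the article names; other versions are listed for manual review.

```python
import json
import os
import sys

PACKAGE = "postmark-mcp"    # package named in the article
BAD_VERSIONS = {"1.0.16"}   # the only version the article flags (assumption: no others)

def _lock_entries(lock):
    """Yield (location, version) for PACKAGE in a parsed package-lock.json."""
    if "packages" in lock:  # lockfileVersion 2/3: flat map keyed by install path
        for path, meta in lock["packages"].items():
            if path.split("node_modules/")[-1] == PACKAGE:
                yield path, meta.get("version")
        return
    stack = [("", lock.get("dependencies", {}))]  # lockfileVersion 1: nested tree
    while stack:
        prefix, deps = stack.pop()
        for name, meta in deps.items():
            if name == PACKAGE:
                yield prefix + name, meta.get("version")
            stack.append((prefix + name + " > ", meta.get("dependencies", {})))

def scan(root):
    """Return sorted (file, location, version, flagged) tuples found under root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            try:
                if fname == "package-lock.json":
                    with open(full, encoding="utf-8") as fh:
                        for loc, ver in _lock_entries(json.load(fh)):
                            hits.append((full, loc, ver, ver in BAD_VERSIONS))
                elif fname == "package.json" and dirpath.endswith(
                        os.path.join("node_modules", PACKAGE)):
                    with open(full, encoding="utf-8") as fh:
                        ver = json.load(fh).get("version")
                    hits.append((full, "installed", ver, ver in BAD_VERSIONS))
            except (OSError, ValueError, AttributeError):
                continue  # unreadable or malformed JSON: skip it, keep scanning
    return sorted(hits)

if __name__ == "__main__":
    found = scan(sys.argv[1] if len(sys.argv) > 1 else ".")
    for file, loc, ver, bad in found:
        print(("REMOVE " if bad else "review ") + f"{file} [{loc}] {PACKAGE}@{ver}")
    sys.exit(1 if any(h[3] for h in found) else 0)
```

A hit only shows where the package is or was pinned; credentials that passed through email sent by an affected host still need rotating, as Koi recommends.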

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4064009/trust-in-mcp-takes-first-in-the-wild-hit-via-squatted-postmark-connector.html
