
Critical Vulnerability: Malicious AI Agent Server Compromises User Emails

TLDR: A widely used AI agent server, Postmark MCP Server, has been found to contain malicious code in versions 1.0.16 and later, secretly exfiltrating user emails to the developer’s personal server. The vulnerability, identified by Koi Security, highlights a systemic flaw in the Model Context Protocol (MCP) ecosystem, potentially affecting hundreds of organizations and thousands of emails daily.

Infosecurity Magazine reported on September 25, 2025, a significant cybersecurity threat involving a popular AI agent server, the Postmark MCP Server, which has been implicated in stealing user emails. According to a report by Koi Security, versions 1.0.16 and later of the server, developed by an independent software engineer known as @phanpak from Paris, contain malicious code that ‘quietly copies every email to the developer’s personal server.’

The Postmark MCP Server, an implementation for Postmark email services, has seen considerable adoption, with over 1,500 weekly downloads on npm, a prominent package manager for JavaScript. It has been integrated into hundreds of developer workflows, making the potential impact widespread. Koi Security estimates that approximately 300 organizations may have been affected, with an alarming 3,000 to 15,000 emails potentially being sent to the malicious developer’s server every day.

The Model Context Protocol (MCP), an open standard introduced by Anthropic in November 2024, is designed to manage and leverage contextual information for AI agents, often used for tasks like email sorting and triaging. Developers grant these MCP servers access to their emails, a critical trust point that was exploited in this incident.

Researchers warn that this could be the ‘first case of a malicious MCP server found in the wild,’ underscoring a broader systemic vulnerability within the MCP ecosystem. They argue that the lack of a built-in security model allows malicious behavior to persist undetected for extended periods, as organizations often grant powerful, automated access to tools from unverified developers.


Users of Postmark MCP Server version 1.0.16 or later are strongly advised to ‘remove it immediately and rotate any credentials that may have been exposed through email,’ as recommended by researcher Dardikman. Infosecurity Magazine attempted to contact @phanpak for comment but received no response.
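To act on that advice across many repositories, the following added example (not code from Koi Security, Infosecurity Magazine or the package author) scans a parsed `package-lock.json` for the affected package at version 1.0.16 or later. The npm name `postmark-mcp` is an assumption, since the article gives only "Postmark MCP Server"; the sample lockfile is constructed.

```javascript
const PACKAGE_NAME = "postmark-mcp"; // assumption: npm name, not stated in the article
const FIRST_BAD = [1, 0, 16];        // from the article: 1.0.16 and later are affected

// Parse "1.0.16" (or "1.0.16-beta.1") into [major, minor, patch]; null if malformed.
function parseVersion(v) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

function isAffected(version) {
  const v = parseVersion(version);
  if (!v) return true; // git/tarball spec or missing version: flag for manual review
  for (let i = 0; i < 3; i++) {
    if (v[i] !== FIRST_BAD[i]) return v[i] > FIRST_BAD[i];
  }
  return true; // exactly 1.0.16
}

// Handles both lockfile layouts: flat "packages" (lockfileVersion 2/3, keyed by
// install path) and nested "dependencies" (lockfileVersion 1).
function findAffected(lock, name = PACKAGE_NAME) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    // Keys look like "node_modules/a/node_modules/<name>", so transitive copies match too.
    if (path.split("node_modules/").pop() === name && isAffected(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  const walk = (deps, trail) => {
    for (const [dep, meta] of Object.entries(deps || {})) {
      const path = `${trail}/${dep}`;
      if (dep === name && isAffected(meta.version)) hits.push({ path, version: meta.version });
      walk(meta.dependencies, path);
    }
  };
  if (!lock.packages) walk(lock.dependencies, ""); // v2 files carry both; avoid duplicates
  return hits;
}

// Constructed sample lockfile, for illustration only.
const SAMPLE_LOCK = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-agent", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.17" },
    "node_modules/tool/node_modules/postmark-mcp": { version: "1.0.15" },
  },
};
console.log(findAffected(SAMPLE_LOCK)); // one hit: the 1.0.17 install
```

A hit means the package should be removed and any credentials that passed through email rotated, as the article advises; a clean lockfile does not cover globally installed copies or `npx` runs.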

Ananya Rao
Ananya Rao is a tech journalist with a passion for dissecting the fast-moving world of Generative AI. With a background in computer science and a sharp editorial eye, she connects the dots between policy, innovation, and business. Ananya excels in real-time reporting and specializes in uncovering how startups and enterprises in India are navigating the GenAI boom. She brings urgency and clarity to every breaking news piece she writes.
