
Unofficial Postmark MCP npm Package Silently Stole Users’ Emails – Security Warning

johny899

Have you ever installed an npm package and simply trusted it? Many of us have, and this time that trust was misplaced. A malicious library called Postmark MCP was discovered stealing users' email addresses via a single line of hidden code.

What Happened?

The package was almost indistinguishable from the official Postmark MCP tool. It worked fine for 15 versions. But in version 1.0.16 the author inserted one line of code that routed every email address through a nefarious server at giftshop[.]club.

Emails can contain information such as:

  • Password reset links
  • Login codes (2FA)
  • Bank information
  • Private messages

So yes, this is a big deal.

How Many People Were Impacted?

The bad version was hosted online for approximately a week. During that time it reached around 1,500 downloads. This may not sound like many, but each download could plausibly have exposed thousands of emails.

Why Was This So Easy?

The fake package mirrored the real package's code and description, so it looked legitimate and raised no suspicion. And because MCP servers run with elevated access permissions, the impact of this attack was worse still.

What Should You Do?

If you installed this npm package:

  • Uninstall it immediately
  • Change the passwords and API keys you used with it
  • Monitor your servers for any unusual behavior
  • Perform a safe test of new npm packages before deploying them to production

My view

I'll be honest, I have used npm packages without verifying them before too. It is easy and convenient to do; however, it is also very dangerous. This incident showed how one line of code can lead to a disaster.

Final thought

This fake Postmark MCP npm package incident is a good reminder that you cannot trust npm packages blindly, no matter how legitimate they look. The next time you are about to run npm install, stop and ask: "Do I really know the true origin of this npm package?"