mcp · 2025
postmark-mcp
A malicious version of an MCP server (postmark-mcp) was documented in the wild in September 2025. The compromised release silently BCC'd every outbound email to an attacker-controlled address.
What happened
In September 2025, researchers documented an actively malicious version of an MCP (Model Context Protocol) server named postmark-mcp in the wild. The MCP wrapped the Postmark transactional email API, giving AI agents a tool for sending mail. The compromised release added a silent BCC to an attacker-controlled address on every outbound send, exfiltrating the full content of any email the agent produced. Recovery links, invoices, customer PII, internal notifications.
Download counts on the compromised package were modest (roughly 1,500), and that is the wrong metric to lead with. The significance is the pattern: this is an in-the-wild MCP compromise, on a surface that most inventory tools do not currently walk. Anyone shipping agent workflows in production now has a live example of the failure mode.
How it propagated
The MCP server was installed by developers wiring Claude Desktop, Cursor,
Codex, or similar agent hosts against Postmark. Config lives in
.mcp.json, claude_desktop_config.json, or the equivalent per-tool file
inside the developer's home directory. Once configured, the MCP is loaded
on agent startup. No additional prompt, no user gesture. It inherits
whatever Postmark API scope the developer granted.
What Drig sees
The mcp collector walks known MCP config paths for Claude Desktop, Cursor,
Codex, Windsurf, and Continue, plus generic .mcp.json locations under
$HOME. It streams config path, MCP server name, and version pin.
Never the environment values, which the ingest schema explicitly rejects.
The signed catalog names the compromised versions of postmark-mcp;
retro-match flags exposed agent hosts in the console.
Rotation checklist
- Remove the flagged MCP entry from every
.mcp.jsonand equivalent config. - Rotate Postmark API tokens on every account the MCP could access.
- Audit
Sentmailboxes tied to those tokens for the BCC pattern during the exposure window. - Review any downstream identity systems for suspicious password-reset flows triggered against captured recovery links.
- Force IdP re-auth for the identities that owned the tokens.
MCP is a surface the EDR-adjacent tools do not currently walk. It is one of the reasons Sekeye's collector list runs to nine.