Fake Postmark MCP Server Supply Chain Attack

Key Takeaways

• Malicious MCP server impersonated a trusted email provider
• Server silently copied outbound emails using hidden BCC behavior
• Incident involved confirmed data exfiltration
• Attack targeted AI-assisted workflows using MCP integrations
• Package was removed after discovery

Malicious MCP Server Silently Copied Emails

A malicious MCP server impersonating Postmark was used to intercept and copy outbound emails generated by AI-assisted workflows. By posing as a legitimate email service integration, the attacker was able to silently BCC messages to an external address, resulting in confirmed data exfiltration. The incident represents a real-world AI supply chain attack that abused trust in MCP-based integrations.

Source: BleepingComputer

What We Know

The incident was reported on September 25, 2025 following investigation into suspicious behavior associated with an MCP server advertised as a Postmark integration. According to reporting, the malicious server was distributed through a public repository and presented itself as a legitimate MCP-compatible service.

Once deployed, the server intercepted outbound emails sent through AI-assisted workflows and silently copied message content and metadata by adding hidden BCC recipients. Users were not notified of this behavior, and no authentication warnings were raised during integration.

The malicious MCP server was removed after discovery. Reporting confirms that real email data was exfiltrated, distinguishing this incident from purely theoretical vulnerabilities.

Source: BleepingComputer

How the Breach Happened

This incident occurred due to implicit trust in third-party MCP servers used within AI workflows. The malicious server exploited the expectation that MCP integrations behave as advertised and do not manipulate message content or routing.

By impersonating a trusted email service, the attacker inserted malicious logic that modified outgoing messages at runtime. Because the server operated within normal MCP communication patterns, the exfiltration was difficult to detect without inspecting outbound email headers or logs.

The breach highlights how AI workflows that rely on external MCP servers inherit supply chain risks similar to traditional SaaS integrations, but with less visibility and fewer safeguards.

Why It Matters

Email content often includes sensitive business data, personal information, and transactional records. Silent interception of outbound emails represents a serious privacy and compliance risk.

Because the incident involved confirmed data exfiltration, the business impact extends beyond potential risk into actual harm. Organizations using AI-assisted email workflows may have unknowingly leaked sensitive communications.

This incident demonstrates that AI supply chain attacks are not limited to code execution. Data theft through trusted AI integrations is an equally serious threat that requires dedicated controls.

PointGuard AI Perspective

This incident underscores the importance of visibility and control across AI integration points.

PointGuard AI helps organizations monitor AI-driven workflows and integrations, including how data is sent to external services. This visibility enables detection of unexpected data flows or anomalous behavior, such as silent duplication of outbound messages.

By enforcing policy-based controls on which services AI workflows are allowed to interact with, PointGuard AI reduces the risk of malicious or impersonated integrations being introduced.

Through continuous tracking of AI security incidents, PointGuard AI helps organizations identify emerging supply chain threats and strengthen trust in AI-enabled systems.

Source: AI Runtime Defense
Source: AI Supply Chain Security
Source: AI Security Incident Tracker

Incident Scorecard Details

Total AISSI Score: 8.2/10

Criticality = 8.5, Silent interception of sensitive communications, AISSI weighting: 25%
Propagation = 8.0, Distributed through public MCP integration channels, AISSI weighting: 20%
Exploitability = 7.5, Minimal user awareness required, AISSI weighting: 15%
Supply Chain = 8.5, Compromised trusted AI integration, AISSI weighting: 15%
Business Impact = 8.5, Confirmed data exfiltration and privacy exposure, AISSI weighting: 25%

Sources

• BleepingComputer, “Unofficial Postmark MCP npm silently stole users’ emails”
• The Register, “Postmark MCP impersonation led to silent email theft”