Date: 2025-09-25

A popular Model Context Protocol (MCP) server used to deploy AI agents has turned malicious in one of its latest updates, according to Koi Security.

This server, called Postmark MCP Server, has reached over 1500 weekly downloads on npm, a package manager for the JavaScript programming language, and has been integrated into hundreds of developer workflows.

MCP is an open standard which was introduced in November 2024 by Anthropic, the maker of several generative AI models and the AI chatbot Claude.

The MCP servers are used to manage and leverage contextual information within a model’s operation. One of the most popular use cases for MCP servers sees AI agents handle emails (e.g. sort and triage emails, find key information from received emails).



To do that, a software developer needs to install an MCP server and grant it access to their emails.

According to a Koi Security report, Postmark MCP Server was created by an independent software engineer from Paris, known on GitHub and npm as @phanpak.

The npm package created by @phanpak worked as an MCP implementation for Postmark email services.

However, the Koi Security report, published on September 25, claimed that while this server was doing what it claimed to be doing – and only that – for the first fifteen versions, suspicious behavior changes were introduced when the developer released version 1.0.16.

Since this version, Postmark MCP Server has been “quietly copying every email to the developer's personal server,” the Koi Security researchers argued.

This could be the first case of a malicious MCP server found in the wild, argued the researchers.

This malicious Postmark MCP server is distinct from another project with the same name, created by Jabal Torres, a technical marketing designer at Postmark.