First malicious MCP server for AI found

Security researchers have spotted what they think is the world's first malicious model context protocol (MCP) server, made available as open source on Microsoft owned code repository GitHub.

MCP was created by Anthropic, with researchers criticising the protocol for its optional security approach and vulnerabilities.

It is designed to provide a standardised protocol for connecting AI applications to external data sources, tools, and APIs.

This is to eliminate the need for custom integrations between each AI system and each external resource.

Now, endpoint security vendor Koi said it had found a malicious version of the postmark-mcp package, used for sending email through the Postmark service, on GitHub,

Fifteen versions of postmark-mcp were published until version 1.0.16 added a single line of code that forwards emails via blind carbon copy (BCC) to an account that appears to be hosted in France. 

The original package is maintained on GitHub by ActiveCampaign, the organisation behind Postmark, but Koi believes that the attacker took the legitimate code repository, added the malicious BCC line, and published it to npm.

ActiveCampaign has confirmed the incident, saying it had nothing to do with the malicious postmark-mcp package.

"A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC'd emails to an external server," ActiveCampaign said.

The Postmark team advised anyone using the fake package to remove it immediately from their systems, check email logs and to rotate credentials that may have been sent via email during the period of compromise.

Koi said the fake Postmark-mcp had 1500 weekly downloads, and its conservative estimates suggested 3000 to 15,000 emails a day were forwarded to the attacker.

The first version of the MCP server was first published on September 15, with the malicious code added to the package two days later.

Koi suggested that the incident shows the entire MCP model is fundamentally broken.

"We're handing god-mode permissions to tools built by people we don't know, can't verify, and have no reason to trust," Koi researcher Idan Dardikman wrote.