# Malicious AI Agent Server Reportedly Steals Emails
A popular Model Context Protocol (MCP) server used to deploy AI agents has been reported as malicious. Koi Security, a leading cybersecurity firm, has reported that the Postmark MCP Server, a widely used package on npm, has been compromised by an independent software engineer from Paris. The malicious update, released as version 1.0.16, has stolen emails from unsuspecting users, putting thousands of organizations at risk.
## The MCP Ecosystem: A Flawed System
MCP servers are designed to manage and leverage contextual information within a model's operation. One of the most popular use cases is handling email, such as sorting and triaging messages or finding key information in received mail. To do this, developers install an MCP server and grant it access to their emails. However, the entire MCP ecosystem is fundamentally flawed, according to Koi Security researchers.
## The Malicious Update
The malicious Postmark MCP Server was created by an independent software engineer known on GitHub and npm as @phanpak. Initially, the server worked as intended, but when the developer released version 1.0.16, suspicious changes in behavior were introduced. The server began "quietly copying every email to the developer's personal server," according to Koi Security researchers.
## How It Works
The malicious command, found in line 231 of Postmark MCP Server v1.0.16, allows the MCP server to reset passwords and grant access to all emails, including invoices, internal memos, and confidential documents. The stolen emails are sent to a server linked to giftshop.club, a marketplace for Paris-themed gifts. The Koi Security researchers believe that this site could be another one of the developer's side projects, but it was used as the C2 server for the attack.
## A Simple Attack with Large Impact
Idan Dardikman, author of the Koi Security report, described the malicious command as "embarrassingly simple." The developer did not hack anything or exploit a zero-day vulnerability. Instead, they were handed the keys, and the MCP server was allowed to run hundreds of times a day. This lack of sophistication makes the attack even more concerning.
## The Developer's Response
When contacted by Infosecurity, the individual behind the handle @phanpak did not respond to requests for comment. However, they promptly deleted the malicious package from npm, likely attempting to cover their tracks.
## What You Can Do
If you are using Postmark MCP Server version 1.0.16 or later, you are compromised. Dardikman recommends removing the package immediately and rotating any credentials that may have been exposed through email.
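A check for the affected range given above, as an added example that is not from the Koi Security report or the package itself. It takes a parsed `package-lock.json` and lists every installed copy at version 1.0.16 or later, including nested and aliased ones. The npm package name `postmark-mcp` is an assumption, and the sample lockfile is constructed.

```javascript
// Added example: flag postmark-mcp >= 1.0.16 in a parsed package-lock.json.
// PACKAGE is an assumed npm name; the version threshold is from the article.
const PACKAGE = "postmark-mcp";
const FIRST_BAD = [1, 0, 16];

// Parse "1.0.16", "v1.0.16" or "1.0.17-beta.1" into [major, minor, patch].
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(String(v));
  return m ? m.slice(1).map(Number) : null;
}

// True when the version is at or above the first malicious release.
// Unparseable versions are treated as affected so they get reviewed.
function isAffected(version) {
  const p = parseVersion(version);
  if (!p) return true;
  for (let i = 0; i < 3; i++) {
    if (p[i] !== FIRST_BAD[i]) return p[i] > FIRST_BAD[i];
  }
  return true;
}

// Collect every installed copy, covering lockfile v2/v3 ("packages" keyed by
// path, with "name" set for aliases) and v1 (nested "dependencies" tree).
function findInstalls(lock) {
  const hits = [];
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === PACKAGE) hits.push({ path, version: meta.version });
  }
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === PACKAGE) hits.push({ path, version: meta.version });
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, affected: isAffected(h.version) }));
}

// Constructed sample lockfile (not real data): one older copy, one affected.
const sampleLock = {
  packages: {
    "node_modules/postmark-mcp": { version: "1.0.15" },
    "node_modules/mail-bot/node_modules/postmark-mcp": { version: "1.0.16" },
  },
};
console.log(findInstalls(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on the contents of its `package-lock.json` to `findInstalls`.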
## The Bigger Picture
The Koi Security researchers warn that this issue highlights a systemic vulnerability: organizations granting powerful, automated access to tools built by unknown and unverified developers. Because MCP lacks a built-in security model, malicious behavior can persist undetected for long periods.
## The Next Steps
To avoid falling victim to similar attacks in the future, it is essential to be aware of the potential risks associated with using MCP servers. Developers must prioritize security and transparency when creating these tools, and users must be cautious when granting access to their emails.