The Register
A fake npm package posing as Postmark's MCP (Model Context Protocol) server silently stole potentially thousands of emails a day by adding a single line of code that secretly copied outgoing messages to an attacker-controlled address.
In a blog post late last week, Postmark warned users about "postmark-mcp" on npm impersonating the email delivery service and stealing its users' emails.
"We want to be crystal clear: Postmark had absolutely nothing to do with this package or the malicious activity," the company said on September 25. "Here's what happened: A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC'd emails to an external server."
If you downloaded the fake package, Postmark
Bozeman Daily Chronicle
Fast Company Technology
Detroit News
Catholic News Agency
PC World
The Motley Fool
The List
Bossip Celebrity
NBC Bay Area Entertainment