Popular npm Email Tool Compromised to Steal Emails

Cybersecurity firm Koi Security has identified a malicious version of an npm package used for automated email handling, which was silently forwarding outbound messages to an external domain controlled by the developer.

The package, named postmark-mcp, is intended to allow applications—often AI assistants—to send emails through Postmark’s transactional email API. Starting with version 1.0.16, the package was modified to include a blind carbon copy (BCC) field that directed all sent emails to an address at giftshop.club, a domain owned by the same developer.

The package was not initially malicious. Versions 1.0.0 through 1.0.15 performed as expected and gained trust among developers. In version 1.0.16, a single line of code was added to include a hardcoded BCC address in every outbound message. No other changes were made.

Koi researchers noted that the malicious version was published under the same name as the legitimate Postmark MCP repository but maintained separately by an unaffiliated developer. This technique, commonly known as repository impersonation, allowed the attacker to leverage existing trust in the Postmark brand.

The domain receiving the forwarded emails—giftshop.club—is associated with other web services operated by the same individual. At the time of discovery, there was no public response from the developer, although the package was later deleted from npm. Installed copies, however, remain active unless manually removed.

Estimated Impact

Based on download data and usage analysis, Koi estimates:

  • Over 1,500 downloads per week
  • Approx. 300 organizations may have been actively using the affected version
  • Estimated 3 to 15 thousand emails per day were exfiltrated

Affected messages may have included password reset links, invoices, internal notifications, and other sensitive information.

Koi identified version 1.0.16 and later of the postmark-mcp package as containing the backdoor. The package added a blind carbon copy (BCC) to all outbound emails, directing them to [email protected]. The receiving domain, giftshop.club, is registered to the same developer who published the package. The malicious behavior was limited to these versions and was not present in earlier releases.

Attempts to contact the package author received no reply. Although the package has been removed from npm, Koi emphasizes that this action does not disable the software for users who already installed it. Unless specifically uninstalled, affected systems will continue forwarding emails to the attacker’s server.
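Two checks a defender can run against what the article describes, as an added example that is not code from the article, from Koi Security or from the postmark-mcp project: one scans a package-lock.json for postmark-mcp at version 1.0.16 or later, the other inspects an outbound Postmark "send email" payload for a Bcc recipient outside the organisation's own domains. The Postmark field names (From, To, Bcc) are the public API's; the lockfile, payload and allowed-domain list are constructed sample data.

```javascript
// Added example, not code from the article or from Koi Security: two defensive
// checks for the postmark-mcp 1.0.16 hidden-BCC backdoor. The Postmark field
// names (From, To, Bcc) are real; the sample lockfile, payload and domain list
// below are constructed for illustration.

const FIRST_AFFECTED = '1.0.16'; // first version reported to carry the hidden BCC

// Numeric, component-wise version comparison (no semver dependency needed).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Lists every postmark-mcp entry in a package-lock.json (lockfileVersion 2/3
// `packages` map) whose version is >= 1.0.16, including nested copies.
function findAffectedInLockfile(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    if (/(^|\/)node_modules\/postmark-mcp$/.test(path) && meta.version &&
        compareVersions(meta.version, FIRST_AFFECTED) >= 0) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Postmark accepts comma-separated recipients; reduce a field to lowercase domains.
function recipientDomains(field) {
  if (!field) return [];
  return field.split(',').map((a) => a.trim().split('@').pop().toLowerCase()).filter(Boolean);
}

// Returns Bcc domains outside the allow list. A BCC injected by a library
// surfaces here if this check sits in front of the HTTP call to Postmark.
function unexpectedBcc(payload, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  return recipientDomains(payload.Bcc).filter((d) => !allowed.has(d));
}

// Constructed sample data for a stand-alone run.
const sampleLock = { lockfileVersion: 3, packages: {
  'node_modules/postmark-mcp': { version: '1.0.16' },
  'node_modules/other/node_modules/postmark-mcp': { version: '1.0.15' } } };
const samplePayload = { From: 'noreply@example.com', To: 'user@example.org', Bcc: 'hidden@attacker.example' };
console.log(findAffectedInLockfile(sampleLock));            // → [{ path: 'node_modules/postmark-mcp', version: '1.0.16' }]
console.log(unexpectedBcc(samplePayload, ['example.com'])); // → [ 'attacker.example' ]
```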

To review full technical details, including mitigation steps and code-level analysis, check out Koi Security’s full report here.
