npm Package Turns Rogue: The Email Heist You Didn’t See Coming!

Beware of the postmark-mcp imposter on npm! A sneaky update was added, exfiltrating user emails to giftshop.club. With 1,500 downloads in a week, it’s a cautionary tale of code mimicry gone rogue. If you downloaded it, rotate credentials faster than a DJ spins records, and audit those MCP servers pronto!

3P
Published: September 25, 2025 8:32 pmAdded: September 25, 2025 at 1:47 pmAssembled by: The Editor
Pro Dashboard

Hot Take:

In the world of cybersecurity, it seems like even the most innocent-looking packages can turn into ticking time bombs. The ‘postmark-mcp’ incident is a reminder that just because it quacks like a duck, doesn’t mean it’s not a cyber-duck with a penchant for espionage. Always check your packages, or you might end up with a surprise gift from giftshop[.]club!

Key Points:

  • An NPM package masquerading as ‘postmark-mcp’ was hijacked to spy on users’ emails.
  • The package stayed clean for 15 iterations before adding a malicious line in version 1.0.16.
  • About 1,500 unsuspecting users downloaded the malicious package.
  • Koi Security discovered the breach, but the developer has since removed the package.
  • This incident highlights the importance of verifying package sources and monitoring for suspicious activity.

Membership Required

 You must be a member to access this content.

View Membership Levels
Already a member? Log in here
The Nimble Nerd
powered by the NSA, er,  GDPR Cookie Compliance
Confessional Booth of Our Digital Sins

Okay, deep breath, let's get this over with. In the grand act of digital self-sabotage, we've littered this site with cookies. Yep, we did that. Why? So your highness can have a 'premium' experience or whatever. These traitorous cookies hide in your browser, eagerly waiting to welcome you back like a guilty dog that's just chewed your favorite shoe. And, if that's not enough, they also tattle on which parts of our sad little corner of the web you obsess over. Feels dirty, doesn't it?