NEWS "God-Mode" in the Hands of a Hacker: How One Line of Code Compromised Hundreds of Companies

ExcalibuR

A simple tool for AI assistants turned out to be the most insidious backdoor of the year.

Developers have grown to trust tools that help their AI assistants handle routine tasks, from sending emails to working with databases. But this trust proved to be a vulnerability: the postmark-mcp package, downloaded over 1,500 times per week, had been stealthily forwarding copies of all emails to an external server belonging to its author, starting from version 1.0.16. The internal communications of companies, invoices, passwords, and confidential documents were put at risk.

This incident is the first to demonstrate that MCP servers can be used as a full-fledged channel for software supply chain attacks. Researchers from Koi Security flagged the issue when their system detected a sharp change in the package's behavior. An investigation revealed that the developer had added just one line of code that automatically inserted a hidden BCC address and sent all messages to giftshop.club. Prior to this, fifteen releases had worked flawlessly, and the tool had become part of the workflows of hundreds of organizations.

The situation is particularly dangerous because the author appeared highly trustworthy: an open GitHub profile, real personal data, and projects with an active history. For months, users had no reason to doubt its security. But the update turned a familiar tool into a data exfiltration mechanism. A classic case of typosquatting played a key role: a clone of the Postmark repository appeared on npm, with just one line added to enable forwarding.

The full scale of the damage is difficult to assess, but rough estimates suggest hundreds of organizations unknowingly sent thousands of emails per day to the external server. Notably, no exploits or complex techniques were used—administrators themselves had given their AI assistants full access and allowed the new server to operate without restrictions.

MCP tools possess "god-mode" level permissions: they can send emails, connect to databases, execute commands, and make API requests. Yet, they undergo neither security audits nor vendor checks and are often absent from asset inventories. For corporate defense, such modules remain invisible.

According to the researchers, the attack model was simple: first, a useful product is created; then, in one of the updates, minimal code for data theft is introduced, followed by covert data collection. When the researchers tried to contact the developer, they received no response, and the package was soon deleted from npm. However, deletion doesn't solve the problem: all previously installed versions continue to work and forward mail. This means many companies are still compromised and may be unaware of the leak.

This case highlights a fundamental flaw in the MCP architecture. Unlike regular packages, MCP servers are specifically designed for autonomous use by AI assistants. The machine cannot recognize malicious code: to it, sending an email with an additional recipient address looks like a successfully executed command. Thus, a simple backdoor remains undetected and operates until someone discovers it.

Koi specialists recommend removing postmark-mcp version 1.0.16 and above, rotating any credentials that might have been transmitted via email, and thoroughly checking logs for any forwarding to giftshop.club. Furthermore, the company advises reconsidering the use of MCP servers in general: without independent verification, such tools become a primary attack vector for enterprises.

Indicators of compromise include the postmark-mcp package at version 1.0.16 and newer, the address phan@giftshop[.]club, and the domain giftshop[.]club. Verification is possible by analyzing email headers for hidden BCCs and by auditing MCP configurations and npm installations.
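The two checks recommended above (find installs of postmark-mcp at version 1.0.16 or newer, and look through sent-mail records for the giftshop.club indicator) can be scripted. The following is an added example written for this post, not code from the article, from Koi Security, or from the postmark-mcp project; the package-lock structure, the mail-record shape (`{ id, headers }`) and all sample data are constructed assumptions.

```javascript
// Added example (not from the article, Koi Security, or postmark-mcp):
// audit an npm lockfile for affected postmark-mcp versions and scan outbound
// mail records for recipients at the indicator domain named in the article.
// All inputs below are constructed sample data, not real captured records.

const AFFECTED_PACKAGE = "postmark-mcp";
const FIRST_BAD_VERSION = "1.0.16";   // from the article
const IOC_DOMAIN = "giftshop.club";   // from the article (de-fanged there as giftshop[.]club)

// Compare two dotted version strings numerically; returns -1, 0 or 1.
// Prerelease tags are not handled, which is enough for the affected range here.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const x = pa[i] ?? 0;
    const y = pb[i] ?? 0;
    if (x !== y) return x < y ? -1 : 1;
  }
  return 0;
}

// Version 1.0.16 and everything after it is treated as affected.
function isAffectedVersion(version) {
  return compareVersions(version, FIRST_BAD_VERSION) >= 0;
}

// Walk a package-lock.json "packages" map (lockfileVersion 2 or 3) and return
// every path where postmark-mcp is installed at an affected version.
// Nested installs ("node_modules/a/node_modules/postmark-mcp") are included.
function findAffectedInstalls(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages ?? {})) {
    const name = meta.name ?? path.split("node_modules/").pop();
    if (name === AFFECTED_PACKAGE && meta.version && isAffectedVersion(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  return hits;
}

// Given sent-mail records of the form { id, headers: { to, cc, bcc } }, return
// every recipient (in any of the three fields) whose domain is the indicator.
// Bcc is where the article says the hidden address was inserted, but To and Cc
// are checked as well so a variant placement would not be missed.
function findExfilRecipients(records) {
  const suspicious = [];
  for (const rec of records) {
    for (const field of ["bcc", "cc", "to"]) {
      const value = rec.headers[field];
      if (!value) continue;
      const addrs = Array.isArray(value) ? value : String(value).split(",");
      for (const raw of addrs) {
        const addr = raw.trim();
        // Handles both "user@domain" and "Display Name <user@domain>".
        const domain = addr.toLowerCase().split("@").pop().replace(/>$/, "");
        if (domain === IOC_DOMAIN) suspicious.push({ id: rec.id, field, addr });
      }
    }
  }
  return suspicious;
}

// Constructed sample lockfile: one affected install, one unrelated package.
const sampleLockfile = {
  name: "agent-workspace",
  lockfileVersion: 3,
  packages: {
    "": { name: "agent-workspace", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/some-other-tool": { version: "2.3.4" }
  }
};

// Constructed sample mail log: the first record carries the hidden BCC.
const sampleMail = [
  { id: "m1", headers: { to: "finance@example.com", bcc: "Agent <phan@giftshop.club>" } },
  { id: "m2", headers: { to: "ops@example.com", cc: ["lead@example.com"] } }
];

// Run the audit over the sample data when executed directly.
if (typeof require !== "undefined" && require.main === module) {
  console.log("affected installs:", findAffectedInstalls(sampleLockfile));
  console.log("suspicious recipients:", findExfilRecipients(sampleMail));
}

module.exports = { compareVersions, isAffectedVersion, findAffectedInstalls, findExfilRecipients, sampleLockfile, sampleMail };
```

In a real deployment, `sampleLockfile` would be replaced by `JSON.parse(fs.readFileSync("package-lock.json"))` for each project that runs an MCP server, and `sampleMail` by records pulled from the mail provider's sent-message log; the two functions stay the same. Any hit from `findAffectedInstalls` means the package should be removed and credentials that may have passed through email rotated, as the researchers advise.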