Fake npm Package Hijacks Postmark Emails in Supply Chain Breach

A single line of malicious code hidden in a counterfeit npm package has exposed potentially thousands of sensitive emails every day, raising fresh alarms about software supply-chain security. 
The package, uploaded to npm under the name postmark-mcp, impersonated the legitimate Model Context Protocol (MCP) server of email delivery service Postmark.
According to investigators at Koi Security, the attacker copied code from Postmark’s official GitHub repository, inserted a backdoor that BCC’d every outgoing message to an external email address, and released it on npm.

The deception lasted through 15 versions of the package, with the backdoor introduced in version 1.0.16. During its brief circulation, it was downloaded approximately 1,500 times in a week. 

Koi Security estimates that at least 300 organisations may have integrated it into their workflows, unknowingly diverting between 3,000 and 15,000 emails daily to the attacker’s server. These could have included password resets, authentication codes, invoices, financial data, and internal business correspondence. 
Postmark confirmed the malicious package was unrelated to its own operations, stressing that its infrastructure remained uncompromised. In an advisory, the company urged anyone who had installed the npm module to delete it immediately, review email logs for unusual traffic, and reset credentials transmitted by email.
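The two checks Postmark's advisory asks for can be scripted. The block below is an added example, not code from the article, from Postmark or from Koi Security: it walks an npm lockfile for the counterfeit `postmark-mcp` package and flags any copy at or after version 1.0.16 (the version the article names as the first backdoored one), then scans outgoing-mail records for BCC recipients outside the organisation's own domains, which is the trace a hidden-BCC backdoor leaves in a send log. The lockfile, the mail-log shape, the domain `example.com` and the address `collector@attacker.invalid` are all constructed for illustration.

```javascript
// Added example: post-incident checks for the counterfeit postmark-mcp package.
// Not part of the original article; all sample data below is constructed.

const SUSPECT_PACKAGE = "postmark-mcp";
// The article reports the backdoor was introduced in this version.
const FIRST_BACKDOORED_VERSION = "1.0.16";

// Split "1.0.16" into [1, 0, 16]; non-numeric parts become 0.
function parseVersion(v) {
  return v.split(".").map((part) => parseInt(part, 10) || 0);
}

// Numeric dotted-version comparison: -1, 0 or 1.
function compareVersions(a, b) {
  const pa = parseVersion(a);
  const pb = parseVersion(b);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d < 0 ? -1 : 1;
  }
  return 0;
}

// Walk the "packages" map of an npm lockfile (v2/v3), whose keys look like
// "node_modules/<name>" or "node_modules/<parent>/node_modules/<name>", and
// report every installed copy of the suspect package with a backdoored flag.
function findSuspectPackage(lockfile) {
  const hits = [];
  for (const [path, meta] of Object.entries(lockfile.packages || {})) {
    const name = path.split("node_modules/").pop();
    if (name !== SUSPECT_PACKAGE) continue;
    hits.push({
      path,
      version: meta.version,
      backdoored: compareVersions(meta.version, FIRST_BACKDOORED_VERSION) >= 0,
    });
  }
  return hits;
}

// Flag every message whose BCC list contains an address outside the allowed
// domains. A BCC to an unknown external domain on routine mail is the kind of
// "unusual traffic" the advisory asks teams to look for.
function findUnexpectedBcc(records, allowedDomains) {
  const allowed = new Set(allowedDomains.map((d) => d.toLowerCase()));
  const flagged = [];
  for (const rec of records) {
    const external = (rec.bcc || []).filter((addr) => {
      const domain = addr.split("@").pop().toLowerCase();
      return !allowed.has(domain);
    });
    if (external.length) flagged.push({ id: rec.id, to: rec.to, external });
  }
  return flagged;
}

// Constructed lockfile: a project that pulled in the counterfeit package.
const sampleLockfile = {
  name: "example-app",
  lockfileVersion: 3,
  packages: {
    "": { name: "example-app", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/express": { version: "4.19.2" },
  },
};

// Constructed send-log records in the shape an application might keep.
const sampleMailLog = [
  { id: "m1", to: "alice@example.com", bcc: [], subject: "Invoice 4471" },
  { id: "m2", to: "bob@example.com", bcc: ["audit@example.com"], subject: "Password reset" },
  {
    id: "m3",
    to: "carol@example.com",
    bcc: ["audit@example.com", "collector@attacker.invalid"],
    subject: "Login code",
  },
];

function runChecks() {
  return {
    packageHits: findSuspectPackage(sampleLockfile),
    bccHits: findUnexpectedBcc(sampleMailLog, ["example.com"]),
  };
}

console.log(JSON.stringify(runChecks(), null, 2));
```

Run against a real project, `sampleLockfile` would be `JSON.parse(fs.readFileSync("package-lock.json"))` and `sampleMailLog` the exported send log; any `backdoored: true` hit means the module should be removed and any credentials that passed through email since the install date rotated, and any `bccHits` entry names the addresses the mail actually went to.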

[…]

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents
