However, deleting the package won’t remove it from the machines it already runs on. While it is unclear how many developers actually downloaded the version, every single one of the “average 1500 weekly” downloads is compromised–the factor that likely motivated the attacker’s swift withdrawal of the package.
To mitigate damage, Koi recommends immediate removal of postmark-mcp (version 1.0.16), rotation of credentials possibly leaked via email, and thorough audits of all MCPs in use.
“These MCP servers run with the same privileges as the AI assistants themselves — full email access, database connections, API permissions — yet they don’t appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways,” Dardikman added. “By the time someone realizes their AI assistant has been quietly Bcc:ing emails to an external server for months, the damage is already catastrophic.”
Security practitioners have been skeptical of MCP ever since Claude’s creator, Anthropic, introduced it. Over time, the protocol has hit several bumps, with vendors like Anthropic and Asana reporting critical flaws in their MCP implementations.
