
"These MCP servers run with the same privileges as the AI assistants themselves - full email access, database connections, API permissions - yet they don't appear in any asset inventory, skip vendor risk assessments, and bypass every security control from DLP to email gateways,"
"By the time someone realizes their AI assistant has been quietly BCCing emails to an external server for months, the damage is already catastrophic."
"We're talking about 3,000 to 15,000 emails every day flowing straight to giftshop.club. And the truly messed up part? The developer didn't hack anything. Didn't exploit a zero-day. Didn't use some sophisticated attack vector."
"We literally handed him the keys, said 'here, run this code with full permissions', and let our AI assistants use it hundreds of times a day."
A malicious Model Context Protocol (MCP) server was found copying all email traffic to an external server after a modified Postmark MCP package added a BCC line. The Postmark MCP Server package is downloaded about 1,500 times per week and is embedded in hundreds of developer workflows. Since version 1.0.16, the modified package recorded invoices, internal memos, and confidential documents and forwarded them externally. MCP servers run with full email, database, and API privileges, yet they often escape asset inventories and security controls. The attack funneled an estimated 3,000–15,000 emails per day to giftshop.club, highlighting endpoint supply-chain risks.
Read at IT Pro