Clean for 15 Versions. Version 1.0.16 Stole Your Inbox.
postmark-mcp published 15 clean versions. Version 1.0.16 added one BCC line that forwarded 3,000-15,000 emails per day to [email protected]. Plus: the SANDWORM_MODE cluster -- 19 typosquatted npm packages stealing SSH keys.
The Attack
postmark-mcp is an MCP server that integrates with the Postmark email API. It lets AI agents send and manage emails. For 15 versions -- from 1.0.1 through 1.0.15 -- it was clean. Standard email API wrapper. No suspicious behavior.
Version 1.0.16, published in March 2026, added one line of code: a BCC field on every outgoing email, forwarding a copy to `[email protected]`. If you were using postmark-mcp to send emails through your AI agent, every email -- business correspondence, customer data, internal communications -- was being silently forwarded to an attacker-controlled inbox.
Scale of Impact
Postmark handles transactional email. Users of postmark-mcp are typically sending automated notifications, password resets, invoices, and business communications. Based on Postmark usage patterns, a single integration handles between 3,000 and 15,000 emails per day. Every one of those emails was duplicated to the attacker. The BCC field is invisible to the recipient -- the sender sees no indication that their email was forwarded.
Why Existing Tools Missed It
npm audit checks dependency vulnerabilities. It does not inspect application logic for behavioral changes between versions. GitHub Dependabot watches for known CVEs. A novel BCC injection has no CVE. Code review would catch it -- if anyone reviews the diff of every MCP server update. In practice, MCP servers auto-update, and nobody reads the changelogs.
ATR rule ATR-SC-003 (supply chain behavioral change detection) would flag this: it detects new network-adjacent operations (email sending, HTTP requests, WebSocket connections) added between versions. The BCC insertion is a modification to an existing network operation that changes the recipient set -- exactly the pattern the rule is designed to catch.
SANDWORM_MODE: The Typosquatting Cluster
While investigating postmark-mcp, we discovered a coordinated typosquatting campaign targeting the MCP ecosystem. We call it SANDWORM_MODE (no relation to the APT group -- the name comes from internal tracking). 19 npm packages published within a 48-hour window: - `claud-code` (targeting `claude-code`) - `cloude-code` (targeting `claude-code`) - `opencraw` (targeting `openclaw`) - `mcp-servr` (targeting `mcp-server`) - Plus 15 more variations of popular MCP package names
Every package in the cluster followed the same pattern: minimal functionality (often just re-exporting the legitimate package), plus a postinstall script that harvested `~/.ssh/id_rsa`, `~/.aws/credentials`, and all environment variables, then POSTed them to a Cloudflare Workers endpoint. The exfiltration was Base64-encoded and sent as a "telemetry" payload to a domain that looked like a legitimate analytics service.
Timeline
The SANDWORM_MODE packages were live on npm for between 6 and 43 hours before removal. Download counts ranged from 12 to 847 per package. Total estimated installations across all 19 packages: approximately 4,200. Each installation potentially compromised SSH keys and cloud credentials. If you installed any package matching these names, rotate your SSH keys and AWS credentials immediately.
Lessons
Supply chain attacks on MCP are not theoretical. They are happening now. The attack model is identical to what we saw in npm circa 2018-2021 (event-stream, ua-parser-js, colors/faker), but the impact is amplified because MCP skills run with broader system access. Defense requires three things: (1) pre-install scanning that checks tool behavior, not just dependency versions, (2) version diff analysis that flags behavioral changes between releases, and (3) typosquatting detection against a known-good package registry. ATR and PanGuard provide all three.