Unofficial postmark-mcp npm package email leak

Data Leak
Happening score: 24
3 unique sources, 3 articles

Summary

Version 1.0.16 of the unofficial postmark-mcp npm package exfiltrated user email traffic, creating a concrete data leak risk for npm users. The malicious update forwarded emails to giftshop[.]club; before that, the package had passed as a near-clone of the official project through 15 iterations. The exposed content may have included password reset requests, two-factor authentication codes, financial information, and customer details. The malicious version stayed online for about a week, recorded around 1,500 downloads, and was later removed.

Timeline

  1. 25.09.2025 23:23 · 4 articles

    Malicious postmark-mcp npm package disclosed

    Initial Disclosure

    Koi Security identified a malicious postmark-mcp npm package that copied the official Postmark MCP project, which is used to expose Postmark email delivery functions to AI assistants. The package stayed clean through version 1.0.15; version 1.0.16 added a single line that forwarded users' email communications to giftshop[.]club. The package had appeared as an official port for 15 iterations, was available for about a week, and recorded around 1,500 downloads. It may have exposed sensitive email content, including password reset requests, two-factor authentication codes, financial information, customer details, and thousands of emails from users of the affected package.

  2. 25.09.2025 23:23 · 1 article

    Malicious postmark-mcp npm package removed

    Mitigation Patch Update

    The developer removed the malicious postmark-mcp package from npm after the public findings, ending the availability of the version that forwarded users' email communications to an external address.
