42 comments

[ 3.1 ms ] story [ 65.0 ms ] thread
Bait article with an awful chatgpt generated image at the top to boot.
The new Outlook app keeps a copy of all your e-mails, including your e-mail credentials, at Microsoft servers. Microsoft is doing this for months to millions of people and nobody cares. Why a single developer copying a couple hundreds of e-mails is such a big deal?
Good thing i dont even wanna use any 3rd party libraries when using stuff like Postmark. Just old fashioned curl and POST requests to send emails with Postmark.

And i consider myself a lazy person. Using 3rd party libraries are just more of a headache and time sink sometimes

I understand the problem mentioned with mcp servers but this kind of attack could happen to any external dependency (like a smtp package) i guess
It's almost always npm packages. I know that's because npm is the most widely used package system and most motivating one for attackers. But still bad taste in my mouth.
> Somehow, we've all just accepted that it's totally normal to install tools from random strangers that can

Some people do this without thinking much about it. Not all of us. This is not normal nor ok.

Predicting this kind of attack was easy. Many of us probably did. (I did.) This doesn't make me feel much better though, since (a) I don't relish when lazy or ignorant people get pwned; (b) there are downstream effects on uninvolved people; and (c) there are classes of attacks that are not obvious to you or me.

Stay suspicious, stay safe. There are sharks in the water. With frikin' laser beams on their heads too.

It's pretty daring to do something like this. Something so brazen has a 100% chance of getting caught given enough time...

That said, installing any package is a liability, whether it's a library or an mcp server.

>Well, here's the thing not enough people talk about: we're giving these tools god-mode permissions. Tools built by people we've never met. People we have zero way to vet. And our AI assistants? We just... trust them. Completely.

I keep seeing this pattern in articles: "Did you know that if you point the gun at your foot and pull the trigger, yOu ShOoT yOuRsElF iN tHe FoOt??!? I couldn't believe it myself!! What a discovery!!1!"

Are people really this oblivious or are these articles written about non-issues just to have written 'content'?

The problem with foot guns is that you know it's a foot gun and I know it's a foot gun, but the underpaid social media manager at my bank might not and suddenly it's a problem for you and I.
It’s a bit easy for us to say, but general public doesn’t know about the details. For example, lots of people talk how algorithms designs your personal social media feed. But the same people don’t know what an “algorithm” means. It’s just a generic word for them. Which is fine, because not everyone is in our industry.
What security people don't understand is that if insurance policy costs more than "cost of disaster" times "probability of a disaster" then it's most likely not worth it. They personally enjoy doing security stuff, so they don't internalize the costs of maintaining a secure environment the same way an average person does, or even a non-security developer.
People are doing this with MCP on large scale, it's not talked about enough; otherwise sensible people are dismissive of the risks.
(comment deleted)
> Are people really this oblivious

There are hundreds of accidental gun deaths every year in the US. So yes, people do need to be told to not point guns at their feet (and other body parts) and pull the trigger.

https://ammo.com/articles/accidental-shooting-statistics

Just the other day I saw a video of a guy pulling a trigger on a gun in another person’s hand with the express goal of inuring them with the knock back. Another of a guy accidentally shooting a hole through his own ceiling. And a third one of a guy (there were at least three people present) shooting a rifle into a shallow river; they were lucky the barrel exploded like a looney tunes cartoon.

And we’re talking guns, which are designed to be dangerous. Software is much more nebulous and people have been conditioned for years to just download whatever and install it.

How is this different from a backdoor in, say, a Thunderbird extension? I've maintained an extension for Thunderbird and, when I was no longer interested in it, a guy pushed hard to take over the project after sending a few legitimate contributions. I declined because it seemed crazy to give the keys to tens of thousands mailbox to a guy I didn't really know. I also found it crazy that people would trust me initially, but well, I know I'm a good guy :-)
> How is this different from a backdoor in, say, a Thunderbird extension?

I don’t get the argument. Had this been a backdoor in a Thunderbird extension, would it not have been worth reporting? Of course it would. The value of this report is first and foremost that it found a backdoor. That it is on an MCP server is secondary, but it’s still relevant to mention it for being the first, so that people who don’t believe or don’t understand these systems can be compromised (those people exist) can update their mental model and be more vigilant.

> For 15 versions - FIFTEEN - the tool worked flawlessly. Developers were recommending it to their teams. "Hey, check out this great MCP server for Postmark integration." It became part of developer’s daily workflows, as trusted as their morning coffee.

> Then version 1.0.16 dropped. Buried on line 231, our risk engine found this gem: A simple line that steals thousands of emails

> One single line. And boom - every email now has an unwanted passenger.

A brand new twist on enshittification.

What stops police/a prosecutor from getting a warrant for Squarespace/GoDaddy to give them info on the purchase of the giftclub.shop domain? Their payment method is identifiable, I doubt someone commiting this kind of attack is covering their traces very well.
I come for the thread but amazed with the website and beautiful UI of Koi platform. Looks really cool!
> We can only guestimate the impact:

> 1,500 downloads every single week

> Being conservative, maybe 20% are actively in use

> That's about 300 organizations

> Each one probably sending what, 10-50 emails daily?

> We're talking about 3,000 to 15,000 emails EVERY DAY flowing straight to giftshop.club

Those figures seems crazy to me.

They assert that behind a single download from NPM is a unique organization.

That's insane.

A download from NPM is just someone (most often something) doing _npm i_.

Given how most CIs are (badly) configured in the wild, they'll _npm i_ at least once per run. If not per stage.

So those 1,500 downloads per week can come from just 2 organizations, one with a dev POCing the tool, and one with a poorly configured CI.

And the official repo has 1 watch 0 fork and 2 stars: https://github.com/ActiveCampaign/postmark-mcp

Sure the issue raised around MCP and supply chain is big, but the actual impact of this one is probably close to 0.

> First Malicious MCP in the Wild

First that you know of. MCP zero-days seems to be so much easier to find and exploit.

I'll say it again: no one cares about security.

First, no one is ever punished for having security breaches: companies outsource security specifically to avoid responsibility (using contract law to transfer risk). Second, the MBA mentality has infected software development such that first to market and feature velocity trumps all: if I can download a package or have an LLM write my code so much the faster than me writing it.

Security is fucked because shareholders want it that way. Change the incentives to make security matter if you want something different.

> Somehow, we've all just accepted that it's totally normal to install tools from random strangers

This has been the modus operandi since windows xp days where we in all innocence installed random cd-ripping software and bonzi buddies, with full access to the rest of the computer.

It’s hard to argue against convenience. People will always do what’s easy even if less secure. The bigger lesson is why we still haven’t learned to sandbox sandbox sandbox. Here it seems like AI just did a full factory reset on every best practice know to man.

And that's a dumb attack. Not one that uses a LLM to find the good stuff, and transmit it through some covert channel to somewhere the attacker can get it.
This doesn't look like an MCP backdoor. It looks like a supply chain attacks on an unofficial mcp tool.

It's definitely not what we are worried about with MCP.

The content of this article is good, but why send it through ChatGPT AI sloppification?

I'd rather just read whatever the prompt was. In the current state it's an insult to the user and a waste of time.

I wonder whether there isn't even more backdoors of this kind in various popular packages for all kinds of programming languages - after all, it seems like security scrutiny for developer-level packages is something that we are just starting to get that might be important
This blogpost is almost impossible to read. Might be AI augmented. So many unnecessary sentences and embellishments.

Shame, the actual topic is interesting

Looks like bcc was added for debugging and was not removed before commit.

Too obvious for backdoor. Replacing bitcoin addresses in email would be more useful)