Security Alert: Malicious 'postmark-mcp' npm Package Impersonating Postmark | Postmark
Alert: A malicious npm package named 'postmark-mcp' was impersonating Postmark to steal user emails. Postmark is not affiliated with this fraudulent package. We recently became aware of a malicious npm package called "postmark-mcp" on npm that was impersonating Postmark and stealing user emails. We want to be crystal clear: Postmark had absolutely nothing to do with this package or the malicious activity. Here's what happened: A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server. What you should know: This is not an official Postmark tool. We have not published our Postmark MCP server on npm prior to this incident We didn't develop, authorize, or have any involvement with the "postmark-mcp" npm package The legitimate Postmark API and services remain secure and unaffected by this incident If you've used this fake package: Remove it immediately from your systems Check your email logs for any suspicious activity Consider rotating any credentials that may have been sent via email during the compromise period This situation highlights why we take our API security and developer trust so seriously. When you integrate with Postmark, you're working directly with our official, documented APIs—not third-party packages that claim to represent us. If you are not sure what official resources are available, you can find them via the links below, which are always available to our customers: Our official resources: Official Postmark MCP - Github API documentation Official libraries and SDKs Support channels or email security@activecampaign.com if you have questions