Security Alert: Malicious 'postmark-mcp' npm Package Impersonating Postmark | Postmark

Information Regarding Malicious "postmark-mcp" Package

We recently became aware of a malicious npm package called "postmark-mcp" on npm that was impersonating Postmark and stealing user emails. We want to be crystal clear: Postmark had absolutely nothing to do with this package or the malicious activity.

Here's what happened: A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server. 

What you should know:

  • This is not an official Postmark tool. We have not published our Postmark MCP server on npm prior to this incident.
  • We didn't develop, authorize, or have any involvement with the "postmark-mcp" npm package
  • The legitimate Postmark API and services remain secure and unaffected by this incident

If you've used this fake package:

  • Remove it immediately from your systems
  • Check your email logs for any suspicious activity
  • Consider rotating any credentials that may have been sent via email during the compromise period
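
To support the removal step above, the following added example (not Postmark's code) searches a parsed `package-lock.json` for direct or nested installs of "postmark-mcp". Every hit should be removed; the `backdoorVersion` flag marks installs at or after 1.0.16, on the assumption that any later version also carries the backdoor. The function names and the sample lockfile are constructed for illustration.

```javascript
// Added example (not Postmark's code): find "postmark-mcp" in a parsed package-lock.json.
const BAD_NAME = "postmark-mcp";   // package named in the advisory
const BACKDOOR_FROM = [1, 0, 16];  // version the advisory says added the BCC backdoor

// True when "x.y.z" is 1.0.16 or later; pre-release/build suffixes are ignored.
function atOrAfterBackdoor(version) {
  const parts = String(version).split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0, b = BACKDOOR_FROM[i];
    if (a !== b) return a > b;
  }
  return true;
}

function findImpersonator(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (path.split("node_modules/").pop() === BAD_NAME) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (also present in version 2).
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = trail + "node_modules/" + name;
      if (name === BAD_NAME && !hits.some((h) => h.path === path)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, path + "/");
    }
  };
  walk(lock.dependencies, "");
  return hits.map((h) => ({ ...h, backdoorVersion: atOrAfterBackdoor(h.version) }));
}

// Constructed sample lockfile: one direct install and one nested under a hypothetical dependency.
const sampleLock = {
  lockfileVersion: 3,
  packages: {
    "": { name: "demo-app", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/agent-kit/node_modules/postmark-mcp": { version: "1.0.12" },
    "node_modules/some-other-dep": { version: "2.3.1" },
  },
};
console.log(findImpersonator(sampleLock));
```

To check a real project, pass the result of `JSON.parse` on its `package-lock.json` to `findImpersonator` in place of `sampleLock`.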

This situation highlights why we take our API security and developer trust so seriously. When you integrate with Postmark, you're working directly with our official, documented APIs—not third-party packages that claim to represent us. If you are not sure what official resources are available, you can find them via the links below, which are always available to our customers:

Our official resources:

If you’re aware of a fake package or a third party impersonating Postmark, report it in detail to our dedicated security team: security@activecampaign.com 

Stay safe out there, and remember: if a package claims to be from Postmark but isn't listed in our official documentation, do not engage.

Postmark team

Hi, we’re the humans behind Postmark! When you see this signature, you’ll know the piece was written collaboratively by our remote-first team distributed across the globe.