AI · 6 min read · May 2, 2026

MCP Servers Introduce a Supply Chain Risk Most Enterprises Haven't Mapped

A 2025 backdoor in a popular MCP package silently exfiltrated email from hundreds of organizations, exposing a governance gap security teams haven't closed.

Source: hackernoon · Priyanka Neelakrishnan

MCP servers now function as unaudited supply chain infrastructure, carrying credential access and data scope that most enterprise security programs have not yet inventoried.

  • A backdoored MCP package silently BCC'd emails to an attacker address for over a week.
  • An estimated 300–500 organizations were affected before the malicious version was pulled.
  • 88% of MCP servers in one large sample handle credentials of some kind.
  • Nearly 2,000 internet-facing MCP servers were found with no authentication required.
  • 53% of credential-handling MCP servers rely on long-lived, unrotated static API keys.
  • OX Security traced one SDK design flaw to 10 CVEs across 150 million combined downloads.
  • Tool poisoning lets attackers embed hidden instructions inside tool metadata the model trusts.
  • Nine of eleven public MCP marketplaces accepted proof-of-concept malicious server submissions.

Frequently asked

  • A package on npm called postmark-mcp impersonated an unofficial integration with the Postmark email service. For fifteen versions it functioned normally, earning trust and roughly 1,500 weekly downloads. Version 1.0.16, released in September 2025, added a single line that BCC'd every outgoing email to an attacker-controlled address. The change bypassed email gateways and DLP tools because the traffic looked like normal Postmark API activity. Koi Security identified the backdoor after it had been live for over a week, by which point an estimated 300 to 500 organizations had integrated the malicious version.
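
A lockfile check for the package and version named above, as an added example that is not code from the article or from Koi Security. The sample lockfiles are constructed and `findFlaggedInstalls` is a hypothetical helper name; it lists every install of `postmark-mcp` in a parsed `package-lock.json`, including transitive ones, and marks those pinned to 1.0.16.

```javascript
// Package name and version come from the article; everything else is assumed.
const FLAGGED = { name: "postmark-mcp", version: "1.0.16" };

// Return every install of FLAGGED.name found in a parsed package-lock.json,
// marking the ones pinned to the backdoored version.
function findFlaggedInstalls(lock) {
  const hits = [];
  const record = (path, version) =>
    hits.push({ path, version, backdoored: version === FLAGGED.version });

  // lockfileVersion 2 and 3: flat "packages" map keyed by install path.
  // Aliased installs carry the real package name in meta.name.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const name = meta.name || path.split("node_modules/").pop();
    if (name === FLAGGED.name) record(path, meta.version);
  }

  // lockfileVersion 1: nested "dependencies" tree, walked recursively.
  const walk = (deps, trail) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${trail}node_modules/${name}`;
      if (name === FLAGGED.name) record(path, meta.version);
      walk(meta.dependencies, `${path}/`);
    }
  };
  // Version 2 files carry both structures, so skip the tree when "packages" exists.
  if (!lock.packages) walk(lock.dependencies, "");

  return hits;
}

// Constructed sample lockfiles (not real project data).
const sampleV3 = {
  lockfileVersion: 3,
  packages: {
    "": { name: "mail-agent", version: "0.1.0" },
    "node_modules/postmark-mcp": { version: "1.0.16" },
    "node_modules/example-lib": { version: "1.3.0" },
    "node_modules/tools/node_modules/postmark-mcp": { version: "1.0.15" },
  },
};
const sampleV1 = {
  lockfileVersion: 1,
  dependencies: {
    tools: { version: "2.0.0", dependencies: { "postmark-mcp": { version: "1.0.16" } } },
  },
};

console.log(findFlaggedInstalls(sampleV3), findFlaggedInstalls(sampleV1));
```

To run it against a real project, pass the result of `JSON.parse` on the project's `package-lock.json` to `findFlaggedInstalls`.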
