A npm package copying the official 'postmark-mcp' project on GitHub turned bad with the latest update that added a single line of code to exfiltrate all its users' email communication.
The security researchers who discovered the malicious npm package called it the “first malicious MCP in the wild” ...
Some results have been hidden because they may be inaccessible to you
Show inaccessible results
Feedback