Alert: A malicious npm package named 'postmark-mcp' was impersonating Postmark to steal user emails. Postmark is not affiliated with this fraudulent package.
We recently became aware of a malicious npm package called "postmark-mcp" on npm that was impersonating Postmark and stealing user emails. We want to be crystal clear: Postmark had absolutely nothing to do with this package or the malicious activity.
Here's what happened: A malicious actor created a fake package on npm impersonating our name, built trust over 15 versions, then added a backdoor in version 1.0.16 that secretly BCC’d emails to an external server.
What you should know:
This is not an official Postmark tool. We had not published our Postmark MCP server on npm prior to this incident.
We did not develop, authorize, or have any involvement with the "postmark-mcp" npm package.
The legitimate Postmark API and services remain secure and unaffected by this incident.
If you've used this fake package:
Remove it immediately from your systems.
Check your email logs for any suspicious activity, in particular outbound messages carrying BCC recipients you did not add.
Consider rotating any credentials that may have been sent via email during the compromise period.
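The three steps above, automated as an added example (written for this advisory, not Postmark's own tooling): it locates the "postmark-mcp" package in a project tree (manifest and lockfile references plus the installed copy under node_modules), records whether the installed version is 1.0.16 or later, and scans an outbound mail log for BCC recipients outside an allowlist of domains, which is the trace the described backdoor would leave. Treating releases after 1.0.16 as affected, the JSON-lines log format, the placeholder domain exfil-placeholder.invalid and all sample data are assumptions of this script, not facts from the advisory.

```python
"""Added example, written for this advisory and not Postmark's own tooling.

Automates the advisory's three remediation steps for one host: locate the
impersonating "postmark-mcp" npm package, note whether the installed version
is 1.0.16 or later (1.0.16 is the release the advisory says added the BCC
backdoor; treating later releases as affected is this script's assumption),
and scan outbound mail logs for BCC recipients outside an allowlist of
domains. The JSON-lines log format and all sample data are constructed.
"""
import json
import os
import re
import tempfile

PACKAGE = "postmark-mcp"
BACKDOOR_FROM = (1, 0, 16)

# Constructed sample of an outbound mail log, one JSON object per line.
# The third entry carries an extra BCC to a placeholder (.invalid) domain.
SAMPLE_LOG = """
{"ts": "2025-09-25T10:00:01Z", "from": "app@example.com", "to": ["alice@example.com"], "bcc": []}
{"ts": "2025-09-25T10:00:07Z", "from": "app@example.com", "to": ["bob@example.com"], "bcc": ["audit@example.com"]}
{"ts": "2025-09-25T10:00:12Z", "from": "app@example.com", "to": ["carol@example.com"], "bcc": ["collector@exfil-placeholder.invalid"]}
"""


def parse_version(spec: str) -> tuple:
    """'^1.0.16' -> (1, 0, 16). Range prefixes, pre-release and build tags are dropped."""
    core = spec.lstrip("^~=v").split("-")[0].split("+")[0]
    parts = []
    for piece in core.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple((parts + [0, 0, 0])[:3])


def is_backdoored_version(spec: str) -> bool:
    """Assumption: 1.0.16 and every later release carry the backdoor."""
    return parse_version(spec) >= BACKDOOR_FROM


def find_package(root: str) -> dict:
    """Locate manifests/lockfiles naming the package and the installed copy, if any."""
    found = {"references": [], "installed": None}
    for dirpath, _dirs, files in os.walk(root):
        rel_parts = os.path.relpath(dirpath, root).split(os.sep)
        if "node_modules" in rel_parts:
            # The installed copy lives at .../node_modules/postmark-mcp/package.json
            if os.path.basename(dirpath) == PACKAGE and "package.json" in files:
                with open(os.path.join(dirpath, "package.json")) as fh:
                    found["installed"] = json.load(fh).get("version")
            continue
        if "package.json" in files:
            path = os.path.join(dirpath, "package.json")
            with open(path) as fh:
                manifest = json.load(fh)
            if any(PACKAGE in manifest.get(s, {})
                   for s in ("dependencies", "devDependencies", "optionalDependencies")):
                found["references"].append(path)
        if "package-lock.json" in files:
            path = os.path.join(dirpath, "package-lock.json")
            with open(path) as fh:
                text = fh.read()
            # Covers lockfile v1 ("postmark-mcp": {...}) and v2/v3 ("node_modules/postmark-mcp")
            if f'"{PACKAGE}"' in text or f'node_modules/{PACKAGE}"' in text:
                found["references"].append(path)
    return found


def suspicious_bcc(log_lines, allowed_domains) -> list:
    """Return log entries whose BCC list holds a recipient outside allowed_domains."""
    allowed = {d.lower() for d in allowed_domains}
    hits = []
    for line in log_lines:
        line = line.strip()
        if not line:
            continue
        entry = json.loads(line)
        unexpected = [addr for addr in entry.get("bcc", [])
                      if addr.rsplit("@", 1)[-1].lower() not in allowed]
        if unexpected:
            hits.append({"ts": entry["ts"], "to": entry["to"], "unexpected_bcc": unexpected})
    return hits


def triage(root: str, log_lines, allowed_domains) -> dict:
    """Combine both checks into the advisory's action list for one host."""
    found = find_package(root)
    present = bool(found["references"]) or found["installed"] is not None
    return {
        "package": found,
        "backdoored_build_installed": bool(found["installed"]) and is_backdoored_version(found["installed"]),
        # The advisory applies all three steps to anyone who used the package.
        "actions": ["remove", "review_email_logs", "rotate_credentials"] if present else [],
        "unexpected_bcc": suspicious_bcc(log_lines, allowed_domains),
    }


def build_sample_project() -> str:
    """Create a constructed project tree that depends on and has installed the package."""
    root = tempfile.mkdtemp(prefix="postmark-mcp-triage-")
    pkg_dir = os.path.join(root, "node_modules", PACKAGE)
    os.makedirs(pkg_dir)
    with open(os.path.join(root, "package.json"), "w") as fh:
        json.dump({"name": "demo-app", "dependencies": {PACKAGE: "^1.0.16"}}, fh)
    with open(os.path.join(root, "package-lock.json"), "w") as fh:
        json.dump({"name": "demo-app", "lockfileVersion": 3,
                   "packages": {f"node_modules/{PACKAGE}": {"version": "1.0.16"}}}, fh)
    with open(os.path.join(pkg_dir, "package.json"), "w") as fh:
        json.dump({"name": PACKAGE, "version": "1.0.16"}, fh)
    return root


if __name__ == "__main__":
    report = triage(build_sample_project(), SAMPLE_LOG.splitlines(), {"example.com"})
    print(json.dumps(report, indent=2))
```

Run it against a real checkout by passing the project root and your own mail log lines to `triage()` with the domains you legitimately BCC. A missing installed copy does not prove the backdoored build never ran on that host, so the action list is driven by any reference to the package, not only by the version found under node_modules.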
This situation highlights why we take our API security and developer trust so seriously. When you integrate with Postmark, you're working directly with our official, documented APIs—not third-party packages that claim to represent us. If you are not sure what official resources are available, you can find them via the links below, which are always available to our customers:
Our official resources:
Official Postmark MCP - GitHub
API documentation
Official libraries and SDKs
Support channels or email security@activecampaign.com if you have questions