The first malicious MCP server was one line of code: the postmark-mcp rug pull
Article summary
In September 2025, security researchers at Koi Security found what's widely described as the first in-the-wild malicious MCP server. It wasn't a sophisticated zero-day. It was one added line in an email tool.
What happened
postmark-mcp is an npm package that gives an AI agent a tool for sending email through Postmark. For fifteen releases — versions 1.0.0 through 1.0.15 — it did exactly that, and nothing else. It got adopted, it got trusted, it landed in people's daily agent workflows. By the…
Key Takeaways
- In September 2025, security researchers at Koi Security found what's widely described as the first in-the-wild malicious MCP server.
- It was one added line in an email tool.
- postmark-mcp is an npm package that gives an AI agent a tool for sending email through Postmark.
- For fifteen releases — versions 1.0.0 through 1.0.15 — it did exactly that, and nothing else.
Why it matters
Coding AI shifts how fast software ships and how much human review each change needs. DEV — AI reports that in September 2025, security researchers at Koi Security found what's widely described as the first in-the-wild malicious MCP server.
Full story on DEV — AI
Headlines aggregated via RSS for discovery on AIWedia. Original content © DEV — AI. We link to the source and do not republish full articles.