A Postmark backdoor that’s downloading emails

Original Article ↗ Hacker News Discussion ↗

Perception of the Article

  • Several commenters think the blog post reads like “AI-slop”: overlong, padded, full of rhetorical tics (e.g., “it’s not just X, it’s Y”, question-opening paragraphs, emotional filler).
  • Others don’t notice or don’t care, but the writing quality distracts some from the otherwise interesting technical finding.

Nature and Impact of the Attack

  • The backdoor is a one-line BCC that silently forwards all sent emails to an attacker-controlled address.
  • Some argue this is a very “dumb” / obvious attack that is guaranteed to be caught eventually.
  • The article’s impact estimate (hundreds of orgs, thousands of emails/day) is widely criticized as unrealistic because npm download counts are heavily inflated by CI and repeated installs.

MCP vs General Supply-Chain Risk

  • Many emphasize this isn’t special to MCP: it’s a classic supply-chain attack, similar to malicious npm/PyPI/Thunderbird extensions.
  • Others argue MCP amplifies the risk: a single compromised MCP server plugged into an AI agent can expose many connected services (email, docs, keys).
  • There’s debate whether MCP is “unsafe by design” (because it enables LLM-driven tool invocation with broad powers) or just a neutral RPC protocol misused by humans.

Trust: Corporations vs Individuals

  • One thread compares this to Microsoft’s new Outlook syncing emails and credentials to Microsoft servers.
  • Some see no moral difference: both copy your mail.
  • Others stress intent and incentives: a random developer might directly monetize stolen data; large companies have reputational and revenue incentives not to overtly steal assets, even if they exploit data in other ways.

User Behavior and “God-Mode” AI Tools

  • Many note that non-expert users do give tools “god-mode” access without understanding risks, much like early days of Windows shareware or scriptable email clients.
  • HN readers may find this obvious, but commenters stress that for the general public it isn’t, and articles like this serve an educational role.
  • AI agents worsen things: an “idiot with too much access” plus an LLM becomes an active attack vector.

Security Practices, Sandboxing, and Incentives

  • Some advocate minimal dependencies, direct API calls, sandboxed MCP servers on isolated VMs, and stronger supply-chain tooling (e.g., SBOMs).
  • Others argue real-world incentives (time pressure, cost/benefit of security vs productivity) mean most people will continue installing unvetted packages.
  • There’s skepticism that law enforcement will meaningfully pursue such attackers due to jurisdiction, resourcing, and attribution challenges.

Potential Benign Explanation

  • A minority suggests the BCC could be leftover debugging rather than deliberate exfiltration, citing the obviousness and use of a personal-looking email.
  • They note the developer’s package removal and silence resemble an inexperienced reaction; critics reply that even “debug” exfiltration at this scale is unacceptable without clear disclosure and remediation.