MCP security incidents — and how to vet a server before you install it

postmark-mcp — a malicious npm package that BCC'd every email

Disclosed September 2025

A package published as postmark-mcp mimicked a legitimate Postmark MCP server. In version 1.0.16 it added a single line that silently BCC'd every email the server sent to an attacker-controlled address. It had been installed by an estimated few-hundred organisations before disclosure.

What a readiness check tells you here: Nothing in a protocol/readiness check. The server spoke MCP correctly and would have scored well — the malice was one line of exfiltration logic in otherwise-valid code.

Sources: The Hacker News — First Malicious MCP Server · Snyk — postmark-mcp harvests emails

CVE-2025-6514 — remote code execution in mcp-remote

2025

mcp-remote, a widely-used OAuth proxy that lets desktop MCP clients talk to remote servers (hundreds of thousands of downloads), contained a flaw allowing a malicious server to trigger OS command execution on the client when it connected.

What a readiness check tells you here: Out of scope for a readiness grade — this is a client-side library vulnerability, not a property of the server's tool surface. The lesson it teaches the page: connecting to an unknown server is itself a trust decision.

Sources: Securelist — MCP abused in supply-chain attacks

Tool poisoning — hidden instructions in tool descriptions

Disclosed April 2025 (Invariant Labs)

A server can embed instructions in a tool's description (which the model reads but the user usually doesn't) that tell the agent to do something harmful — e.g. read a secret file and pass it as an argument to another tool. The visible behaviour looks normal.

What a readiness check tells you here: A readiness check measures whether descriptions exist and are clear enough to be selectable — it does NOT judge their intent. A description can be well-formed AND poisoned. Defence is reviewing what each tool's description actually says, and isolating untrusted servers.

Sources: Invariant Labs — Tool Poisoning Attacks · OWASP — MCP Tool Poisoning

What a readiness check is — and is not

SaSame's pre-install check and the npx mcp-readiness CLI grade a server on how it speaks the MCP protocol: is it live, does it list well-formed tools, does it label them read-only vs destructive, does it return real content, does it handle errors honestly. That is a real, useful signal — a server that fails it is unfinished or careless.

It is not a malware or supply-chain scan. It cannot see intent, hidden instructions, what a server does with your data, or a malicious change pushed after you install (a "rug-pull"). Treat a passing grade as "this server is competently built," never as "this server is safe to trust."

A practical pre-install checklist

1. Grade it — npx mcp-readiness <url> or browse the check. A failing grade is a fast "not yet."
2. Read the source — open the repo. Unmaintained, obfuscated, or no-source servers are a red flag.
3. Pin the version — pin the npm/package version and review diffs before upgrading (this is what would have stopped postmark-mcp).
4. Read each tool's description — that text is fed to your model. Look for instructions that don't belong (tool poisoning).
5. Isolate untrusted servers — least-privilege credentials; don't combine an untrusted server with one that holds secrets.