Commit 6886086

committed
added postmark-mcp supply chain attack
1 parent dcc9ba1 commit 6886086

File tree

1 file changed

+1
-0
lines changed

initiatives/agent_security_initiative/ASI Agentic Exploits & Incidents/ASI_Agentic_Exploits_Incidents.md

Lines changed: 1 addition & 0 deletions
@@ -32,4 +32,5 @@ Similarly, any aspects relating to incident response should be discussed with th
3232
| **GitHub Copilot & Cursor Code-Agent Exploit – Mar 2025** | Manipulated AI code suggestions injected backdoors, leaked API keys, and introduced logic flaws into production code, creating a significant supply-chain risk as developers trusted AI outputs | T17 (Supply Chain) + T10 (Overwhelming Human in the Loop) | • — <br> • — <br> • [Pillar Security](https://www.pillar.security/blog/new-vulnerability-in-github-copilot-and-cursor-how-hackers-can-weaponize-code-agents)|
3333
**ForcedLeak (Salesforce Agentforce) – Sep 2025** | Critical indirect prompt injection in Salesforce Agentforce allows an external attacker to mislead the agent and exfiltrate sensitive CRM records outside the organization. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) | • [Salesforce](https://help.salesforce.com/s/articleView?id=005135034&type=1)<br> • —<br>• [Noma Security](https://noma.security/blog/forcedleak-agent-risks-exposed-in-salesforce-agentforce) |
3434
**Visual Studio Code & Agentic AI workflows RCE – Sep 2025** | Command injection in agentic AI workflows can let a remote, unauthenticated attacker cause VS Code to run injected commands on the developer’s machine. | • ASI01 (Agent Behaviour Hijack)<br> • ASI02 (Tool Misuse & Exploitation) <br> • ASI05 (Unexpected Code Execution)| • [Microsoft](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-55319)<br>• [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-55319)<br>• —
35+
**Malicious MCP Server Impersonating Postmark – Sep 2025** | Reported as the first in-the-wild malicious MCP server on npm; it impersonated postmark-mcp and secretly BCC’d emails to the attacker.| • ASI02 (Tool Misuse & Exploitation) <br>• ASI04 (Agentic Supply Chain) <br> • ASI07 (Insecure Inter-Agent Communication)| • [Postmark](https://postmarkapp.com/blog/information-regarding-malicious-postmark-mcp-package)<br>• —<br>• [Koi Security](https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft)
3536
---
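Review bot: the ASI07 (Insecure Inter-Agent Communication) mapping in the added Postmark row is not supported by the row's own summary, which describes a trojanized npm package impersonating postmark-mcp that silently BCC'd outgoing mail to the attacker; that is a supply-chain compromise of a tool (ASI04) followed by misuse of the tool's email capability (ASI02), with no inter-agent channel mentioned, so either extend the description to say which agent-to-agent communication was abused or drop ASI07 from the mapping column. Minor formatting: the new row, like the ForcedLeak and VS Code rows, omits the leading `|` and also omits the trailing `|` that the Copilot and ForcedLeak rows carry; GitHub renders both forms, but keeping one convention (leading and trailing `|` on every row) avoids the table breaking on a stricter renderer, and the `• —` placeholder in the references column should be filled with a third source or removed before the table is treated as final.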
