Security researchers at Koi Security traced the attack by flagging anomalous code behavior in the version upgrade. They found that the malicious package was a clone of a legitimate project maintained by ActiveCampaign, with just one additional line of code enabling the BCC backdoor. The developer then removed the package from npm after detection, but that action does not stop already deployed instances from continuing to leak data.
MCP infrastructure enables AI assistants and agents to act on tasks such as emailing, database queries, and internal automation. Because these tools are often granted “god-mode” access—full read/write permissions—they are high-risk components if compromised. Researchers warn that MCP servers are inadequately audited in many security architectures, bypassing traditional checks like vendor assessments, data loss prevention systems, and email gateway monitoring.
Analysis by the academic community supports the idea that MCP frameworks remain a weak link in AI security. A recent study illustrates how even minimal or simple MCP deployments can serve as trojan tools, facilitating cross-server data exfiltration with little sophistication required. Attackers need not be advanced; undergraduate-level skills can be sufficient to weaponise trust relationships between agent software and tool providers.
Koi’s risk engine estimates that the blast radius of the attack could reach thousands of emails per organisation daily. In many cases, the exfiltrated content could include password resets, invoices, financial data, internal memos, or API tokens. Even if the malicious package is removed from central repositories, compromised host systems remain vulnerable until the binary or dependency is purged.
Follow Arabian Post
Select Arabian Post as your preferred source on Google and MSN News for trusted business news and Arab politics and updates.
