A malicious npm package named "postmark-mcp" was discovered impersonating Postmark to steal user emails by secretly BCCing them to an external server. Postmark clarified that they were not involved with this package, and their official API and services remain secure. The fake package, which had built trust over 15 versions before adding a backdoor in version 1.0.16, should be removed immediately by users who installed it. Postmark emphasizes the importance of using only their official documented APIs and resources to ensure security and advises users to report any impersonations to their security team. They stress the importance of verifying the legitimacy of packages claiming to be from Postmark and provide resources for customers to find official tools and support.
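A lockfile check for the package named above, as an added example (not Postmark's code): it lists every install of `postmark-mcp` in a parsed `package-lock.json`, including nested ones, and whether the version is at or after 1.0.16. The function names and the sample lockfiles are constructed for illustration.

```javascript
// Added example: find installs of the impersonating package in an npm lockfile.
const TARGET = "postmark-mcp";        // package name from the advisory
const FIRST_BACKDOORED = [1, 0, 16];  // version the page says added the backdoor

// True when "x.y.z" is >= FIRST_BACKDOORED; prerelease/build suffixes are ignored.
function isBackdoored(version) {
  const parts = String(version).split(/[-+]/)[0].split(".").map(Number);
  for (let i = 0; i < 3; i++) {
    const a = parts[i] || 0, b = FIRST_BACKDOORED[i];
    if (a !== b) return a > b;
  }
  return true;
}

function findInLock(lock, name = TARGET) {
  const hits = [];
  const record = (path, meta) =>
    hits.push({ path, version: meta.version, backdoored: isBackdoored(meta.version) });
  if (lock.packages) {
    // lockfileVersion 2/3: flat map keyed by install path
    for (const [path, meta] of Object.entries(lock.packages)) {
      if (path === `node_modules/${name}` || path.endsWith(`/node_modules/${name}`))
        record(path, meta);
    }
  } else {
    // lockfileVersion 1: nested "dependencies" tree
    const walk = (deps, prefix) => {
      for (const [dep, meta] of Object.entries(deps || {})) {
        const path = `${prefix}node_modules/${dep}`;
        if (dep === name) record(path, meta);
        walk(meta.dependencies, `${path}/`);
      }
    };
    walk(lock.dependencies, "");
  }
  return hits;
}

// Constructed sample lockfiles (not real project data)
const sampleV3 = { lockfileVersion: 3, packages: {
  "": { name: "demo" },
  "node_modules/example-lib": { version: "2.0.0" },
  "node_modules/agent/node_modules/postmark-mcp": { version: "1.0.16" } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  "postmark-mcp": { version: "1.0.15" } } };

for (const hit of [...findInLock(sampleV3), ...findInLock(sampleV1)])
  console.log(`${hit.path}@${hit.version} backdoored=${hit.backdoored}: remove it`);
```

For a real project, pass the parsed contents of `package-lock.json` to `findInLock`; any hit is the impersonating package and should be removed, whatever its version.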