Open source OAuth 2.1 authorization for MCP servers. Self-hosted. One binary. Production-grade MCP auth in under 10 minutes.github.com/authplane Palo Alto, CAJoined May 2026
For 15 versions, postmark-mcp on npm worked fine. Version 1.0.16 added one line of code and started BCCing every email to the developer's own server.
The package appeared on npm in September 2025, looking identical to the real Postmark integration. It was pulling around 1,500 installs a week.
Then v1.0.16 shipped. One new line: every email the tool sent got silently BCC'd to an outside address. Password resets, invoices, customer communications, all quietly forwarded for over a week before Koi Security exposed it publicly.
Koi called it the first malicious MCP server found in the wild. It wasn't sophisticated. It was one line, sitting where nobody was looking.
And here's the part that should really bother you: the entire trust arc took two days. All 15 clean versions were published between September 15 and 17. That's how fast "looks legit" becomes "trusted infrastructure."
MCP servers run with your credentials and almost no oversight. The tool you trusted yesterday can be the leak today. Sometimes, literally yesterday.
If your agents touch real systems, you need to know exactly what each one can reach, and they shouldn't be holding long-lived credentials they don't need.
That's the whole reason we're building AuthPlane.
Reference Koi Security: koi.ai/blog/postmark-…#MCP#MCPsecurity #agenticeconomy
Great event by @GitHub last night on the future of developer tools: luma.com/FutureCodeFron…
One point from @hahnbeelee stuck with us: as more code gets written by AI, more security incidents will follow unless builders get much better at understanding risk and mitigation.
AI is changing how we ship. Security has to change just as fast.
Panel: @idangazit@digitarald@dakshgup@hahnbeelee@gcgarriga
Details matter:
- S256 only "plain" PKCE defeats the purpose; we reject it at the protocol level
- auth codes are single-use w/ atomic consumption
- refresh tokens rotate per use; replay a stolen one, and the whole family is revoked
Authorization in MCP is optional. But once a server adds HTTP-based authorization, the spec requires OAuth 2.1 with PKCE. No exceptions. Some devs call that overkill. It isn't.
Every simpler alternative fails in a specific, known way. 🧵
7K Followers 4K Followinginvesting + exploring things onchain @strobefund 🦋🦋 prev @blocktower
all views or opinions herein are those of the author and not representative of strobe.
433 Followers 26 FollowingRepeat entrepreneur. Co-founder and CEO of @CodigoPlatform - AI Development Platform For Solana. Founder of AIOPs leader SignifAI (acquired by New Relic).
19 Followers 395 Followingما بي من علم فمن الله، ولا حول ولا قوة إلا بالله
Whatever knowledge I possess is from ALLAH, and there is no power or strength except with ALLAH
827 Followers 24 FollowingHiddenLayer helps enterprises safeguard the AI models behind their most important products with a comprehensive security platform
99K Followers 1K FollowingAgents & Gemini API, MTS @GoogleDeepMind | prev: Tech Lead at @huggingface, AWS ML Hero 🤗 Sharing my own views and AI News 🧑🏻💻 https://t.co/7IosdlO6RA
38K Followers 4K FollowingEasy to implement, adaptable authentication and authorization platform.
We make your login box awesome.
Status: @auth0status | Support: @auth0community
5.0M Followers 4 FollowingOpenAI’s mission is to ensure that artificial general intelligence benefits all of humanity. We’re hiring: https://t.co/dJGr6LgzPA
1.5M Followers 2 FollowingWe're an AI safety and research company that builds reliable, interpretable, and steerable AI systems. Talk to our AI assistant @claudeai on https://t.co/FhDI3KQh0n.