Re: [tlug] Microsoft CAN do it right!

[Michael Paddon <michael@example.com>]

Thanks for the interesting article link.

You have to take the hyperbole of people with something to sell with a grain of salt. There's nothing special about MCP code. It has whatever permissions you give it, just like any other software you install. It doesn't magically install itself. This is where a robust software supply chain becomes important.

Consider the XZ backdoor last year. Despite the sophistication of the attack, it was discovered through strong quality practices and production distros were not compromised. OTOH if you download random JS from npm, you'd better check it before using it, and before every update. TANSTAAFL.

But if you want to sell something to PHBs you have to tie it to the buzz word du jour. Today, that's MCP. Tomorrow it will be Agentic something.

On 28 Sept 2025 10:37, osburn <tim@example.com> wrote:

Here is one example :)
https://www.koi.security/blog/postmark-mcp-npm-malicious-backdoor-email-theft

-osburn-



> On Sep 27, 2025, at 6:11 PM, Christian Horn <chorn@example.com> wrote:
>
>>   [..] We are entering an era where AI will be able to screen our
>>   email for us. Address based anti spam will soon be obsolete. This is a
>>   good thing because privacy is enhanced if people can stand up their own
>>   email servers. [..]
>
> How do you think things will change in that area due to AI?
>
> Chris
>
>