SmartLoader attack uses Trojanized Oura MCP server to deploy StealC Infostealer

Ravi Lakshmanan | February 17, 2026 | Infostealer / Artificial Intelligence

Cybersecurity researchers have disclosed details of a new SmartLoader campaign that distributes a trojanized version of the Model Context Protocol (MCP) server associated with Oura Health to deliver an information stealer known as StealC.

“Threat actors cloned the legitimate Oura MCP Server (a tool that connects AI assistants to Oura Ring health data) and created a deceptive infrastructure of fake forks and contributors to fabricate its credibility,” Straiker’s AI Research (STAR) Labs team said in a report shared with The Hacker News.

The ultimate goal is to leverage a trojanized version of the Oura MCP server to deliver the StealC infostealer, allowing attackers to steal credentials, browser passwords, and data from cryptocurrency wallets.

First highlighted by OALABS Research in early 2024, SmartLoader is a malware loader known to be distributed via fake GitHub repositories that use artificial intelligence (AI)-generated lures to appear legitimate.

In an analysis published in March 2025, Trend Micro revealed that these repositories are disguised as game cheats, cracked software, and cryptocurrency utilities, typically promising free or unauthorized features to lure victims into downloading ZIP archives that deploy SmartLoader.

Straiker’s latest findings highlight a new AI-focused development. Attackers create a network of fake GitHub accounts and repositories that serve trojanized MCP servers and submit them to legitimate MCP registries such as MCP Market. The MCP server is still listed in the MCP directory.

The idea is to poison MCP registries and weaponize platforms like GitHub, using the trust and reputation associated with the service to lure unsuspecting users into downloading malware.

“Unlike opportunistic malware attacks that prioritize speed and volume, SmartLoader spent months building credibility before deploying its payload,” the company said. “This patient, methodical approach shows that the attackers understand that gaining developer trust will take time, and are willing to invest that time in gaining access to high-value targets.”

The attack essentially unfolded in four stages:

  • Created at least five fake GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112) to build a collection of seemingly legitimate repository forks of the Oura MCP server.
  • Created another Oura MCP server repository containing a malicious payload under a new account, ‘SiddhiBagul’.
  • Added the newly created fake accounts as “contributors” to feign authenticity, while intentionally excluding the original author from the contributor list.
  • Submitted the trojanized server to MCP Market.

This also means that users who search for the Oura MCP server on the registry are likely to find the rogue server listed among other benign alternatives. When launched via a ZIP archive, it executes an obfuscated Lua script that drops SmartLoader, which then deploys StealC.

The evolution of the SmartLoader campaign marks a shift from attacks on users looking for pirated software to attacks on developers, whose systems tend to contain sensitive data such as API keys, cloud credentials, cryptocurrency wallets, and access to operational systems. Stolen data can be exploited to facilitate subsequent intrusions.

To counter the threat, organizations are encouraged to inventory installed MCP servers, establish formal security reviews prior to installation, verify the origin of MCP servers, and monitor for suspicious outgoing traffic and persistence mechanisms.
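One way to start the inventory and origin check described above, as an added example that is not from the article or the researchers' report: it reads the `mcpServers` JSON layout used by common MCP clients and compares each entry against a hypothetical allowlist of reviewed packages. All server names, package names, paths and the script-suffix list are constructed assumptions.

```python
import json

# Constructed sample config in the "mcpServers" layout (name -> command, args).
# Every name, package and path below is made up for illustration.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "notes": {"command": "npx", "args": ["-y", "@example-org/notes-mcp@1.4.2"]},
    "ring-data": {"command": r"C:\Users\dev\Downloads\ring-mcp\launcher.exe",
                  "args": [r"C:\Users\dev\Downloads\ring-mcp\main.lua"]},
    "tickets": {"command": "npx", "args": ["-y", "@example-org/tickets-mcp"]},
}})

# Hypothetical allowlist from a security review: package -> reviewed version.
APPROVED = {"@example-org/notes-mcp": "1.4.2", "@example-org/tickets-mcp": "2.0.0"}
PACKAGE_RUNNERS = {"npx", "uvx"}
SCRIPT_SUFFIXES = (".lua", ".bat", ".ps1")  # assumed heuristic, tune locally

def split_package(spec):
    """Split 'name@version' into (name, version); handles scoped '@org/name'."""
    name, sep, version = spec.rpartition("@")
    return (name, version) if sep and name else (spec, None)

def review_server(entry):
    """Return findings for one mcpServers entry; an empty list means approved."""
    command = entry.get("command", "")
    args = [str(a) for a in entry.get("args", [])]
    findings = []
    if command.lower() in PACKAGE_RUNNERS:
        specs = [a for a in args if not a.startswith("-")]
        pkg, version = split_package(specs[0]) if specs else ("", None)
        if pkg not in APPROVED:
            findings.append(f"package '{pkg}' has not been reviewed")
        elif version != APPROVED[pkg]:
            findings.append(f"'{pkg}' not pinned to reviewed version {APPROVED[pkg]}")
    else:
        findings.append(f"runs a local binary of unverified origin: {command}")
    if any(a.lower().endswith(SCRIPT_SUFFIXES) for a in args):
        findings.append("launches a script file passed as an argument")
    return findings

def inventory(config_text):
    """Map every configured MCP server name to its list of findings."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: review_server(entry) for name, entry in servers.items()}

if __name__ == "__main__":
    for server, findings in inventory(SAMPLE_CONFIG).items():
        print(server, findings or "OK")
```

Entries with findings are candidates for the formal review step, not proof of compromise; a locally unpacked server simply has no registry provenance to check.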

“This campaign exposes a fundamental weakness in the way organizations evaluate AI tools,” Straiker said. “SmartLoader’s success depends on security teams and developers applying outdated trust heuristics to new attack surfaces.”

