Cybersecurity researchers have uncovered a sophisticated campaign using a trojanized Model Context Protocol (MCP) server linked to Oura Health to deliver the StealC information stealer.
According to Straiker’s AI Research (STAR) Labs, attackers cloned the legitimate Oura MCP server—which normally connects AI assistants to Oura Ring health data—and created fake forks, contributor accounts, and a deceptive infrastructure to build credibility.
The trojanized server is then used to deliver StealC, enabling attackers to harvest browser credentials, passwords, and cryptocurrency wallet data.
SmartLoader Campaign Background
SmartLoader is a malware loader first highlighted by OALABS Research in 2024, typically distributed through fake GitHub repositories. Early campaigns disguised repositories as game cheats, cracked software, or crypto tools to entice downloads via ZIP archives. These archives execute obfuscated scripts to install SmartLoader and its payloads.
Straiker Labs’ latest findings reveal an AI-enhanced evolution of the campaign. Attackers created multiple fake GitHub accounts and submitted the trojanized MCP servers to legitimate MCP registries like MCP Market, exploiting the trust and reputation associated with these platforms.
Attack Stages
The operation unfolded in four deliberate stages:
- Fake Accounts: At least five bogus GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, yzhao112) were created to simulate legitimate forks of the Oura MCP server.
- Malicious Repository: A new repository hosting the trojanized MCP server was created under the account “SiddhiBagul.”
- Credibility Enhancement: Fake accounts were added as contributors, while the original author was intentionally excluded to manufacture trust.
- Registry Submission: The trojanized server was listed on the MCP Market, appearing alongside legitimate MCP servers.
Once users download the server via a ZIP archive, an obfuscated Lua script executes, dropping SmartLoader, which subsequently installs StealC.
Targeting Developers and High-Value Data
The SmartLoader campaign demonstrates a shift from targeting casual users seeking pirated software to developers and organizations. Developers’ machines often store sensitive data such as API keys, cloud credentials, and crypto wallets. Stealing this information enables follow-on attacks, potentially compromising production environments.
Found this article interesting? Follow us on X (Twitter) , Facebook, Blue sky and LinkedIn to read more exclusive content we post.
