SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer
Source: The Hacker News
Overview
Ravie Lakshmanan
Feb 17 2026 – Infostealer / Artificial Intelligence
Cybersecurity researchers have disclosed details of a new SmartLoader campaign that distributes a trojanized version of a Model Context Protocol (MCP) server associated with Oura Health to deliver the information‑stealer StealC (source).
“The threat actors cloned a legitimate Oura MCP Server – a tool that connects AI assistants to Oura Ring health data – and built a deceptive infrastructure of fake forks and contributors to manufacture credibility,”
— Straiker’s AI Research (STAR) Labs, The Hacker News report.
The end game is to use the trojanized Oura MCP server to drop StealC, which can steal credentials, browser passwords, and cryptocurrency‑wallet data.
SmartLoader was first highlighted by OALABS Research in early 2024 (link). It is a malware loader distributed via fake GitHub repositories that contain AI‑generated lures, making them appear legitimate.
In a March 2025 analysis, Trend Micro revealed that these repositories are disguised as game cheats, cracked software, and cryptocurrency utilities, coaxing victims with promises of free or unauthorized functionality to download ZIP archives that deploy SmartLoader (source).
The latest findings from Straiker highlight a new AI twist: threat actors created a network of bogus GitHub accounts and repositories to host trojanized MCP servers and submitted them to legitimate MCP registries such as MCP Market (the server is still listed here).
By poisoning MCP registries and weaponizing platforms like GitHub, the attackers leverage the trust and reputation of these services to lure unsuspecting users into downloading malware.
“Unlike opportunistic malware campaigns that prioritize speed and volume, SmartLoader invested months building credibility before deploying their payload,” the company said. “This patient, methodical approach demonstrates the threat actor’s understanding that developer trust requires time to manufacture, and their willingness to invest that time for access to high‑value targets.”
Attack flow (four stages)
- Fake GitHub accounts – At least five accounts (YuzeHao2023, punkpeye, dvlan26, halamji, yzhao112) were created to build a collection of seemingly legitimate forks of the Oura MCP server.
- Malicious repository – A new Oura MCP server repository containing the payload was created under the account SiddhiBagul.
- Credibility veneer – The fake accounts were added as “contributors,” deliberately omitting the original author from the contributor list.
- Registry poisoning – The trojanized server was submitted to MCP Market.
Because the rogue server is listed alongside benign alternatives in the MCP registry, users searching for the Oura MCP server may inadvertently download the malicious version. Once executed via a ZIP archive, an obfuscated Lua script drops SmartLoader, which then deploys StealC.
The evolution of the SmartLoader campaign shows a shift from targeting users seeking pirated software to targeting developers. Developers’ machines often contain high‑value assets such as API keys, cloud credentials, cryptocurrency wallets, and access to production environments—making them attractive for follow‑on intrusions.
Mitigation recommendations
- Inventory all installed MCP servers.
- Establish a formal security review process before installing any MCP component.
- Verify the authenticity of GitHub repositories and MCP registry entries (check contributor history, signatures, and publisher reputation).
- Use endpoint detection and response (EDR) solutions to detect anomalous Lua scripts or unexpected drops of SmartLoader.
- Apply network segmentation to limit the impact of credential theft on critical systems.
- Monitor the origin of MCP servers and watch for suspicious egress traffic and persistence mechanisms.
“This campaign exposes fundamental weaknesses in how organizations evaluate AI tooling,” Straiker said.
“SmartLoader’s success depends on security teams and developers applying outdated trust heuristics to a new attack surface.”
Content originally published on The Hacker News and referenced sources.
Found this article interesting? Follow us for more exclusive content: