SmartLoader Attack Uses Trojanized Oura MCP Server to Install StealC Infostealer
Cybersecurity researchers have revealed new information SmartLoader a campaign that involved distributing a trojanized version of the Model Context Protocol (MCP) server associated with Oura Health to deliver a hacker called StealC.
“Threat actors have created a legitimate Oura MCP Server – a tool that connects AI assistants to Oura Ring health data – and created a deceptive infrastructure of fake forks and donors to build credibility,” said the AI Research (STAR) Labs’ Striker team in a report shared with The Hacker News.
The end game is to use an upgraded version of the Oura MCP server to deliver the StealC infostealer, which allows malicious actors to steal credentials, browser passwords, and data from cryptocurrency wallets.
SmartLoader, which was first highlighted by OALABS Research in early 2024, is a malware loader known to be distributed via fake GitHub repositories that contain artificial intelligence (AI) artificial intelligence to give the impression that they are legitimate.
In an analysis published in March 2025, Trend Micro revealed that these endpoints are disguised as game cheats, broken software, and cryptocurrency services, often luring victims with promises of free or unauthorized functionality to download ZIP archives using SmartLoader.
The latest findings from Striker highlight a new twist to AI, with malicious actors creating a network of fake GitHub accounts and repositories to provide compromised MCP servers and post them to official MCP registries such as the MCP Market. The MCP server is still listed in the MCP directory.
By poisoning MCP subscribers and weaponizing platforms like GitHub, the idea is to increase the trust and reputation associated with the services to entice unsuspecting users to download the malware.
“Unlike opportunistic malware campaigns that prioritize speed and volume, SmartLoader has invested months in building credibility before releasing its payload,” the company said. “This patient, methodical approach demonstrates the threat actor’s understanding that developer trust requires time to execute, and their willingness to invest that time to achieve high-value targets.”
The attack took place in four phases –
- At least 5 fake GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112) were created to create a collection of seemingly official repository forks for the Oura MCP server.
- Created another cache of Oura MCP server by malicious upload under new account “SiddhiBagul”
- Added fake accounts that were newly created as “contributors” to show credibility, while intentionally removing the original author from the list of contributors.
- Ported a hacked server to MCP Market
This also means that users who end up looking for an Oura MCP server in the registry will end up finding a rogue server listed among other wrong options. When launched via a ZIP archive, it results in the execution of an obfuscated Lua script responsible for dumping SmartLoader, which then proceeds to feed StealC.
The evolution of the SmartLoader campaign shows a shift from attackers looking for pirated software to developers, whose systems have become high-value targets, given that they often contain sensitive data such as API keys, cloud credentials, crypto wallets, and access to production systems. Stolen data may be misused to fuel subsequent intrusions.
As a mitigation against the threat, organizations are recommended to install MCP servers, perform a formal security review before installation, verify the origin of MCP servers, and monitor the emergence of suspicious traffic and persistence methods.
“This campaign exposes a fundamental weakness in the way organizations evaluate AI tools,” Straiker said. “SmartLoader’s success depends on security teams and developers applying outdated trust heuristics to the new attack environment.”
