SmartLoader Campaign Trojanizes Oura MCP Server With Fake GitHub Network to Deploy StealC Infostealer
A new SmartLoader campaign is targeting developers through trojanized AI tooling — cloning a legitimate Model Context Protocol (MCP) server for Oura Health's smart ring and distributing it through the MCP Market registry to deliver the StealC infostealer.
The campaign, documented by Straiker's AI Research (STAR) Labs, represents a shift in SmartLoader operations from targeting users seeking pirated software to deliberately targeting developers — whose systems contain API keys, cloud credentials, cryptocurrency wallets, and access to production environments.
Months of Manufactured Trust
Unlike typical malware campaigns that prioritize speed, this operation invested months building credibility before deploying any payload. The attack unfolded in four stages:
- Created fake personas — at least five bogus GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, yzhao112) were established to build a collection of seemingly legitimate repository forks of the real Oura MCP server
- Built the weaponized repo — a new Oura MCP server repository containing the malicious payload was created under the account "SiddhiBagul"
- Manufactured contributor credibility — the fake accounts were added as "contributors" to the malicious repo while deliberately excluding the original legitimate author from contributor lists
- Submitted to MCP Market — the trojanized server was listed on the MCP Market registry, where it appeared alongside legitimate alternatives — and remains listed as of publication
Users searching for the Oura MCP server on the registry would find the rogue version among benign results, with no obvious indicators that it was malicious.
Infection Chain
Once a victim downloads and launches the trojanized MCP server via its ZIP archive, the infection proceeds through a straightforward chain:
- An obfuscated Lua script executes and drops SmartLoader
- SmartLoader deploys StealC, a widely used infostealer
- StealC harvests credentials, browser passwords, and cryptocurrency wallet data
The stolen data provides attackers with the materials needed for follow-on intrusions — cloud account access, API keys, and production system credentials from developer machines represent significantly higher-value targets than typical consumer data.
AI Tooling as an Attack Surface
SmartLoader's evolution mirrors a broader trend. The campaign previously relied on AI-generated lures disguised as game cheats and cracked software on GitHub. By pivoting to trojanized MCP servers — tools that connect AI assistants to external data sources — the operators are exploiting a new attack surface where security review processes haven't caught up with adoption speed.
This is the second major incident involving poisoned AI developer tooling in recent days, following the discovery of infostealers targeting OpenClaw AI agent configuration files and gateway tokens.
Defender Recommendations
- Inventory all installed MCP servers and verify their origin against official sources
- Establish formal security review processes before installing any MCP server
- Verify GitHub repository legitimacy — check contributor history, account age, and whether the original author is present
- Monitor for suspicious egress traffic and unexpected persistence mechanisms following MCP server installation
- Treat MCP registries with the same caution as npm or PyPI — community registries are not curated and can be poisoned
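A sketch of the first recommendation, added here as an example and not taken from the Straiker report: it lists the servers in an MCP client configuration and flags any whose origin has not been reviewed. It assumes the client keeps servers under an "mcpServers" key with "command" and "args" fields, as several MCP clients do; the sample configuration, package names, path and allowlist are constructed.

```python
import json

# Launchers that fetch a package by name; anything else is treated as a local install.
PACKAGE_LAUNCHERS = {"npx", "uvx", "pipx"}

def origin_of(command, args):
    """Return (kind, origin) for one MCP server entry."""
    launcher = command.replace("\\", "/").rsplit("/", 1)[-1].lower()
    launcher = launcher.removesuffix(".exe").removesuffix(".cmd")
    positional = [a for a in args if not a.startswith("-")]
    if launcher in PACKAGE_LAUNCHERS and positional:
        return "package", positional[0]
    # Local install (for example an unpacked ZIP): the script path is the origin.
    return "local", positional[0] if positional else command

def inventory(config_text):
    """List every server under the 'mcpServers' key of an MCP client config."""
    servers = json.loads(config_text).get("mcpServers", {})
    return [(name, *origin_of(s.get("command", ""), s.get("args", [])))
            for name, s in sorted(servers.items())]

def review(config_text, approved):
    """Split the inventory into reviewed origins and ones needing review."""
    ok, flagged = [], []
    for name, kind, origin in inventory(config_text):
        (ok if origin in approved else flagged).append((name, kind, origin))
    return ok, flagged

# Constructed sample config and allowlist; all names and paths are made up.
SAMPLE_CONFIG = """
{"mcpServers": {
  "filesystem": {"command": "npx", "args": ["-y", "@example/fs-mcp"]},
  "oura": {"command": "node", "args": ["C:/Users/dev/Downloads/oura-mcp/build/index.js"]},
  "notes": {"command": "uvx", "args": ["example-notes-mcp"]}
}}
"""
APPROVED = {"@example/fs-mcp"}

if __name__ == "__main__":
    ok, flagged = review(SAMPLE_CONFIG, APPROVED)
    for name, kind, origin in flagged:
        print(f"REVIEW {name}: {kind} origin {origin}")
```

Entries reported as "local" point at code already on disk, so their provenance (which repository or archive they came from) has to be checked by hand.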