Cybersecurity researchers have uncovered a sophisticated SmartLoader campaign that distributes a trojanized Model Context Protocol (MCP) server associated with Oura Health. The server is used to deploy StealC, a data-stealing malware.
Trojanized Oura MCP Server
According to Straiker’s AI Research (STAR) Labs, threat actors replicated a genuine Oura MCP Server, an application that integrates AI assistants with Oura Ring health data, to build a fake infrastructure. This includes creating counterfeit forks and contributors to lend an air of credibility. The primary objective is to use this trojanized server to distribute StealC, enabling the theft of credentials, browser passwords, and cryptocurrency wallet data.
SmartLoader was first identified by OALABS Research in early 2024. It is a malware loader spread through counterfeit GitHub repositories that use AI-generated lures to appear legitimate. Trend Micro’s March 2025 analysis indicated that these repositories masquerade as game cheats, cracked software, and cryptocurrency utilities. They entice victims with the promise of free or unauthorized features and lead them to download ZIP archives that install SmartLoader.
Exploiting Trust in Digital Platforms
The recent findings by Straiker reveal a new, AI-focused variation on this approach: cybercriminals create fake GitHub accounts and repositories to distribute trojanized MCP servers, then submit them to legitimate MCP registries like MCP Market. The trojanized server remains listed among legitimate options in the MCP directory. The strategy exploits the trust and reputation associated with these platforms to deceive users into downloading malware.
Unlike other malware operations that prioritize speed, the SmartLoader operators invested considerable time in building trust before executing their attack. This calculated and patient approach shows that the attackers understand the need to cultivate developer trust over time when targeting valuable systems that contain sensitive data.
Staged Attack Strategy
The attack unfolded in four stages: creating at least five fake GitHub accounts to fork the Oura MCP server, establishing a new repository with the malicious payload under a new account, adding fake contributors to enhance credibility, and submitting the compromised server to the MCP Market.
Consequently, users searching for the Oura MCP server may encounter the rogue version among legitimate alternatives. Once the rogue server is executed from a ZIP archive, an obfuscated Lua script runs SmartLoader, which then deploys StealC. This campaign marks a shift from targeting users seeking pirated software to targeting developers, who often possess sensitive data such as API keys, cloud credentials, and access to production systems.
Preventative Measures and Future Outlook
Organizations are advised to inventory installed MCP servers, implement formal security reviews before installation, verify the source of MCP servers, and monitor for suspicious activity. This campaign highlights weaknesses in how organizations evaluate AI tools. SmartLoader’s success hinges on security teams and developers relying on outdated trust heuristics in this new threat landscape.
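As an added example (not from Straiker or the original article), the inventory step can be sketched in Python: the script reads an MCP client configuration and flags every server that is not on a reviewed allowlist, noting those that start code from a local path. The `mcpServers` layout, the sample entries, the `OURA_TOKEN` variable name and the allowlist are assumptions constructed for illustration.

```python
import json
from pathlib import PureWindowsPath  # splits on both "/" and "\\"

# Constructed sample. Assumption: the client keeps its servers under a
# top-level "mcpServers" key, each entry having "command", "args" and "env".
SAMPLE_CONFIG = """
{"mcpServers": {
  "files": {"command": "npx", "args": ["-y", "@example/fs-server"]},
  "oura":  {"command": "node",
            "args": ["C:/Users/dev/Downloads/oura-mcp/build/index.js"],
            "env": {"OURA_TOKEN": "placeholder"}},
  "notes": {"command": "uvx", "args": ["example-notes-mcp"]}
}}
"""

# Hypothetical allowlist: (runner, target) pairs that passed security review.
APPROVED = {("npx", "@example/fs-server")}
PACKAGE_RUNNERS = {"npx", "uvx", "pipx", "bunx"}


def launch_target(command, args):
    """Return (runner, target): the program and the package or script it starts."""
    runner = PureWindowsPath(command).name.lower()
    for suffix in (".exe", ".cmd"):
        runner = runner.removesuffix(suffix)
    positional = [a for a in args if not a.startswith("-")]
    return runner, (positional[0] if positional else "")


def inventory(config_text, approved):
    """List every configured MCP server; unapproved ones carry review reasons."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = []
    for name, entry in sorted(servers.items()):
        runner, target = launch_target(entry.get("command", ""), entry.get("args", []))
        reasons = []
        if (runner, target) not in approved:
            reasons.append("not on reviewed allowlist")
            if runner not in PACKAGE_RUNNERS:
                reasons.append("starts code from a local path; verify where it came from")
        report.append({"name": name, "runner": runner, "target": target,
                       "env_keys": sorted(entry.get("env", {})), "reasons": reasons})
    return report


if __name__ == "__main__":
    for row in inventory(SAMPLE_CONFIG, APPROVED):
        status = "REVIEW" if row["reasons"] else "ok"
        print(status, row["name"], row["runner"], row["target"], row["env_keys"], row["reasons"])
```

The `env_keys` column records which credentials each server is handed, which helps prioritize review of unapproved entries.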
