Cyber Web Spider Blog – News

SmartLoader Malware Exploits Oura Server for Data Theft


Posted on February 17, 2026 By CWS

Cybersecurity experts have disclosed a sophisticated SmartLoader campaign that distributes a compromised Model Context Protocol (MCP) server linked to Oura Health. The server is used to deploy StealC, a data-stealing malware.

Trojanized Oura MCP Server

According to Straiker’s AI Research (STAR) Labs, threat actors replicated a genuine Oura MCP Server, an application that integrates AI assistants with Oura Ring health data, to build a fake infrastructure. This includes creating counterfeit forks and contributors to lend an air of credibility. The primary objective is to use this trojanized server to distribute StealC, enabling the theft of credentials, browser passwords, and cryptocurrency wallet data.

SmartLoader was first identified by OALABS Research in early 2024. It is a malware loader spread through counterfeit GitHub repositories that use AI-generated lures to appear legitimate. Trend Micro’s March 2025 analysis indicated that these repositories masquerade as game cheats, cracked software, and cryptocurrency utilities, enticing victims with the promise of free or unauthorized features, leading to the download of ZIP archives that install SmartLoader.

Exploiting Trust in Digital Platforms

Straiker's recent findings reveal a novel AI-related approach: cybercriminals create fake GitHub accounts and repositories to distribute trojanized MCP servers, then submit them to legitimate MCP registries such as MCP Market. The trojanized server remains listed among legitimate options in the MCP directory. The strategy aims to exploit the trust and reputation associated with these platforms to deceive users into downloading malware.

Unlike other malware operations that prioritize speed, the SmartLoader operators invested considerable time in building trust before executing their attack. This calculated, patient approach shows the attackers' understanding of the need to cultivate developer trust over time, targeting valuable systems containing sensitive data.

Staged Attack Strategy

The attack unfolded in four stages: creating at least five fake GitHub accounts to fork the Oura MCP server, establishing a new repository with the malicious payload under a new account, adding fake contributors to enhance credibility, and submitting the compromised server to the MCP Market.

Consequently, users searching for the Oura MCP server may encounter the rogue version among legitimate alternatives. Once executed from a ZIP archive, an obfuscated Lua script runs SmartLoader, which subsequently deploys StealC. This campaign marks a shift from targeting users seeking pirated software to targeting developers, who often possess sensitive data such as API keys, cloud credentials, and access to production systems.

Preventative Measures and Future Outlook

Organizations are advised to inventory installed MCP servers, implement formal security reviews before installation, verify the source of MCP servers, and monitor for suspicious activity. This campaign highlights vulnerabilities in organizational evaluations of AI tools. SmartLoader’s success hinges on security teams and developers relying on outdated trust heuristics in this new threat landscape.
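The inventory and source-verification steps can be scripted. The following is an added example, not code from Straiker or the original article: it audits a client configuration in the `mcpServers` layout against a reviewed allowlist. The sample config, server names, paths, allowlist, and the risky-directory heuristic are all constructed assumptions.

```python
import hashlib
import json

# Constructed sample in the "mcpServers" layout used by common MCP client configs.
SAMPLE_CONFIG = json.loads(r"""
{"mcpServers": {
  "filesystem": {"command": "npx",
                 "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/docs"]},
  "oura": {"command": "C:\\Users\\dev\\Downloads\\oura-mcp-main\\start.cmd", "args": []},
  "notes": {"command": "npx", "args": ["-y", "example-notes-mcp@2.0.0"]}
}}""")

# Assumed heuristic: launch paths under download/temp folders (e.g. an unpacked ZIP).
RISKY_DIRS = ("\\downloads\\", "/downloads/", "\\temp\\", "/tmp/")


def fingerprint(entry):
    """Stable hash of what actually gets launched (command plus arguments)."""
    spec = json.dumps([entry.get("command", ""), entry.get("args", [])])
    return hashlib.sha256(spec.encode()).hexdigest()


def audit(config, approved):
    """Return {server name: [findings]}; an empty list means it matches the review.

    approved maps server name -> fingerprint recorded at security review.
    """
    report = {}
    for name, entry in sorted(config.get("mcpServers", {}).items()):
        findings = []
        if name not in approved:
            findings.append("unreviewed")
        elif approved[name] != fingerprint(entry):
            findings.append("changed-since-review")
        launch = " ".join([entry.get("command", "")] + entry.get("args", [])).lower()
        if any(d in launch for d in RISKY_DIRS):
            findings.append("runs-from-download-or-temp-dir")
        report[name] = findings
    return report


# Hypothetical allowlist: "oura" was never reviewed; "notes" was reviewed at 1.0.0.
APPROVED = {
    "filesystem": fingerprint(SAMPLE_CONFIG["mcpServers"]["filesystem"]),
    "notes": fingerprint({"command": "npx", "args": ["-y", "example-notes-mcp@1.0.0"]}),
}

if __name__ == "__main__":
    for server, findings in audit(SAMPLE_CONFIG, APPROVED).items():
        print(f"{server:12} {', '.join(findings) or 'ok'}")
```

Fingerprinting the launch command rather than the server name means an entry that keeps its familiar name but points at a different package or path still surfaces as changed.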

The Hacker News Tags: AI security, cryptocurrency wallets, Cybersecurity, data theft, GitHub, malware attack, MCP Market, Oura MCP server, SmartLoader, StealC infostealer

Copyright © 2026 Cyber Web Spider Blog – News.
