SmartLoader Hackers Clone Oura MCP Project to Spread StealC Malware

Hackers have devised a cunning scheme using a fake Oura MCP server to trick users into downloading malware that installs the StealC info-stealer. The team at Straiker’s AI Research (STAR) Labs has uncovered a SmartLoader campaign where attackers cloned a legitimate MCP server linked to Oura Health to disseminate the StealC information stealer.

The fraudulent project appeared credible, complete with bogus forks and contributors, designed to deceive users into downloading a trojanized version. Once installed, it deployed malware aimed at stealing sensitive data. According to the report published by Straiker, “Our investigation revealed that the threat actors cloned a legitimate Oura MCP Server—a tool that connects AI assistants to Oura Ring health data—and built a deceptive infrastructure of fake forks and contributors to manufacture credibility. The trojanized version of the Oura MCP server delivers the StealC info-stealer, targeting developer credentials, browser passwords, and cryptocurrency wallets.”

This campaign marks a significant shift in the threat landscape: traditional threat actors who have long targeted software supply chains are now pivoting to MCP ecosystems, employing their proven tactics and operational sophistication to exploit this emerging attack surface. Researchers indicate that the SmartLoader operators spent months constructing a fake GitHub ecosystem to make their malware appear trustworthy. They initially selected a popular developer tool: the Oura MCP Server, a project created by an OpenAI engineer that connects AI assistants to Oura Ring data.

Next, the attackers created a network of fake GitHub accounts, forking the legitimate project to simulate real community interest. The main account, YuzeHao2023, created the initial clean fork: YuzeHao2023 MCP-oura. Four additional accounts then forked the same project to enhance its appearance of popularity and legitimacy.

The report continues, “These accounts exhibit characteristics consistent with AI-generated personas: recent creation dates, similar activity patterns, and commits concentrated in the same timeframe. The fake accounts also forked other projects from YuzeHao2023, creating a web of cross-references designed to make each account appear more established.”
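The three persona traits quoted above (recent creation dates, commits concentrated in the same timeframe, cross-forks of the same owner's other projects) can be checked mechanically when vetting a repository's forkers. The sketch below is an added example, not code from Straiker's report; the field names, thresholds and sample accounts are assumptions constructed for illustration, and in practice the input would be gathered from public account and fork metadata.

```python
from datetime import date

# Constructed sample: forkers of one repository. Logins and dates are invented.
SAMPLE_FORKERS = [
    {"login": "persona-1", "created": date(2025, 1, 2), "forked": date(2025, 1, 20),
     "commit_days": [date(2025, 1, 20), date(2025, 1, 21)], "other_owner_forks": 3},
    {"login": "persona-2", "created": date(2025, 1, 5), "forked": date(2025, 1, 21),
     "commit_days": [date(2025, 1, 21)], "other_owner_forks": 2},
    {"login": "persona-3", "created": date(2025, 1, 9), "forked": date(2025, 1, 22),
     "commit_days": [date(2025, 1, 22), date(2025, 1, 23)], "other_owner_forks": 2},
    {"login": "longtime-dev", "created": date(2016, 6, 1), "forked": date(2024, 9, 3),
     "commit_days": [date(2019, 3, 1), date(2024, 9, 4)], "other_owner_forks": 0},
]

# Thresholds are assumptions chosen for this example, not values from the report.
MAX_ACCOUNT_AGE_DAYS = 90   # "recent": account under ~3 months old when it forked
BURST_WINDOW_DAYS = 14      # "same timeframe": all activity within two weeks
MIN_CROSS_FORKS = 2         # forks of at least two other repos from the same owner


def signals(forker):
    """Return which of the three persona traits this forker matches."""
    hits = set()
    if (forker["forked"] - forker["created"]).days <= MAX_ACCOUNT_AGE_DAYS:
        hits.add("recent_account")
    days = forker["commit_days"]
    if days and (max(days) - min(days)).days <= BURST_WINDOW_DAYS:
        hits.add("commit_burst")
    if forker["other_owner_forks"] >= MIN_CROSS_FORKS:
        hits.add("cross_forks")
    return hits


def assess_forks(forkers):
    """Flag forkers matching all three traits and test whether they forked together."""
    flagged = [f for f in forkers if len(signals(f)) == 3]
    fork_days = [f["forked"] for f in flagged]
    coordinated = (len(flagged) >= 2
                   and (max(fork_days) - min(fork_days)).days <= BURST_WINDOW_DAYS)
    return {
        "flagged": sorted(f["login"] for f in flagged),
        "flagged_ratio": len(flagged) / len(forkers) if forkers else 0.0,
        "coordinated": coordinated,
    }


if __name__ == "__main__":
    print(assess_forks(SAMPLE_FORKERS))
```

A single trait is weak evidence on its own (new accounts fork projects all the time), which is why the example only flags accounts that match all three and then checks whether the flagged accounts forked within one window.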

Once credibility was established, they launched a separate repository containing a trojanized version, deliberately excluding the original author to avoid scrutiny. Finally, they submitted the malicious package to public MCP registries, so developers searching for Oura integrations would unknowingly download the infected version.

SmartLoader, a malware group known for spreading info-stealers through fake installers, has shifted tactics from targeting piracy users to compromising developers via the supply chain. The malware utilized LuaJIT, heavy virtual machine obfuscation, scheduled tasks disguised as Realtek drivers, and ultimately deployed StealC to steal passwords, crypto wallets, API keys, and cloud credentials. The infrastructure and techniques align with known SmartLoader patterns, with indicators pointing to operations based in China.

Security experts warn that developer environments are now prime targets and urge stronger vetting of AI tooling and MCP servers. The report concludes, “SmartLoader’s campaign against the MCP ecosystem should serve as a wake-up call for security leaders. Threat actors have moved beyond opportunistic malware distribution, and they are now investing in elaborate social engineering infrastructure to compromise developer supply chains.”

It further states, “As AI assistants become integral to enterprise workflows, the MCP servers that extend their capabilities become a critical attack surface. Organizations that fail to secure this vector expose themselves to credential theft, data exfiltration, and supply chain compromise.”

This post is licensed under CC BY 4.0 by the author.