Hackers used a fake Oura MCP server to trick users into downloading malware that installs the StealC info-stealer.

Straiker’s AI Research (STAR) Labs team uncovered a SmartLoader campaign in which attackers cloned a legitimate MCP server linked to Oura Health to spread the StealC information stealer. The fake project appeared credible, complete with bogus forks and contributors, to trick users into downloading a trojanized version. Once installed, it deployed malware designed to steal sensitive data.

“Our investigation revealed the threat actors cloned a legitimate Oura MCP Server, a tool that connects AI assistants to Oura Ring health data, and built a deceptive infrastructure of fake forks and contributors to manufacture credibility. The trojanized version of the Oura MCP server delivers the StealC infostealer, targeting developer credentials, browser passwords, and cryptocurrency wallets.” reads the report published by Straiker. “This campaign signals a significant shift in the threat landscape: traditional threat actors who have long targeted software supply chains are now pivoting to MCP ecosystems, bringing their proven tactics and operational sophistication to this emerging attack surface.”

Researchers say the SmartLoader operators spent months building a fake GitHub ecosystem to make their malware look trustworthy. They first chose a popular developer tool: the Oura MCP Server, a project created by an OpenAI engineer that connects AI assistants to Oura Ring data. The target was attractive because productivity-focused developers are likely to hold valuable credentials.

Next, the attackers created a network of fake GitHub accounts, forking the legitimate project to simulate real community interest. The main account, YuzeHao2023, created the initial clean fork:

https://github.com/YuzeHao2023/MCP-oura

Four additional accounts then forked the same project to make it appear popular and legitimate:

https://github.com/yzhao112/MCP-oura
https://github.com/punkpeye/MCP-oura
https://github.com/dvlan26/MCP-oura
https://github.com/halamji/MCP-oura

“These accounts exhibit characteristics consistent with AI-generated personas: recent creation dates, similar activity patterns, and commits concentrated in the same timeframe. The fake accounts also forked other projects from YuzeHao2023, creating a web of cross-references designed to make each account appear more established.” continues the report.

“Any organization deploying MCP-enabled AI tools is vulnerable to supply chain compromise”

The researchers believe the accounts were AI-generated and cross-linked each other’s activity to appear established. Once credibility was built, they launched a separate repository containing a trojanized version, deliberately excluding the original author to avoid scrutiny. Finally, they submitted the malicious package to public MCP registries, so developers searching for Oura integrations would unknowingly download the infected version.

SmartLoader, a malware group known for spreading info-stealers through fake installers, has shifted tactics from targeting piracy users to compromising developers via the supply chain. The malware used LuaJIT, heavy virtual machine obfuscation, scheduled tasks disguised as Realtek drivers, and ultimately deployed StealC to steal passwords, crypto wallets, API keys, and cloud credentials. The infrastructure and techniques match known SmartLoader patterns, with indicators pointing to China-based operations.
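
One way to turn the characteristics the report lists (recent creation dates, commits concentrated in the same timeframe, cross-forking, and a missing original author) into a vetting check before installing an MCP server. This is an added example, not code from Straiker's report or this article; the thresholds, field names and account data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Thresholds are assumptions for this example, not values from the report.
NEW_ACCOUNT = timedelta(days=180)
BURST_WINDOW = timedelta(days=14)

def vet_fork_network(repo, upstream_author, now):
    """Return which of the report's persona signals a repository's forkers match."""
    findings, forkers = [], repo["forkers"]
    # Signal 1: most forking accounts were created recently.
    recent = [f for f in forkers if now - f["created"] < NEW_ACCOUNT]
    if forkers and len(recent) / len(forkers) >= 0.8:
        findings.append("recent-accounts")
    # Signal 2: commits from several accounts concentrated in one timeframe.
    commits = [t for f in forkers for t in f["commits"]]
    authors = {f["login"] for f in forkers if f["commits"]}
    if len(authors) >= 3 and max(commits) - min(commits) <= BURST_WINDOW:
        findings.append("commit-burst")
    # Signal 3: forkers that also forked the owner's other projects.
    cross = [f for f in forkers if repo["owner"] in f["other_fork_owners"]]
    if len(cross) >= 2:
        findings.append("cross-forking")
    # Signal 4: the original author is absent from the contributor list.
    if upstream_author not in repo["contributors"]:
        findings.append("upstream-author-absent")
    return findings

NOW = datetime(2026, 1, 1)  # fixed reference time so the example is repeatable

def _acct(login, created_days_ago, commit_days_ago, others=()):
    """Build one constructed forker record (hypothetical schema)."""
    return {"login": login, "created": NOW - timedelta(days=created_days_ago),
            "commits": [NOW - timedelta(days=d) for d in commit_days_ago],
            "other_fork_owners": set(others)}

# Constructed sample data; the logins are placeholders, not real accounts.
SUSPECT = {"owner": "main-acct", "contributors": ["main-acct", "acct-a"],
           "forkers": [_acct("acct-a", 40, [30, 29], ["main-acct"]),
                       _acct("acct-b", 35, [28], ["main-acct"]),
                       _acct("acct-c", 33, [27, 26], ["main-acct"]),
                       _acct("acct-d", 30, [25])]}
ORGANIC = {"owner": "upstream-dev", "contributors": ["upstream-dev", "dev-x"],
           "forkers": [_acct("dev-x", 900, [400, 120]),
                       _acct("dev-y", 1500, [10]),
                       _acct("dev-z", 60, [])]}

if __name__ == "__main__":
    print(vet_fork_network(SUSPECT, "upstream-dev", NOW))
    print(vet_fork_network(ORGANIC, "upstream-dev", NOW))
```

A match on these signals is a reason to review the repository by hand, not proof of compromise; legitimate new projects can trip individual checks.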

Security experts warn that developer environments are now prime targets and urge stronger vetting of AI tooling and MCP servers.

“SmartLoader’s campaign against the MCP ecosystem should serve as a wake-up call for security leaders. Threat actors have moved beyond opportunistic malware distribution and they are now investing in elaborate social engineering infrastructure to compromise developer supply chains.” concludes the report. “As AI assistants become integral to enterprise workflows, the MCP servers that extend their capabilities become a critical attack surface. Organizations that fail to secure this vector expose themselves to credential theft, data exfiltration, and supply chain compromise.”

Pierluigi Paganini (SecurityAffairs hacking, malware)
Published: 2026-02-17T18:54:31