Cybersecurity researchers have revealed a new SmartLoader campaign that uses a trojanized version of the Model Context Protocol (MCP) server associated with Oura Health to deliver an information-stealing malware known as StealC.
Details of the Attack
The threat actors behind this campaign cloned a legitimate Oura MCP server, a tool that connects AI assistants to health data from the Oura Ring. According to a report from Straiker’s AI Research (STAR) Labs, they constructed a deceptive infrastructure of fake contributors and repositories to enhance the perceived credibility of their malicious version.
Mechanics of the SmartLoader Campaign
SmartLoader, initially highlighted by OALABS Research in early 2024, is a malware loader distributed through fraudulent GitHub repositories. These repositories often feature AI-generated lures that mimic legitimate software, enticing users to download ZIP archives that ultimately deploy SmartLoader.
The latest findings indicate that the threat actors created a network of fake GitHub accounts and repositories to distribute the trojanized MCP servers. They submitted these to legitimate MCP registries, including the MCP Market. This remains a concern because the listings could mislead users searching for the genuine Oura MCP server.
Execution and Impact
Once the trojanized server is executed from a ZIP archive, it runs an obfuscated Lua script that drops SmartLoader, which subsequently deploys StealC. This malware is designed to steal sensitive information such as credentials, browser passwords, and cryptocurrency wallet data.
The evolution of the SmartLoader campaign signifies a strategic shift from targeting users seeking pirated software to focusing on developers, whose systems often contain high-value data like API keys and cloud credentials. The stolen information can facilitate further intrusions.
Mitigation Recommendations
To counter this threat, organizations are advised to conduct an inventory of installed MCP servers, implement formal security reviews prior to installation, verify the origins of MCP servers, and monitor for unusual outbound traffic and persistence mechanisms. Straiker emphasized that this campaign highlights significant vulnerabilities in how organizations assess AI tools, noting that the success of SmartLoader relies on outdated trust heuristics applied to new attack vectors.
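One way to start the inventory and origin check described above, as an added example that is not code from Straiker or from this article. It assumes the MCP client keeps its servers under a top-level `mcpServers` object (the layout Claude Desktop and Cursor use); the allowlist, directory names, and sample configuration are constructed for illustration.

```python
import json
from pathlib import PureWindowsPath  # splits on both "\" and "/" separators

# Assumptions: hypothetical reviewed-package allowlist and risky directory names.
REVIEWED = {"@modelcontextprotocol/server-filesystem"}
LAUNCHERS = {"npx", "uvx"}  # package runners: the package name is in args
RISKY_DIRS = {"downloads", "temp", "tmp"}

def review_entry(spec):
    """Return review findings for one configured MCP server entry."""
    command = str(spec.get("command", ""))
    args = [str(a) for a in spec.get("args", [])]
    if not command:
        return ["no command (remote or malformed entry): review manually"]
    findings = []
    if PureWindowsPath(command).stem.lower() in LAUNCHERS:
        pkg = next((a for a in args if not a.startswith("-")), "(none)")
        if pkg not in REVIEWED:
            findings.append(f"unreviewed package: {pkg}")
    else:
        findings.append("local binary or script: verify origin")
    for value in [command, *args]:
        hit = RISKY_DIRS & {p.lower() for p in PureWindowsPath(value).parts}
        if hit:
            findings.append(f"runs from user-writable dir: {sorted(hit)[0]}")
            break
    return findings

def inventory(config_text):
    """Map each server name in an MCP client config to its findings."""
    servers = json.loads(config_text).get("mcpServers", {})
    return {name: review_entry(spec) for name, spec in servers.items()}

# Constructed sample config; names and paths are not indicators from the report.
SAMPLE = json.dumps({"mcpServers": {
    "files": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/home/dev/projects"]},
    "ring-data": {"command": "C:\\Users\\dev\\Downloads\\ring-mcp\\run.exe", "args": ["server.txt"]},
    "notes": {"command": "npx", "args": ["-y", "example-notes-mcp"]},
    "remote": {"url": "https://mcp.example.invalid/sse"},
}})

if __name__ == "__main__":
    for name, findings in inventory(SAMPLE).items():
        print(name, "->", findings or ["ok"])
```

An entry with no findings only means it matched the allowlist; the formal review and origin verification still apply before a package is added to that list.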
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








