SmartLoader Abuses Oura MCP to Deploy StealC Malware
Key Findings
SmartLoader hackers cloned a legitimate Oura MCP (Model Context Protocol) server and built a deceptive infrastructure of fake forks and contributors to make the project appear credible.
The trojanized version of the Oura MCP server delivers the StealC information stealer, targeting developer credentials, browser passwords, and cryptocurrency wallets.
This campaign signals a significant shift in the threat landscape, with traditional supply chain attackers now pivoting to target the emerging MCP ecosystem.
The attackers spent months building a fake GitHub ecosystem to manufacture trust, creating a network of AI-generated personas to make the project appear popular and legitimate.
Once credibility was established, the attackers launched a separate repository containing the malicious payload and submitted it to public MCP registries.
The campaign leverages the trust and reputation associated with the Oura MCP server to lure unsuspecting developers into downloading the trojanized version.
Background
The Oura MCP Server is a project created by an OpenAI engineer that connects AI assistants to Oura Ring health data. It was targeted by the SmartLoader group, known for spreading info-stealers through fake installers, because the project's developer-focused tooling was seen as an attractive attack vector.
Attack Methodology
1. The attackers cloned the legitimate Oura MCP Server project and created a network of fake GitHub accounts to simulate community interest and credibility.
2. They forked the original project under these accounts, making it appear popular and widely used.
3. The main account, YuzeHao2023, created the initial clean fork, while four additional accounts (yzhao112, punkpeye, dvlan26, and halamji) followed suit.
4. The fake accounts exhibited characteristics consistent with AI-generated personas, such as recent creation dates, similar activity patterns, and concentrated commits.
5. Once the fake ecosystem was established, the attackers launched a separate repository containing the trojanized version of the Oura MCP Server, deliberately excluding the original author.
6. The malicious package was then submitted to public MCP registries, ensuring that developers searching for Oura integrations would unknowingly download the infected version.
Malware Analysis
The trojanized Oura MCP Server delivers the StealC information stealer, which is designed to steal sensitive data such as developer credentials, browser passwords, and cryptocurrency wallets. To evade detection, the malware relies on LuaJIT, heavy virtual machine obfuscation, and scheduled tasks disguised as Realtek drivers.
Implications and Recommendations
The SmartLoader campaign against the MCP ecosystem serves as a wake-up call for security leaders: threat actors have shifted their focus from opportunistic malware distribution to compromising developer supply chains.
As AI assistants become integral to enterprise workflows, the MCP servers that extend their capabilities become a critical attack surface that organizations must secure.
Recommendations include inventorying installed MCP servers, establishing a formal security review process, verifying the origin of MCP servers, and monitoring for suspicious activity.
The evolution of the SmartLoader campaign highlights the need for stronger vetting of AI tooling and MCP servers to protect against supply chain compromise.
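One way to start the inventory and origin check recommended above, as an added example rather than code from the original post or the researchers it cites: it reads an MCP client config and reports where each server is launched from, flagging origins that are not on a reviewed allowlist. The `mcpServers`/`servers` key layout, the sample config, the allowlist, and the `example-unreviewed` owner are constructed assumptions.

```python
import json
import re

# Assumption: servers sit under "mcpServers" (Claude Desktop, Cursor) or "servers" (VS Code).
SERVER_KEYS = ("mcpServers", "servers")
LAUNCHERS = {"npx", "uvx", "bunx", "pipx"}  # fetch and run a package by name
REPO_RE = re.compile(r"github\.com[/:]([\w.-]+)/([\w.-]+?)(?:\.git)?(?:[/#@]|$)", re.I)

# Constructed sample config; the "example-unreviewed" owner is a placeholder.
SAMPLE_CONFIG = """{
  "mcpServers": {
    "filesystem": {"command": "npx",
      "args": ["-y", "@modelcontextprotocol/server-filesystem", "/srv/data"]},
    "oura": {"command": "uvx", "args": ["--from",
      "git+https://github.com/example-unreviewed/oura-mcp-server", "oura-mcp"]},
    "notes": {"command": "/opt/tools/notes-mcp", "args": []}
  }
}"""
APPROVED = {"npx:@modelcontextprotocol/server-filesystem"}  # reviewed origins


def origin_of(entry):
    """Best-effort origin of one server entry: URL, GitHub repo, package, or local path."""
    if "url" in entry:  # remote server reached over HTTP
        return "url:" + entry["url"]
    command = str(entry.get("command", ""))
    args = [str(a) for a in entry.get("args", [])]
    for token in [command, *args]:  # a repo reference anywhere in the launch line
        match = REPO_RE.search(token)
        if match:
            return f"github:{match.group(1)}/{match.group(2)}".lower()
    launcher = command.replace("\\", "/").rsplit("/", 1)[-1]
    packages = [a for a in args if not a.startswith("-")]
    if launcher in LAUNCHERS and packages:
        return f"{launcher}:{packages[0]}"
    return "local:" + command


def inventory(config_text, approved):
    """Return (name, origin, is_approved) for every server in one config file."""
    config = json.loads(config_text)
    return [(name, origin_of(entry), origin_of(entry) in approved)
            for key in SERVER_KEYS
            for name, entry in config.get(key, {}).items()]


if __name__ == "__main__":
    for name, origin, ok in inventory(SAMPLE_CONFIG, APPROVED):
        print(f"{'ok    ' if ok else 'REVIEW'}  {name:<12} {origin}")
```

Every row marked `REVIEW` is a server whose repository owner or package name should be compared against the upstream project before the entry is allowed to stay.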
Sources
https://securityaffairs.com/188135/ai/smartloader-hackers-clone-oura-mcp-project-to-spread-stealc-malware.html
https://thehackernews.com/2026/02/smartloader-attack-uses-trojanized-oura.html
https://www.linkedin.com/posts/dlross_smartloader-hackers-clone-oura-mcp-project-activity-7429653407554203648-E634

