CYBERSECURITY researchers have detailed a SmartLoader campaign that distributes a trojanized version of the Oura Health Model Context Protocol (MCP) server to deliver the StealC information stealer. According to Straiker's AI Research (STAR) Labs, threat actors cloned a legitimate Oura MCP Server and created a deceptive infrastructure of fake forks and contributors to build credibility, with the aim of delivering StealC to steal credentials, browser passwords, and data from cryptocurrency wallets.
The campaign unfolds in four stages: creating at least five fake GitHub accounts to generate legitimate-looking repository forks of the Oura MCP server, spawning another malicious MCP repository under a new account, adding the fake accounts as contributors while excluding the original author, and submitting the trojanized server to the MCP Market, where the rogue server is still listed. Once launched via a ZIP archive, an obfuscated Lua script drops SmartLoader and deploys StealC.
Mitigations include inventorying MCP servers, security reviews before installation, verifying origins, and monitoring for suspicious traffic and persistence mechanisms.