securityaffairs.com 2/17/2026, 7:50:24 PM · via preferred

SmartLoader hackers clone Oura MCP project to spread StealC malware

Primary source: straiker.ai
Threat actor: SmartLoader

According to Straiker, its AI Research (STAR) Labs team uncovered a SmartLoader campaign in which attackers cloned a legitimate MCP (Model Context Protocol) server linked to Oura Health and used the clone to spread the StealC information stealer. The fake project was dressed up to look credible, with bogus forks and contributors, so that users would download a trojanized version, which then deployed malware designed to steal sensitive data.

Researchers say the SmartLoader operators spent months building a fake GitHub ecosystem to make their malware look trustworthy: a main account, YuzeHao2023, plus four additional forks to simulate popularity. With that network of fake GitHub accounts in place, they submitted the trojanized package to public MCP registries, so developers searching for Oura integrations would unknowingly download the infected version.

The malware uses LuaJIT, heavy VM-based obfuscation, and scheduled tasks disguised as Realtek drivers to deploy StealC, which targets developer credentials, browser passwords, cryptocurrency wallets and cloud credentials; indicators point to China-based operations. The report warns that organisations deploying MCP-enabled AI tools are exposed to supply chain compromise as threat actors pivot to MCP ecosystems.
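One check a defender can run against the persistence technique described above is to enumerate scheduled tasks and flag any that borrow a Realtek driver theme but launch from somewhere a genuine driver component never would, or that drag a Lua/LuaJIT runtime along. The script below is an added example written for this page, not code from Straiker's report or from the SmartLoader campaign; the task names, executable paths, trusted-directory list and Lua indicators are all constructed assumptions, since the report summarised here names no specific task or path. It operates on records already reduced to name and action (for instance from `schtasks /query /fo CSV /v` or `Get-ScheduledTask`), so it runs offline on the constructed sample.

```python
from dataclasses import dataclass


@dataclass
class TaskRecord:
    """One scheduled task reduced to the fields the check needs (constructed sample shape)."""
    name: str
    action: str  # executable path followed by its arguments, as the task scheduler reports it


# Assumption: where genuine Realtek components are installed on a typical Windows host.
TRUSTED_REALTEK_PREFIXES = (
    "c:\\windows\\system32\\",
    "c:\\program files\\realtek\\",
    "c:\\program files (x86)\\realtek\\",
)
# Directories a low-privilege user can write to; a "driver" task should not launch from them.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")
# Traces of a Lua/LuaJIT runtime on the command line (assumed indicators, not from the report).
LUA_MARKERS = ("luajit", "lua51.dll", ".lua")


def executable_of(action: str) -> str:
    """Return the lower-cased executable path from a task action string, honouring quotes."""
    action = action.strip()
    if action.startswith('"'):
        end = action.find('"', 1)
        return action[1:end].lower() if end != -1 else action[1:].lower()
    return action.split()[0].lower() if action else ""


def flag_task(task: TaskRecord) -> list[str]:
    """Return the reasons this task looks like a driver-themed masquerade (empty if clean)."""
    reasons = []
    name = task.name.lower()
    exe = executable_of(task.action)
    cmdline = task.action.lower()

    # A task that claims to be Realtek must run from a path where Realtek actually installs.
    claims_realtek = "realtek" in name or "rtk" in name or "realtek" in exe
    if claims_realtek and not exe.startswith(TRUSTED_REALTEK_PREFIXES):
        reasons.append("realtek-themed task launched from an untrusted path")
    # Weak on its own (some legitimate updaters live in AppData), so it is reported separately.
    if any(m in exe for m in USER_WRITABLE_MARKERS):
        reasons.append("executable lives in a user-writable directory")
    # A driver service has no business invoking a Lua interpreter.
    if any(m in cmdline for m in LUA_MARKERS):
        reasons.append("command line references a Lua/LuaJIT runtime")
    return reasons


def suspicious_tasks(records: list[TaskRecord]) -> dict[str, list[str]]:
    """Map task name -> reasons for every task that trips at least one heuristic."""
    return {t.name: r for t in records if (r := flag_task(t))}


# Constructed sample: one real-looking Realtek task, one masquerade, two unrelated tasks.
SAMPLE_TASKS = [
    TaskRecord("Realtek HD Audio Universal Service",
               r'"C:\Program Files\Realtek\Audio\HDA\RtkAudUService64.exe" -service'),
    TaskRecord("RealtekAudioDriverUpdate",
               r'C:\Users\dev\AppData\Roaming\RtkAud\luajit.exe C:\Users\dev\AppData\Roaming\RtkAud\init.lua'),
    TaskRecord("MicrosoftEdgeUpdateTaskMachineUA",
               r'"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler'),
    TaskRecord("OneDrive Standalone Update Task",
               r'C:\Users\dev\AppData\Local\Microsoft\OneDrive\OneDriveStandaloneUpdater.exe'),
]

if __name__ == "__main__":
    for task_name, why in suspicious_tasks(SAMPLE_TASKS).items():
        print(f"{task_name}: {'; '.join(why)}")
```

On the constructed sample the masquerading task trips all three heuristics, while the OneDrive updater trips only the user-writable check, which is why that signal is reported on its own rather than treated as a verdict: triage on the combination (driver-themed name plus untrusted path, or any Lua runtime reference) and treat a lone AppData hit as context, not an alert.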


Article by CyberSIXT