In order to distribute the information stealer StealC, cybersecurity researchers have revealed details of a new SmartLoader campaign that uses a trojanized version of a Model Context Protocol (MCP) server connected to Oura Health This article explores smartloader malware. . The ultimate goal is to use the Oura MCP server that has been trojanized to distribute the StealC infostealer, which enables the threat actors to obtain login credentials, browser passwords, and cryptocurrency wallet data.

Initially identified by OALABS Research in early 2024, SmartLoader is a malware loader that is known to be disseminated through phony GitHub repositories that use artificial intelligence (AI)-generated lures to appear authentic.

According to a March 2025 Trend Micro analysis, these repositories impersonate game cheats, cracked software, and cryptocurrency utilities. Usually, they entice victims to download ZIP files that contain SmartLoader by offering them free or unauthorized functionality. In order to serve trojanized MCP servers and submit them to reputable MCP registries such as MCP Market, threat actors are constructing a network of fake GitHub accounts and repositories, according to the most recent Straiker findings.

The MCP directory still has the MCP server listed. The goal is to use the reputation and trust that come with services to trick unwary users into downloading malware by weaponizing platforms like GitHub and contaminating MCP registries.

"Unlike opportunistic malware campaigns that prioritize speed and volume, SmartLoader invested months building credibility before deploying their payload," the company stated. "The threat actor's understanding that developer trust takes time to manufacture and their willingness to invest that time for access to high-value targets are demonstrated by this patient, methodical approach." At least five phony GitHub accounts (YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112) were created in order to construct a collection of ostensibly authentic repository forks of the Oura MCP server.

The attack basically took place in four stages.

made a second The malicious payload is located in the Oura MCP server repository under the new account "SiddhiBagul." purposefully left the original author off of contributor lists while adding the recently made phony accounts as "contributors" to give the appearance of legitimacy. submitted the compromised server to the MCP Market.

The rogue server would be listed among other safe options for users who search for the Oura MCP server on the registry. After being launched through a ZIP archive, it causes an obfuscated Lua script to run, which drops SmartLoader before deploying StealC.

Since developers' systems frequently hold sensitive information like API keys, cloud credentials, cryptocurrency wallets, and access to production systems, they have become high-value targets, as evidenced by the SmartLoader campaign's evolution from targeting users searching for pirated software. Subsequent intrusions could be fueled by the misuse of the stolen data. Organizations are advised to inventory installed MCP servers, conduct a formal security review prior to installation, confirm the MCP servers' origin, and keep an eye out for questionable egress traffic and persistence mechanisms as ways to counteract the threat.

According to Straiker, "this campaign exposes fundamental weaknesses in how organizations evaluate AI tooling." "Security teams and developers must apply out-of-date trust heuristics to a new attack surface for SmartLoader to succeed."