Researchers have uncovered a new SmartLoader campaign that distributes a compromised version of an Oura Health Model Context Protocol server to infect users with the StealC information stealer. By creating a deceptive network of fake GitHub accounts and repositories, threat actors are leveraging the growing popularity of AI integration tools to steal sensitive data and cryptocurrency credentials.

Security analysts recently identified a sophisticated operation where attackers cloned a legitimate Oura Health server designed to link AI assistants with personal health data. To make the malicious project appear authentic, the threat actors built a complex infrastructure of fake forks and simulated contributor activity. This manufactured credibility is intended to trick developers and AI enthusiasts into trusting the repository as a reliable source for health data integration.

The primary objective of this campaign is the deployment of StealC, a potent malware variant designed for broad data exfiltration. Once the trojanized server is executed on a victim's machine, it harvests browser passwords, login credentials, and information from various cryptocurrency wallets. This shift toward targeting AI-related protocols suggests that attackers are actively moving to exploit the modern software stacks used by early adopters of emerging technology.

The delivery mechanism relies on SmartLoader, a malware loader that first surfaced in early 2024 and has a history of spreading through fraudulent GitHub repositories. Previous iterations of this threat used AI-generated content to create convincing lures, often masquerading as cracked software or gaming cheats. By presenting a polished and seemingly professional front, the loader successfully bypasses the initial skepticism of many users who are searching for specific digital utilities.

In this updated approach, the attackers have integrated their malicious code into the Model Context Protocol ecosystem by submitting trojanized servers to public registries like MCP Market. These registries serve as central hubs for developers to find tools for their AI projects, and the inclusion of malicious entries allows the threat to persist on reputable directories. This poisoning of the supply chain enables the malware to reach a wider audience by riding on the reputation of established platforms.

Ultimately, the campaign illustrates how cybercriminals are weaponizing the trust associated with legitimate developer tools and community platforms. By blending traditional social engineering with modern AI lures and repository manipulation, they create a deceptive environment that targets a specific niche of tech-savvy users. The continued presence of these malicious servers on public directories highlights the ongoing challenge of securing the rapidly expanding landscape of AI integration software.

Source: SmartLoader Attack Uses Trojanized Oura Server To Deploy StealC Infostealer