A SmartLoader supply chain campaign trojanized an Oura Model Context Protocol server to deliver the StealC infostealer, allowing theft of credentials and cryptocurrency wallet data, a report by Straiker’s AI Research (STAR) Labs said. The campaign used at least five fake GitHub accounts and submitted the rogue server to the MCP registry.
KEY FACTS
- Incident Trojanized Oura Model Context Protocol server used to deliver StealC via SmartLoader
- Method Fake GitHub accounts and contributor spoofing to build credibility
- Technique Obfuscated Lua in ZIP drops SmartLoader then StealC
- Registry Rogue server submitted to an MCP registry and listed among benign entries
The campaign unfolded in multiple staged steps. Attackers created at least five fake GitHub accounts named YuzeHao2023, punkpeye, dvlan26, halamji and yzhao112 to host forks of a legitimate Oura MCP server and then published a separate repository that contained the malicious payload.
Fake contributor entries were added to the project to lend a veneer of legitimacy while the original author was omitted from contributor lists. The compromised package was submitted to the registry and it remains listed on the MCP Market listing.
When launched from a ZIP archive the package runs an obfuscated Lua script that drops SmartLoader. SmartLoader then deploys the StealC infostealer which targets browser credentials, saved passwords and cryptocurrency wallet files.
The campaign shifts focus from users seeking pirated software to developers who hold high value artifacts. Stolen API keys, cloud credentials and wallet data can enable follow on intrusions.
WHY IT MATTERS
The incident shows developer tooling and registry listings can be weaponized as a supply chain vector. Organizations should treat third party MCP servers as potential risk and apply security reviews before installation.