- Threat actors distributed a trojanized Oura Ring health data server to deploy the StealC information stealer.
- The sophisticated campaign used fake GitHub accounts and forked repositories to build false credibility over months.
- Attackers targeted developers’ systems, which are high-value for sensitive data like API keys and cryptocurrency wallets.
- The malicious MCP server was submitted to a legitimate public registry where it remains listed.
- Organizations are advised to formally review and verify the origin of AI tooling before installation.
Cybersecurity researchers revealed a new SmartLoader campaign on Feb 17, 2026, which uses a weaponized version of an Oura Ring health data server to steal cryptocurrency wallets and credentials. The attackers cloned a legitimate Oura Model Context Protocol (MCP) server to build deceptive infrastructure and manufacture credibility, according to a report from Straiker’s AI Research (STAR) Labs.
SmartLoader is a malware loader first highlighted in early 2024, known for distribution via fake GitHub repositories containing AI-generated lures. This method previously disguised repositories as game cheats, cracked software, and cryptocurrency utilities to coax victims.
However, the latest findings highlight a new AI twist involving bogus GitHub accounts and repositories. Consequently, the threat actors submitted the trojanized server to legitimate MCP registries like MCP Market, where it is still listed.
This patient approach invested months in building credibility before deploying the final payload. The attack unfolded over four distinct stages to create a convincing facade.
Firstly, the actors created at least five fake GitHub accounts to build a collection of seemingly legitimate repository forks. They then created another Oura MCP server repository containing the malicious payload under a new account.
Next, they added the fake accounts as “contributors” to lend credibility while excluding the original author. Finally, they submitted the trojanized server to the public MCP Market directory for discovery.
Once executed, an obfuscated Lua script drops SmartLoader, which then deploys the StealC infostealer. This evolution marks a significant shift from targeting users of pirated software to directly attacking developers.
Developers’ systems are high-value targets because they often contain sensitive data like API keys and cloud credentials. Consequently, the stolen information could be abused to fuel follow-on intrusions.
As a mitigation, organizations should inventory installed MCP servers and establish a formal security review. Straiker stated, “This campaign exposes fundamental weaknesses in how organizations evaluate AI tooling.”
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
