SmartLoader Gang Builds Fake GitHub Ecosystem to Spread StealC via Trojanised Oura MCP

Blog / February 17, 2026

A known cybercriminal operation has spent months building an elaborate fake GitHub ecosystem to poison the AI development supply chain. The SmartLoader gang, first identified in 2024 by OpenAnalysis, cloned a legitimate Oura Ring MCP server and created a network of fabricated repositories and contributors to distribute the StealC infostealer through official AI tool registries.

Straiker’s AI Research team published research showing that the operation successfully infiltrated the Model Context Protocol (MCP) registry with a trojanised version of an MCP server that connects AI assistants to Oura Ring health data. The attack represents a strategic shift from the group’s previous focus on users seeking pirated software to targeting high-value developer environments containing API keys, cloud credentials, and cryptocurrency wallets.

Five Fake Accounts, Three Months of Patience

The operation unfolded over four distinct phases. Attackers created at least five fake GitHub accounts — YuzeHao2023, punkpeye, dvlan26, halamji, and yzhao112 — and used them to build what appeared to be a legitimate community around the cloned Oura MCP server. They forked the original project multiple times, created cross-references between repositories, and generated commit activity designed to simulate genuine collaborative development.

The fake accounts exhibited characteristics consistent with AI-generated personas, according to researchers: recent creation dates, similar activity patterns, and commits concentrated within the same timeframe. “Unlike opportunistic malware campaigns that prioritise speed and volume, SmartLoader invested months building credibility before deploying their payload,” Straiker noted in its analysis.

After establishing this fake ecosystem, the group created a separate repository under the account “SiddhiBagul” containing the trojanised payload, deliberately excluding the original author to avoid detection. The malicious package was then submitted to public MCP registries, where developers searching for Oura integrations would find it listed alongside legitimate alternatives.

StealC Deployment Through LuaJIT Obfuscation

Once installed and launched, the trojanised MCP server runs an obfuscated Lua script under LuaJIT that drops the SmartLoader loader, which in turn deploys StealC. The Lua stage employs multiple evasion techniques: virtual-machine style control-flow protection with 443 distinct states, string encoding through octal escape sequences, and chunked assembly that splits sensitive strings across variables which are only concatenated at runtime.
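The string-hiding techniques above are cheap to undo once the escape rules are known, which is the first thing an analyst does with a dropper like this. The following is an added example, not code from the original post or from Straiker's analysis: a small Python deobfuscator that decodes Lua string literals and resolves `a .. b .. c` chunk concatenations against earlier `local` assignments. One caveat a practitioner needs when writing such a decoder: in Lua, a backslash followed by up to three digits (`\104`) is a decimal byte value and `\x68` is hex, so treating `\104` as octal produces garbage. The sample script is constructed for illustration and is not the SmartLoader code.

```python
import re

# Constructed sample in the style the article describes (numeric escapes plus
# strings split across variables and joined with `..`). It is NOT the
# SmartLoader dropper; every value here is invented.
SAMPLE_LUA = r'''
local p1 = "\104\116\116\112"
local p2 = "\115\58\47\47"
local p3 = "\101\120\97\109\112\108\101\46\105\110\118\97\108\105\100"
local url = p1 .. p2 .. p3
local ua = "\x4d\x6f\x7a\x69\x6c\x6c\x61"
local msg = "plain " .. ua
'''

# Lua escapes: \ddd is DECIMAL (0-255), \xhh is hex, plus the single-char ones.
ESCAPE_RE = re.compile(r'\\(\d{1,3})|\\x([0-9A-Fa-f]{2})|\\([abfnrtv\\"\'])')
SIMPLE = {'a': '\a', 'b': '\b', 'f': '\f', 'n': '\n', 'r': '\r',
          't': '\t', 'v': '\v', '\\': '\\', '"': '"', "'": "'"}


def decode_lua_string(body: str) -> str:
    """Decode escape sequences in the body of a Lua string literal (quotes removed).
    Bytes map 1:1 to code points (latin-1 style) so binary payloads survive."""
    def repl(m):
        if m.group(1) is not None:
            value = int(m.group(1), 10)  # decimal, per the Lua reference manual
            if value > 255:
                raise ValueError(f"invalid Lua escape \\{m.group(1)}")
            return chr(value)
        if m.group(2) is not None:
            return chr(int(m.group(2), 16))
        return SIMPLE[m.group(3)]
    return ESCAPE_RE.sub(repl, body)


ASSIGN_RE = re.compile(r'local\s+(\w+)\s*=\s*(.+)$')
STRING_LIT_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')


def resolve_strings(lua_source: str) -> dict:
    """Walk `local name = expr` statements in order, decoding string literals and
    reassembling `..` concatenations of literals and previously seen names.
    Expressions with calls or unknown names are skipped rather than guessed."""
    symbols = {}
    for line in lua_source.splitlines():
        m = ASSIGN_RE.match(line.strip())
        if not m:
            continue
        name, expr = m.group(1), m.group(2).strip()
        parts = []
        # Splitting on '..' would break on a literal containing '..'; this
        # obfuscation style escapes such characters, so it holds for the sample.
        for token in (t.strip() for t in expr.split("..")):
            lit = STRING_LIT_RE.fullmatch(token)
            if lit:
                parts.append(decode_lua_string(lit.group(1)))
            elif token in symbols:
                parts.append(symbols[token])
            else:
                parts = None  # unresolved reference: do not invent a value
                break
        if parts is not None:
            symbols[name] = "".join(parts)
    return symbols


if __name__ == "__main__":
    for name, value in resolve_strings(SAMPLE_LUA).items():
        print(f"{name} = {value!r}")
```

Run against a real sample, the resolved table is where C2 hosts, scheduled-task names and dropped-file paths surface; the VM-protected control flow still has to be traced separately, but it no longer hides the strings.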

StealC itself targets developer credentials, browser passwords, cryptocurrency wallet data, and API keys from cloud services. The malware uses scheduled tasks disguised as Realtek drivers for persistence and communicates with command-and-control servers using infrastructure that researchers assess has possible links to China-based operations.
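The persistence detail is worth hunting for on developer workstations. As an added example (not from the original post, and not a signature for the real task names, which the article does not give), the Python below parses a constructed, abridged export in the format produced by `schtasks /query /fo CSV /v` and flags three patterns: a task whose name borrows a hardware vendor's brand but whose action runs from outside the vendor's or Windows' program directories, a task whose action lives in a user-writable directory, and a task that launches a script interpreter such as a Lua runtime. The task names, authors and paths in the sample are invented, and the heuristics are starting points rather than published indicators.

```python
import csv
import re

# Constructed, abridged sample of `schtasks /query /fo CSV /v` output.
# Real output has many more columns; names and paths here are invented.
SAMPLE_CSV = r'''"TaskName","Author","Task To Run","Scheduled Task State"
"\Microsoft\Windows\Defrag\ScheduledDefrag","Microsoft Corporation","%windir%\system32\defrag.exe -c -h -g","Enabled"
"\RealtekAudioService","CONTOSO\alice","C:\Users\alice\AppData\Roaming\RtkAudio\rtkaudio.exe","Enabled"
"\Realtek\RtkNGUI64","Realtek Semiconductor Corp.","C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe -s","Enabled"
"\Updater","CONTOSO\alice","C:\Users\alice\AppData\Local\Temp\x\lua51.exe C:\Users\alice\AppData\Local\Temp\x\run.lua","Enabled"
'''

# Program path at the start of a "Task To Run" value: optionally quoted,
# may contain spaces, and is followed by arguments or end of string.
EXE_RE = re.compile(r'^"?([^"]+?\.(?:exe|com|bat|cmd|ps1|vbs|js|lua|dll))(?:"|\s|$)', re.I)
VENDOR_LOOKALIKE = re.compile(r'realtek|rtk|nvidia|intel', re.I)
USER_WRITABLE = re.compile(r'\\(users\\[^\\]+\\appdata|programdata|windows\\temp|users\\public)\\', re.I)
INTERPRETERS = re.compile(r'^(lua\w*|luajit|wscript|cscript|mshta)\.exe$', re.I)
TRUSTED_ROOTS = ('c:\\windows\\', 'c:\\program files\\', 'c:\\program files (x86)\\',
                 '%windir%\\', '%systemroot%\\')


def executable_of(action: str) -> str:
    """Return the program path from a 'Task To Run' value, without arguments."""
    m = EXE_RE.match(action.strip())
    return m.group(1) if m else action.strip().split(" ")[0]


def hunt(csv_text: str) -> dict:
    """Map task name -> list of findings, for tasks that trip any heuristic."""
    findings = {}
    for row in csv.DictReader(csv_text.splitlines()):
        name = row["TaskName"]
        if name == "TaskName":  # schtasks repeats the header row per task folder
            continue
        exe = executable_of(row["Task To Run"])
        low = exe.lower()
        hits = []
        if VENDOR_LOOKALIKE.search(name) and not low.startswith(TRUSTED_ROOTS):
            hits.append(f"vendor-named task runs {exe} outside trusted program directories")
        if USER_WRITABLE.search(low):
            hits.append(f"action lives in a user-writable directory: {exe}")
        base = low.rsplit("\\", 1)[-1]
        if INTERPRETERS.match(base):
            hits.append(f"script interpreter as task action: {base}")
        if hits:
            findings[name] = hits
    return findings


if __name__ == "__main__":
    for task, hits in hunt(SAMPLE_CSV).items():
        print(task)
        for h in hits:
            print("   -", h)
```

On a live host, export with `schtasks /query /fo CSV /v > tasks.csv` and feed the file to `hunt`; the legitimate Realtek task under Program Files passes, while the lookalike in AppData and the Lua-launching task are both reported.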

A Supply Chain Gap Without Tooling

The success of this operation highlights a fundamental weakness in the emerging AI development ecosystem. “The MCP ecosystem lacks the security infrastructure that has developed around traditional package managers,” Straiker researchers noted. “There is no equivalent to npm audit, Dependabot, or Snyk for MCP servers.”

Traditional trust signals like GitHub stars, forks, and contributor counts proved inadequate when systematically fabricated. The attack succeeded precisely because it leveraged the same reputation mechanisms developers rely on to assess software legitimacy in established ecosystems — mechanisms that have no cryptographic basis and can be manufactured by patient adversaries.

This approach reflects a broader trend among cybercriminals who historically focused on opportunistic attacks through pirated software. As developers become higher-value targets due to their access to production systems and cloud infrastructure, groups like SmartLoader are investing more time in social engineering and supply chain positioning rather than purely technical exploits.

What Development Teams Should Do Now

Organisations deploying AI tools should immediately inventory all installed MCP servers and establish a formal security review before any new integration is added. Verify the provenance of each MCP server: check when the publishing account was created, examine the commit history for suspicious patterns, and confirm that the contributor network is a genuine development community rather than a coordinated cluster. Pin each server you keep to a reviewed release or commit hash rather than a moving branch.

Monitor network traffic for suspicious egress communications and persistence mechanisms that could indicate compromise. The researchers recommend treating any MCP server with recent repository creation, limited genuine community engagement, or contributors with similar activity patterns as requiring additional scrutiny.
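The provenance checks in the two paragraphs above (account age, commit timing, coordinated contributor clusters) can be scored mechanically from metadata the GitHub REST API already exposes (`created_at` on `/users/{login}`, author login and date on `/repos/{owner}/{repo}/commits`). The following is an added example, not code from the original post or from Straiker's tooling: it applies three heuristics to two constructed repositories, one with a single long-standing maintainer and one whose contributors were all registered within a week and committed in a single burst. The logins, dates and thresholds are invented for illustration; the thresholds in particular are starting points to tune, not published indicators.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class Account:
    login: str
    created_at: datetime          # GitHub /users/{login} "created_at"


@dataclass
class Repo:
    full_name: str
    created_at: datetime
    commits: list                 # [(author_login, commit_datetime), ...]


def _utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed data modelled on the pattern the article describes. The logins
# and dates are invented and do not describe the real repositories or accounts.
ACCOUNTS = {a.login: a for a in [
    Account("veteran-dev", _utc(2016, 3, 2)),
    Account("acct-a", _utc(2025, 9, 30)),
    Account("acct-b", _utc(2025, 10, 2)),
    Account("acct-c", _utc(2025, 10, 5)),
    Account("acct-d", _utc(2025, 10, 6)),
]}

LEGIT = Repo("veteran-dev/ring-mcp", _utc(2024, 11, 1), [
    ("veteran-dev", _utc(2024, 11, 1)), ("veteran-dev", _utc(2025, 2, 14)),
    ("veteran-dev", _utc(2025, 6, 3)), ("veteran-dev", _utc(2025, 12, 20)),
])

CLUSTER = Repo("acct-a/ring-mcp", _utc(2025, 10, 20), [
    ("acct-a", _utc(2025, 10, 21)), ("acct-b", _utc(2025, 10, 22)),
    ("acct-c", _utc(2025, 10, 22)), ("acct-d", _utc(2025, 10, 25)),
    ("acct-a", _utc(2025, 10, 27)), ("acct-b", _utc(2025, 10, 28)),
])


def provenance_findings(repo: Repo, accounts: dict, young_days=180, burst_days=30) -> list:
    """Return human-readable findings; an empty list means no heuristic fired.
    Thresholds are illustrative, not calibrated against real campaign data."""
    findings = []
    contributors = {login for login, _ in repo.commits}

    # 1. Every contributor's account is young relative to its first commit here.
    first_commit = {}
    for login, ts in repo.commits:
        first_commit[login] = min(ts, first_commit.get(login, ts))
    young = [l for l in contributors
             if (first_commit[l] - accounts[l].created_at).days < young_days]
    if young and len(young) == len(contributors):
        findings.append(f"all {len(contributors)} contributor accounts were created "
                        f"<{young_days}d before their first commit")

    # 2. Contributor accounts were registered within a short window of each other.
    created = sorted(accounts[l].created_at for l in contributors)
    if len(created) >= 3 and (created[-1] - created[0]).days <= burst_days:
        findings.append(f"{len(created)} contributor accounts created within "
                        f"{(created[-1] - created[0]).days}d of each other")

    # 3. Commit activity is one burst rather than spread over the repo's life.
    times = sorted(ts for _, ts in repo.commits)
    span = (times[-1] - times[0]).days
    if len(times) >= 4 and span <= burst_days:
        findings.append(f"{len(times)} commits concentrated within {span}d")
    return findings


def needs_review(repo: Repo, accounts: dict) -> bool:
    return bool(provenance_findings(repo, accounts))


if __name__ == "__main__":
    for repo in (LEGIT, CLUSTER):
        hits = provenance_findings(repo, ACCOUNTS)
        print(repo.full_name, "->", hits or "no findings")
```

None of these signals is proof on its own (a new team can legitimately register accounts together and ship in a sprint), which is why the function returns findings for a reviewer rather than a verdict; but a registry entry that trips all three deserves the manual review the article recommends before it is granted access to API keys.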

For development environments already using the compromised Oura MCP server, assume potential compromise and conduct incident response procedures including credential rotation, wallet security audits, and cloud access reviews. The sophistication of this campaign suggests other AI development tools may have been similarly compromised through patient supply chain positioning.

References

  1. Straiker STAR Labs: SmartLoader Clones Oura Ring MCP
  2. The Hacker News: SmartLoader Attack Uses Trojanised Oura MCP
  3. Security Affairs: SmartLoader Hackers Clone Oura MCP Project
  4. SOC Prime: SmartLoader Analysis and Detection
