SmartLoader Campaign Uses Trojanized Oura MCP Server to Deploy StealC Infostealer

Timeline

1. 17.02.2026 14:42 1 articles · 10h ago

   SmartLoader Campaign Uses Trojanized Oura MCP Server to Deploy StealC Infostealer

   A new SmartLoader campaign involves distributing a trojanized version of the Oura Model Context Protocol (MCP) server to deliver the StealC infostealer. The attackers cloned the legitimate Oura MCP Server, created fake GitHub repositories and contributors to build credibility, and submitted the trojanized server to MCP registries. The campaign targets developers, stealing credentials, browser passwords, and cryptocurrency wallet data. The attack unfolded over four stages, involving the creation of fake GitHub accounts, repositories, and contributors, followed by submission to MCP Market. The trojanized server executes an obfuscated Lua script that drops SmartLoader, which then deploys StealC. The evolution of SmartLoader indicates a shift towards targeting developers, whose systems contain sensitive data like API keys and cloud credentials.

   Show sources

   • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

   Open in new tab

Information Snippets

• SmartLoader campaign distributes trojanized Oura MCP server to deliver StealC infostealer.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

• Attackers cloned legitimate Oura MCP Server and created fake GitHub repositories and contributors to build credibility.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

• Trojanized server was submitted to MCP registries like MCP Market.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

• Attack unfolded in four stages: creating fake GitHub accounts, repositories, contributors, and submitting the trojanized server.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

• Trojanized server executes obfuscated Lua script that drops SmartLoader, which deploys StealC.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

• Campaign targets developers, stealing credentials, browser passwords, and cryptocurrency wallet data.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42

• Mitigations include inventorying installed MCP servers, formal security reviews, verifying server origins, and monitoring for suspicious traffic.

  First reported: 17.02.2026 14:42
  1 source, 1 article
  Show sources

  • SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42