Find notable cyber news and cases, enriched with sources, timelines, and signals.

SmartLoader trojanized Oura MCP Server delivery of StealC

Malware Activity
First reported
Last updated
Happening score
H score 4
1 unique sources, 1 articles

Summary

Hide ▲

The SmartLoader operation is now distributing a trojanized Oura MCP Server to drop StealC, creating a supply-chain path to steal developer secrets. The rogue package is built to look credible through fake GitHub forks and contributors, then pushed into MCP Market. Once opened as a ZIP archive, it runs an obfuscated Lua script that loads the malware chain. The result is theft of credentials, browser passwords, and cryptocurrency wallet data, with possible follow-on intrusion from exposed developer access.

Related Happenings

Rollup polyfill npm package malware activity for remote access and data theft

Malware Activity
H score16 First: 03.07.2026 19:07 Last: 03.07.2026 19:07 Sources 1

About this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...

Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw

Vulnerability
H score33 First: 22.06.2026 20:28 Last: 22.06.2026 20:28 Sources 1

About this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.

Rust-based clipboard hijacker spreading via fake crypto tools

Malware Activity
H score13 First: 18.06.2026 18:00 Last: 18.06.2026 18:00 Sources 1

About this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...

AUR package-hijacking campaign delivering atomic-lockfile

Campaign
H score11 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...

Atomic-lockfile rootkit-infostealer distribution through AUR packages

Malware Activity
H score3 First: 12.06.2026 20:03 Last: 12.06.2026 20:03 Sources 1

About this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...

Timeline

  1. 17.02.2026 14:42 2 articles · 4mo ago

    SmartLoader campaign uses a trojanized Oura MCP Server

    Initial Disclosure

    SmartLoader is used in a campaign that clones a legitimate Oura MCP Server associated with Oura Health, builds credibility with fake GitHub forks and contributors, and submits a rogue repository to MCP Market so developers searching for the server can download a malicious ZIP archive. When launched, the archive runs an obfuscated Lua script that drops SmartLoader and then deploys StealC, enabling theft of credentials, browser passwords, and cryptocurrency wallet data from developer systems.

    Show sources