SmartLoader trojanized Oura MCP Server delivery of StealC

Malware Activity
Happening score (H score): 22
1 unique source, 1 article

Summary

The SmartLoader operation is now distributing a trojanized Oura MCP Server to drop StealC, creating a supply-chain path to steal developer secrets. The rogue package is built to look credible through fake GitHub forks and contributors, then pushed into MCP Market. It is delivered as a ZIP archive and, when launched, runs an obfuscated Lua script that loads the malware chain. The result is theft of credentials, browser passwords, and cryptocurrency wallet data, with possible follow-on intrusion from exposed developer access.

Related Happenings

Malware-Slop malicious npm file-theft campaign

Campaign
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **Malware-Slop** campaign is distributing a malicious **npm** package that steals local files from installers, creating an unauthorized data-transfer risk for users of **Anthr...

Mouse5212-super-formatter postinstall GitHub exfiltration package

Malware Activity
First: 27.05.2026 18:44 Last: 27.05.2026 18:44 Sources 1

About this happening: The **mouse5212-super-formatter** npm package is a **malicious infostealer** that can siphon files from **/mnt/user-data**, putting **Anthropic Claude** user data at risk of unaut...

TrapDoor trap-core.js credential-stealing package malware

Malware Activity
First: 25.05.2026 08:59 Last: 25.05.2026 08:59 Sources 1

About this happening: The **TrapDoor** package malware is spreading across **npm, PyPI, and Crates.io**, putting **developer secrets, cloud credentials, SSH keys, and crypto wallets** at risk. The malw...

Laravel Lang credential-stealer dropper delivered through malicious Composer packages

Malware Activity
First: 23.05.2026 23:48 Last: 23.05.2026 23:48 Sources 1

About this happening: A **malicious Composer payload** in **Laravel Lang** packages now threatens **Linux, macOS, and Windows** developers with credential theft. The injected `src/helpers.php` dropper...

Megalodon GitHub CI/CD supply-chain campaign

Campaign
First: 22.05.2026 14:55 Last: 22.05.2026 14:55 Sources 1

About this happening: The **Megalodon** campaign pushed **5,718 malicious commits** into **5,561 GitHub repositories** in about **six hours**, creating a broad **CI/CD secret-theft** risk across develo...

Timeline

  1. 17.02.2026 14:42 2 articles · 3mo ago

    SmartLoader campaign uses a trojanized Oura MCP Server

    Initial Disclosure

    SmartLoader is used in a campaign that clones a legitimate Oura MCP Server associated with Oura Health, builds credibility with fake GitHub forks and contributors, and submits a rogue repository to MCP Market so developers searching for the server can download a malicious ZIP archive. When launched, the archive runs an obfuscated Lua script that drops SmartLoader and then deploys StealC, enabling theft of credentials, browser passwords, and cryptocurrency wallet data from developer systems.
