SmartLoader trojanized Oura MCP Server delivery of StealC
Malware Activity
Summary
Hide ▲
Show ▼
The SmartLoader operation is now distributing a trojanized Oura MCP Server to drop StealC, creating a supply-chain path to steal developer secrets. The rogue package is built to look credible through fake GitHub forks and contributors, then pushed into MCP Market. Once opened as a ZIP archive, it runs an obfuscated Lua script that loads the malware chain. The result is theft of credentials, browser passwords, and cryptocurrency wallet data, with possible follow-on intrusion from exposed developer access.
Related Happenings
Rollup polyfill npm package malware activity for remote access and data theft
Malware Activity
H score16
First: 03.07.2026 19:07
Last: 03.07.2026 19:07
Sources 1
About this happening:
**Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Rollup polyfill npm package malware activity for remote access and data theft
Malware ActivityAbout this happening: **Malicious npm packages** disguised as **Rollup polyfill tooling** are now delivering **remote-access and data-theft payloads** to developer workstations and build machines. The...
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
Vulnerability
H score33
First: 22.06.2026 20:28
Last: 22.06.2026 20:28
Sources 1
About this happening:
Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Microsoft AutoGen Studio AutoJack MCP WebSocket command execution security flaw
VulnerabilityAbout this happening: Microsoft’s **AutoJack** chain exposed **AutoGen Studio** to **arbitrary command execution** for developers building from the main GitHub branch before the hardening commit.
Rust-based clipboard hijacker spreading via fake crypto tools
Malware Activity
H score13
First: 18.06.2026 18:00
Last: 18.06.2026 18:00
Sources 1
About this happening:
A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
Rust-based clipboard hijacker spreading via fake crypto tools
Malware ActivityAbout this happening: A **Rust-based clipboard hijacker** is spreading through fake crypto tools and silently replacing copied wallet addresses, putting **Windows** and **macOS** users at risk of theft...
AUR package-hijacking campaign delivering atomic-lockfile
Campaign
H score11
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
AUR package-hijacking campaign delivering atomic-lockfile
CampaignAbout this happening: **AUR package-hijacking campaign** is abusing **more than 400** compromised **Arch User Repository (AUR)** packages to deliver **atomic-lockfile**, turning the **AUR** build path...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware Activity
H score3
First: 12.06.2026 20:03
Last: 12.06.2026 20:03
Sources 1
About this happening:
**AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Atomic-lockfile rootkit-infostealer distribution through AUR packages
Malware ActivityAbout this happening: **AUR packages** are distributing the **atomic-lockfile** **Linux rootkit and infostealer** through compromised build scripts, with **more than 400 packages** reported and the **o...
Timeline
-
17.02.2026 14:42 2 articles · 4mo ago
SmartLoader campaign uses a trojanized Oura MCP Server
Initial DisclosureSmartLoader is used in a campaign that clones a legitimate Oura MCP Server associated with Oura Health, builds credibility with fake GitHub forks and contributors, and submits a rogue repository to MCP Market so developers searching for the server can download a malicious ZIP archive. When launched, the archive runs an obfuscated Lua script that drops SmartLoader and then deploys StealC, enabling theft of credentials, browser passwords, and cryptocurrency wallet data from developer systems.
Show sources
- SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42
- SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer — thehackernews.com — 17.02.2026 14:42