Straiker STAR Labs — SmartLoader poisons an Oura MCP server
AI relevance: MCP servers are the tool layer for AI agents, and this campaign weaponized a trojanized MCP package to turn developer tool installs into malware delivery.
- Straiker STAR Labs reports a SmartLoader supply-chain campaign that cloned a legitimate Oura Ring MCP server and embedded a StealC infostealer payload.
- Attackers built a network of fake GitHub accounts and forks to manufacture credibility and mimic community activity.
- The trojanized server was submitted to MCP registries (including MCP Market), making it discoverable to developers searching for Oura integrations.
- The payload chain uses an obfuscated LuaJIT script that drops SmartLoader, then deploys StealC to steal browser passwords, session cookies, and crypto wallets.
- Straiker notes the shift from opportunistic pirated-software lures to developer-focused supply-chain attacks targeting AI tooling ecosystems.
- Trust signals like forks, contributor lists, and GitHub activity are now easily fabricated, undermining common package vetting heuristics.
- The campaign shows MCP registries are becoming high-value malware distribution points as agent tooling adoption accelerates.
Why it matters
- MCP servers run on developer machines and CI pipelines with privileged credentials; a compromised tool turns AI workflows into credential theft pipelines.
- Registry poisoning creates a scalable path to compromise organizations that are rapidly adopting agent tooling without formal security review.
- This is a live example of how supply-chain attacks are pivoting into AI agent ecosystems rather than just traditional libraries.
What to do
- Inventory installed MCP servers and flag any community or forked packages without verified provenance.
- Require registry provenance checks (author verification, signed releases, reproducible builds) before enabling tools in production agents.
- Monitor developer endpoints for unusual LuaJIT execution, scheduled task creation, or stealthy persistence tied to MCP installs.
- Gate MCP tool installs through security review or allowlists; treat them like CI/CD plugins or browser extensions.
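The inventory and allowlist steps above, as an added example (not Straiker's code and not tied to any real MCP host): it parses a client config in the `{"mcpServers": {name: {"command", "args"}}}` shape, resolves which package each entry fetches from a registry at launch, and flags anything not on a reviewed allowlist. The config layout, the allowlist contents and every server entry are constructed assumptions.

```python
"""Audit MCP server entries in a client config against a reviewed allowlist."""
import json

# Constructed sample config in the {"mcpServers": {...}} shape (assumption
# about the host's layout; adapt the path and shape to the client you use).
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-github"]},
        "oura": {"command": "npx", "args": ["-y", "oura-mcp-fork-example"]},
        "notes": {"command": "python", "args": ["/home/dev/tools/notes_mcp.py"]},
    }
})

# Reviewed servers: package name -> how provenance was verified (constructed).
ALLOWLIST = {
    "@modelcontextprotocol/server-github": "official org, signed release reviewed",
}

# Package runners whose first non-flag argument names a registry package that
# is downloaded and executed when the agent starts the server.
PACKAGE_RUNNERS = {"npx", "uvx"}


def server_package(entry):
    """Return the registry package an entry resolves to, or the raw command for local code."""
    command = entry.get("command", "")
    args = entry.get("args", [])
    if command in PACKAGE_RUNNERS:
        for arg in args:
            if not arg.startswith("-"):   # skip flags such as -y / --yes
                return arg
        return command                     # runner invoked with no package named
    return " ".join([command, *args]).strip()


def audit(config_text, allowlist=ALLOWLIST):
    """Map each configured server name to (package, status) for review."""
    servers = json.loads(config_text).get("mcpServers", {})
    report = {}
    for name, entry in servers.items():
        package = server_package(entry)
        if package in allowlist:
            status = "allowed"
        elif entry.get("command") in PACKAGE_RUNNERS:
            status = "unreviewed-registry-package"   # fetched at launch, highest risk
        else:
            status = "unreviewed-local-code"
        report[name] = (package, status)
    return report


if __name__ == "__main__":
    for name, (package, status) in audit(SAMPLE_CONFIG).items():
        print(f"{name:8} {status:30} {package}")
```

Anything reported as unreviewed-registry-package is the case this campaign exploits: a name that looks right in a registry listing but is pulled and executed without provenance checks.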