
SmartLoader Attack Uses Trojanized Oura MCP Server to Deploy StealC Infostealer

Medium
Malware
Published: Tue Feb 17 2026 (02/17/2026, 12:42:00 UTC)
Source: The Hacker News

Description

Cybersecurity researchers have disclosed details of a new SmartLoader campaign that involves distributing a trojanized version of a Model Context Protocol (MCP) server associated with Oura Health to deliver an information stealer known as StealC. "The threat actors cloned a legitimate Oura MCP Server – a tool that connects AI assistants to Oura Ring health data – and built a deceptive

AI-Powered Analysis

Last updated: 02/18/2026, 10:14:33 UTC

Technical Analysis

The SmartLoader campaign is a supply chain attack that abuses the Model Context Protocol (MCP) ecosystem around Oura Health's AI integration tools. The attackers cloned the legitimate Oura MCP server, middleware that connects AI assistants to Oura Ring health data, and created multiple fake GitHub accounts and repositories to simulate legitimate forks and contributors. This setup was designed to build credibility over several months, culminating in the submission of a trojanized MCP server to the official MCP Market registry, where it remains listed.

When users download and execute the trojanized MCP server, typically via a ZIP archive containing an obfuscated Lua script, it triggers the deployment of SmartLoader, a malware loader that subsequently installs the StealC infostealer. StealC is capable of harvesting sensitive information including user credentials, browser-stored passwords, and cryptocurrency wallet data.

This campaign marks a shift from targeting general users seeking pirated software to focusing on developers, whose environments often contain high-value secrets such as API keys, cloud credentials, and access tokens. The attackers' patient approach to building trust within the developer community and poisoning trusted registries highlights a new attack surface introduced by AI tooling ecosystems. The campaign exploits fundamental weaknesses in how organizations vet AI-related software components and underscores the risk of supply chain compromises in emerging AI integration platforms. Although no active exploits have been reported in the wild, the threat is significant due to the sensitive nature of the targeted data and the stealthy infection vector.

Potential Impact

European organizations, particularly those involved in software development, AI integration, and health technology sectors, face significant risks from this campaign. The theft of credentials, API keys, and cryptocurrency wallet data can lead to unauthorized access to cloud environments, financial losses, and further lateral movement within networks. Organizations relying on Oura MCP servers or similar AI middleware may inadvertently introduce this trojanized component, compromising their development pipelines and production systems. The campaign’s focus on developers increases the likelihood of supply chain contamination, potentially affecting multiple projects and services downstream. Given the use of trusted platforms like GitHub and official MCP registries, detection and prevention are challenging, increasing the risk of prolonged undetected exposure. This threat could also undermine trust in AI tooling ecosystems and delay adoption of beneficial AI integrations. The potential for follow-on intrusions and data exfiltration poses a medium to high operational and reputational risk, especially for European companies handling sensitive health data or financial assets.

Mitigation Recommendations

1. Conduct a comprehensive inventory of all installed MCP servers and AI integration tools within the organization to identify any unauthorized or trojanized components.
2. Implement a formal security review process for all MCP servers and AI-related software before installation, including verifying the source repository, contributor legitimacy, and code integrity.
3. Cross-check MCP server listings against official registries and maintain a whitelist of approved versions and sources.
4. Monitor network egress traffic for unusual or suspicious connections indicative of data exfiltration or command and control communication.
5. Deploy endpoint detection and response (EDR) solutions capable of detecting obfuscated scripts and unusual process behaviors associated with SmartLoader and StealC.
6. Educate developers and security teams about the risks of supply chain attacks in AI tooling and encourage skepticism of newly published repositories, especially those promising unauthorized or free functionality.
7. Use cryptographic verification (e.g., signed packages) where possible to ensure software authenticity.
8. Regularly update and patch development tools and dependencies to reduce exposure to known vulnerabilities.
9. Establish incident response plans specifically addressing supply chain compromises and credential theft scenarios.
10. Collaborate with MCP registry maintainers and GitHub to report and remove malicious repositories and accounts.
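
Recommendations 1 and 3 can be automated against MCP client configuration files. The following Python script is an added example, not part of the original advisory or any vendor tooling: it inventories the servers declared in a config and flags any that are unapproved or launched differently than approved. It assumes the `mcpServers` JSON layout used by common MCP clients; the allowlist, package names, paths and sample config are constructed placeholders.

```python
import json

# Hypothetical allowlist: name -> exact (command, args) approved after review; placeholder packages.
APPROVED = {
    "oura": ("npx", ("-y", "@approved-org/oura-mcp@1.0.0")),
    "filesystem": ("npx", ("-y", "@approved-org/fs-mcp@2.1.0")),
}

# Constructed sample of an MCP client config using the "mcpServers" layout.
SAMPLE_CONFIG = """
{
  "mcpServers": {
    "oura": {"command": "node",
             "args": ["/home/dev/Downloads/oura-mcp-main/index.js"],
             "env": {"OURA_API_TOKEN": "redacted"}},
    "filesystem": {"command": "npx", "args": ["-y", "@approved-org/fs-mcp@2.1.0"]},
    "notes-helper": {"command": "python",
                     "args": ["-m", "notes_helper"],
                     "env": {"GITHUB_TOKEN": "redacted"}}
  }
}
"""

def inventory(config_text):
    """Return one record per MCP server declared in a client config."""
    servers = json.loads(config_text).get("mcpServers", {})
    return [{
        "name": name,
        "command": spec.get("command", ""),
        "args": tuple(spec.get("args", [])),
        "env_keys": sorted(spec.get("env", {})),  # variable names only, never values
    } for name, spec in sorted(servers.items())]

def audit(records, approved=APPROVED):
    """Flag servers that are unapproved or launched differently than approved."""
    findings = []
    for r in records:
        expected = approved.get(r["name"])
        if expected is None:
            issue = "not-approved"
        elif (r["command"], r["args"]) != expected:
            issue = "launch-command-mismatch"  # same name, different code behind it
        else:
            continue
        findings.append({"name": r["name"], "issue": issue, "exposed_env": r["env_keys"]})
    return findings

if __name__ == "__main__":
    print(*audit(inventory(SAMPLE_CONFIG)), sep="\n")
```

The `exposed_env` field lists which secrets were handed to each flagged server, which is the starting point for credential rotation if that server has already run.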


Technical Details

Article Source
{"url":"https://thehackernews.com/2026/02/smartloader-attack-uses-trojanized-oura.html","fetched":true,"fetchedAt":"2026-02-18T10:12:39.579Z","wordCount":1175}

Threat ID: 6995909980d747be205dea31

Added to database: 2/18/2026, 10:12:41 AM

Last enriched: 2/18/2026, 10:14:33 AM

Last updated: 2/20/2026, 9:31:27 PM
