Your biometric data isn’t the only thing the Oura ring can connect to anymore—now, it might be the gateway for an infostealer.

A sophisticated new SmartLoader campaign has been uncovered, targeting the emerging world of AI agents. By poisoning the trust-based infrastructure of Model Context Protocol (MCP) servers, threat actors have found a way to turn developer-focused health-tech tools into delivery vehicles for the StealC infostealer.

This isn’t just a malware drop; it’s a long-con in supply chain poisoning.

Manufactured Credibility: The Four-Stage Heist

Unlike low-effort phishing, the SmartLoader operators invested months into building a “reputation” on GitHub. According to Straiker’s STAR Labs, the attack exploited the trust heuristics developers use when evaluating new AI tools.

The Blueprint of Deception:

1. Identity Farming: The attackers created at least five fake GitHub personas (including YuzeHao2023 and punkpeye) to fork the legitimate Oura MCP server repository.

2. The Payload Shell: A new account, SiddhiBagul, was established to host the “poisoned” version of the server containing the malicious SmartLoader code.

3. Contributor Laundering: The fake personas were added as “contributors” to the rogue repository, creating a false sense of community activity and legitimacy.

4. Marketplace Poisoning: The trojanized server was then submitted to MCP Market, a legitimate registry. Users searching for ways to connect their AI assistants to their Oura Health data found the rogue server listed alongside benign options.

   

The Payload: StealC Infostealer

Once a developer or high-value target downloads the ZIP archive and launches the server, an obfuscated Lua script executes. This drops the SmartLoader malware, which in turn deploys StealC.

StealC is a highly efficient infostealer designed to vacuum up:

• Browser Credentials: Saved passwords and cookies.

• Crypto Wallets: Direct targeting of browser-based and desktop wallet files.

• Developer Assets: The true “prize” in this campaign—API keys, cloud credentials, and access to production environments.

The AI Attack Surface

The SmartLoader campaign marks a pivotal shift in threat actor strategy. They are moving away from users looking for pirated software and moving toward developers and AI enthusiasts.

• The Trust Gap: Legitimate registries like MCP Market often lack the rigorous automated vetting found in more mature ecosystems (like the App Store), allowing “patient” threat actors to slip through.

• Targeting the Architect: Developers hold the keys to the kingdom. By infecting a developer’s machine, an attacker gains a foothold into entire corporate infrastructures and production pipelines.

• AI Tooling as a Blind Spot: Organizations are rushing to integrate AI agents (like Claude or GPT-4) with local data via MCP. This rush creates a “security vacuum” where tools are installed without formal review.

CodeAintel Insight: The Oura MCP attack proves that “credibility” can be manufactured with a few fake accounts and enough time. In the age of AI agents, your security is only as strong as the most obscure server in your registry. Verify the origin, inventory your MCPs, and never trust a contributor list at face value.