cybersecurity researchers have identified a new campaign distributing the SmartLoader malware, which uses a trojanized version of a legitimate Model Context Protocol server from Oura Health to deploy the StealC information stealer. The campaign, active as of early 2025, targets users globally by compromising a tool designed to connect AI assistants to health data from Oura Ring devices. This incident highlights a growing trend of attackers weaponizing legitimate software development tools and health tech platforms to breach systems and steal sensitive information.
Attack Methodology and Technical Details
According to security analysts, the threat actors cloned the official Oura MCP Server repository. They then modified the code to include the SmartLoader malware, a known downloader used to deploy secondary payloads. This trojanized version was distributed through deceptive means, potentially via fake software updates or compromised development channels.
When executed, the malicious server installs the SmartLoader component, which subsequently fetches and executes the StealC infostealer. StealC is a sophisticated malware designed to harvest a wide range of data from infected machines. Its capabilities include logging keystrokes, capturing screenshots, stealing cookies, browser histories, and cryptocurrency wallet information, and exfiltrating files from specific directories.
The Role of MCP Servers in the Ecosystem
The Model Context Protocol is an open standard that enables AI applications and large language models to connect to external data sources and tools. An MCP server acts as a bridge, providing structured access to databases, APIs, or, in this case, personal health data from wearable devices like the Oura Ring. The legitimate Oura MCP Server allows developers to build AI assistants that can analyze sleep, activity, and readiness scores with user permission.
The compromise of such a tool is significant because it exploits trust in a legitimate development resource. Developers seeking to integrate Oura data may inadvertently download and run the malicious version, leading to a security breach on their local systems and potentially exposing any data or credentials their AI applications can access.
Broader Implications for Software Supply Chain Security
This campaign is part of a concerning pattern in cyber threats, often referred to as a software supply chain attack. Instead of attacking an end-user directly, adversaries infiltrate a component or tool that developers use. Every application or project that then incorporates that compromised component becomes vulnerable.
The use of a health-tech platform’s tool adds another layer of risk, as it intersects with the highly sensitive category of personal health information. While there is no indication that Oura’s own servers or user data were breached, the incident serves as a stark reminder of the security challenges in interconnected development environments where data from various sources is aggregated.
Security firms recommend that developers verify the integrity of open-source repositories and tools through checksums and digital signatures before use. Organizations are also advised to implement strict security policies for software downloaded from external sources and to monitor networks for unusual data exfiltration attempts.
Response and Next Steps
Upon discovery, cybersecurity researchers reported the malicious repository to the hosting platform for takedown. Oura Health has been notified of the incident involving the misuse of its tool’s name and codebase. The company is expected to issue formal guidance to its developer community, reinforcing the official sources for its MCP server and warning of the imposter version.
In the coming weeks, security vendors are likely to update their detection signatures to identify the specific variants of SmartLoader and StealC used in this campaign. Further analysis by the cybersecurity community may reveal additional distribution methods or related infrastructure used by the threat actors, potentially leading to more comprehensive defensive measures.
Source: Cybersecurity Research Reports
