SmartLoader Group Cloned Oura Ring MCP Server with Fake Contributor Ecosystem to Deliver StealC Infostealer Targeting Developer Credentials

SmartLoader group cloned the legitimate Oura Ring MCP server and built a fake contributor ecosystem for credibility. Listed on public MCP registries, the trojanized server deployed StealC infostealer harvesting passwords, API keys, and crypto wallet data from developer environments.

Oura Ring MCP (trojanized)Credential exposureTrojanized MCP server: supply chain infostealer via registry poisoningDeveloper environments / API keys / crypto wallets

What happened

SmartLoader listed a trojanized clone of the Oura Ring MCP server on public MCP registries. The clone included StealC infostealer payload that activated on installation, harvesting developer credentials including passwords, API keys, and crypto wallet private keys.

Why it matters

Developer credentials including API keys, passwords, and crypto wallet private keys exfiltrated to SmartLoader infrastructure. Any developer who installed the trojanized server from a public MCP registry was at risk of full credential compromise.

Missing authorization check

MCP registries must verify package integrity and source authenticity before listing. Developers should verify MCP server checksums against known-good sources before installation. Installation of MCP servers should require explicit authorization.

Would PP block it?

If credential reads (password stores, API key files, wallet data) required PP receipts, StealC's exfiltration phase would face an authorization gate. Installation-level controls require registry integrity verification and package signing.

Incident analysis

Timeline and technical read

Timeline

2026-02-01
SmartLoader group publishes trojanized Oura Ring MCP server clone on public MCP registries with fabricated contributor ecosystem for credibility.
2026-02-01
Security researchers identify the malicious server. StealC infostealer payload confirmed. Server removed from public registries.

Technical breakdown

SmartLoader cloned the legitimate Oura Ring MCP server repository and modified it to include StealC infostealer payload.
Fake contributor accounts, commit history, and community activity were created to make the clone appear legitimate and actively maintained.
The trojanized server was listed on multiple public MCP registries, leveraging registry discovery mechanisms to reach developers.
StealC payload activated on installation, targeting password managers, API key files, and crypto wallet data in standard developer environment paths.

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Tool-Call Gate. The read is conditional: the block only applies where the real action boundary is routed through a gate.

If enforced at: MCP server tool execution, credential file access gate
Still needs: MCP registry package verification; MCP server code signing; installer sandbox
Receipt required for: MCP server installation, access to credential files and password stores

PP's Tool-Call Gate would require receipts for credential file access triggered by the MCP server's tools. It would not prevent installation of the trojanized server — that requires registry-level verification.

Related incidents and controls

Critical2025-09-29

First Documented Malicious MCP Server: Fake postmark-mcp npm Package Silently BCC'd 3,000–15,000 Corporate Emails Per Day to Attacker Domain

Critical2026-02-05

ClawHavoc: 1,184 Malicious Skills Uploaded to OpenClaw ClawHub Marketplace Delivering Atomic Stealer Targeting API Keys, SSH Creds, and Browser Passwords

Tool-Call Gate

Start small

Put the relevant gate at this action boundary.

This incident maps to Tool-Call Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.

Replay this incident with a signer in the loop