
Feb 18, 2026 · 5 min read

That MCP Server on GitHub Looked Legit—It Was Malware Designed to Steal Your API Keys

Threat actors cloned a real Model Context Protocol server, manufactured fake GitHub credibility, and listed it on an MCP registry. Developers who installed it got StealC instead.


What Happened

Security researchers at STAR Labs (Straiker's AI Research) have uncovered a supply chain attack that weaponizes the Model Context Protocol, the open standard that connects AI assistants like Claude, ChatGPT, and Cursor to external tools and data sources. Attackers cloned a legitimate MCP server for the Oura Ring health tracker, injected malware into the code, and submitted the trojanized version to the MCP Market registry where developers discover and install MCP integrations.

Anyone who installed the fake server got SmartLoader, a malware loader that deploys the StealC infostealer. The payload targets exactly the kind of data sitting on a developer's machine: API keys, cloud credentials, browser passwords, and cryptocurrency wallets.

How They Made It Look Real

The operation followed a deliberate playbook to manufacture credibility:

  • The attackers created five fake GitHub accounts ("YuzeHao2023," "punkpeye," "dvlan26," "halamji," and "yzhao112") that forked the legitimate Oura MCP repository
  • A sixth account, "SiddhiBagul," hosted the trojanized version with the malicious payload embedded in the code
  • The fake accounts were added as "contributors" to the malicious repository, giving it the appearance of an active project with multiple developers. The original author was deliberately excluded
  • The trojanized server was then submitted to MCP Market, a registry where developers browse and install MCP integrations, where it appeared alongside legitimate alternatives

This is social engineering at the infrastructure level. The attackers did not exploit a vulnerability. They exploited trust: the assumption that a GitHub project with multiple contributors and a registry listing has been vetted.
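The contributor-list tricks described here are visible in ordinary repository metadata, which is what the "verify the source" advice later in this post asks you to read. The script below is an added example, not code from the original post or from the researchers: it applies three red-flag heuristics to repository and contributor records. The field names follow the GitHub REST API (a repo's `fork` flag and `parent.owner.login`, each contributor's `login` and `contributions`, each user's `created_at`); every record below is constructed with placeholder logins, and the two thresholds are assumptions.

```python
"""Red-flag checks for the manufactured-credibility pattern: a fork whose contributor
list drops the upstream author and is padded with young, single-commit accounts.
Added example, not code from the original post or from Straiker. Field names follow
the GitHub REST API (repo.fork, repo.parent.owner.login, contributors[].login and
.contributions, user.created_at); all records below are constructed, and the two
thresholds are assumptions."""
import datetime as dt

ACCOUNT_AGE_DAYS = 90   # assumed: accounts younger than this at repo creation count as "young"
MAJORITY = 0.5          # assumed: flag when at least this share of contributors looks suspicious


def _parse_ts(ts: str) -> dt.datetime:
    # GitHub timestamps are ISO 8601 with a trailing Z.
    return dt.datetime.fromisoformat(ts.replace("Z", "+00:00"))


def assess_repo(repo: dict, contributors: list[dict], users: dict[str, dict]) -> list[str]:
    """Return human-readable red flags; an empty list means none of the heuristics fired."""
    findings = []
    logins = [c["login"] for c in contributors]

    # 1. A fork that lists "contributors" but not the person who actually wrote the code.
    if repo.get("fork"):
        upstream = repo["parent"]["owner"]["login"]
        if upstream not in logins:
            findings.append(
                f"fork of {repo['parent']['full_name']} but upstream author "
                f"{upstream!r} is missing from the contributor list")

    # 2. Contributor accounts created shortly before (or even after) the repository itself.
    repo_created = _parse_ts(repo["created_at"])
    young = [login for login in logins
             if (repo_created - _parse_ts(users[login]["created_at"])).days < ACCOUNT_AGE_DAYS]
    if logins and len(young) / len(logins) >= MAJORITY:
        findings.append(
            f"{len(young)}/{len(logins)} contributor accounts were under {ACCOUNT_AGE_DAYS} "
            f"days old when the repo was created: {', '.join(young)}")

    # 3. A contributor list padded with accounts that each made exactly one commit.
    single = [c["login"] for c in contributors if c["contributions"] <= 1]
    if len(contributors) >= 3 and len(single) / len(contributors) >= MAJORITY:
        findings.append(f"{len(single)}/{len(contributors)} contributors have exactly one commit")
    return findings


# Constructed records (placeholder logins, not the accounts named in the article).
SUSPECT_REPO = {
    "full_name": "suspect-owner/oura-mcp-server",
    "fork": True,
    "parent": {"full_name": "upstream-author/oura-mcp-server",
               "owner": {"login": "upstream-author"}},
    "created_at": "2026-01-20T10:00:00Z",
}
SUSPECT_CONTRIBUTORS = [
    {"login": "suspect-owner", "contributions": 6},
    {"login": "padder-1", "contributions": 1},
    {"login": "padder-2", "contributions": 1},
    {"login": "padder-3", "contributions": 1},
    {"login": "padder-4", "contributions": 1},
    {"login": "padder-5", "contributions": 1},
]
UPSTREAM_REPO = {
    "full_name": "upstream-author/oura-mcp-server",
    "fork": False,
    "created_at": "2025-03-01T09:00:00Z",
}
UPSTREAM_CONTRIBUTORS = [
    {"login": "upstream-author", "contributions": 120},
    {"login": "helper", "contributions": 7},
]
USERS = {
    "suspect-owner": {"created_at": "2026-01-10T08:00:00Z"},
    "padder-1": {"created_at": "2026-01-12T08:00:00Z"},
    "padder-2": {"created_at": "2026-01-15T08:00:00Z"},
    "padder-3": {"created_at": "2025-12-30T08:00:00Z"},
    "padder-4": {"created_at": "2026-01-21T08:00:00Z"},   # created the day after the repo
    "padder-5": {"created_at": "2024-05-01T08:00:00Z"},
    "upstream-author": {"created_at": "2021-06-01T08:00:00Z"},
    "helper": {"created_at": "2022-09-15T08:00:00Z"},
}

if __name__ == "__main__":
    for line in assess_repo(SUSPECT_REPO, SUSPECT_CONTRIBUTORS, USERS):
        print("!!", line)
    print("upstream flags:", assess_repo(UPSTREAM_REPO, UPSTREAM_CONTRIBUTORS, USERS))
```

Against the constructed suspect repo all three heuristics fire; against the constructed upstream repo none do. None of these signals proves malice on its own (a young maintainer forking an abandoned project looks similar), which is why the output is a list of things to read before installing rather than a verdict.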

What the Malware Does

When a victim launches the downloaded package, the attack unfolds in stages:

  • A ZIP archive contains a legitimate Lua runtime (luajit.exe) alongside an obfuscated Lua script disguised as "module.class"
  • A batch-file launcher runs the Lua script through that legitimate interpreter, so controls that allowlist known executables see a clean luajit.exe and let the malicious script through
  • SmartLoader copies itself to %AppData% and registers persistence through Windows Task Scheduler under the name "SecurityHealthService," mimicking a real Windows service
  • The loader captures screenshots, collects system information, and sends both to its command-and-control servers; the data is only Base64-encoded, not encrypted
  • StealC is deployed as the final payload, systematically extracting browser passwords, authentication tokens, and cryptocurrency wallet files

In some variants, the campaign also deploys Rhadamanthys, a separate infostealer that injects into system processes to harvest email, FTP, and banking credentials.
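The loader chain above leaves static traces in the download itself before anything runs: a bundled interpreter, a batch launcher that calls it, a script hiding behind a non-script extension, and persistence strings aimed at Task Scheduler and %AppData%. The following script is an added example (not the researchers' tooling) that triages an unpacked directory for exactly those indicators. The `luajit.exe`, `module.class`, `SecurityHealthService` and `%AppData%` indicators come from the write-up; `lua.exe`/`lua51.dll`, the extension lists, and the two-marker rule for "looks like Lua" are assumptions, and the sample trees it builds are constructed placeholders with no real binary or payload.

```python
"""Static triage of an unpacked MCP 'server' download for the SmartLoader-style chain
described above. Added example, not code from the original post or from Straiker.
The sample trees are constructed; heuristics and thresholds are assumptions."""
import re
import tempfile
from pathlib import Path

# luajit.exe is named in the write-up; lua.exe and lua51.dll are assumed extras.
BUNDLED_INTERPRETERS = {"luajit.exe", "lua.exe", "lua51.dll"}
SCRIPT_EXTS = {".lua", ".py", ".js", ".mjs", ".ts", ".ps1", ".sh"}
DOC_EXTS = {".md", ".txt", ".json", ".toml", ".yaml", ".yml", ".lock"}
LAUNCHER_EXTS = {".bat", ".cmd"}
# Lua source tells: require two distinct markers so prose mentioning "function" is not flagged.
LUA_MARKERS = re.compile(rb"\blocal\b|\bfunction\b|\bloadstring\s*\(|\bload\s*\(|string\.char|\bdofile\b")
PERSISTENCE = {
    "schtasks /create": re.compile(rb"schtasks(\.exe)?\s+/create", re.I),
    "task named SecurityHealthService": re.compile(rb"SecurityHealthService", re.I),
    "copy into %APPDATA%": re.compile(rb"%APPDATA%|\\AppData\\Roaming", re.I),
}


def _mostly_printable(data: bytes) -> bool:
    if not data:
        return False
    printable = sum(b in (9, 10, 13) or 32 <= b < 127 for b in data)
    return printable / len(data) > 0.9


def triage(root: Path) -> list[str]:
    """Return human-readable findings; an empty list means nothing matched."""
    findings = []
    files = [p for p in root.rglob("*") if p.is_file()]
    interpreters = {p.name.lower() for p in files} & BUNDLED_INTERPRETERS
    for name in sorted(interpreters):
        findings.append(f"bundled interpreter shipped with the package: {name}")
    for p in files:
        data = p.read_bytes()
        ext = p.suffix.lower()
        if ext in LAUNCHER_EXTS:
            low = data.lower()
            for interp in sorted(interpreters):
                if interp.encode() in low:
                    findings.append(f"launcher {p.name} runs {interp} (clean interpreter, malicious script)")
            for label, pat in PERSISTENCE.items():
                if pat.search(data):
                    findings.append(f"launcher {p.name} contains {label}")
        elif ext not in SCRIPT_EXTS and ext not in DOC_EXTS and _mostly_printable(data):
            markers = {m.group(0) for m in LUA_MARKERS.finditer(data)}
            if len(markers) >= 2:
                findings.append(f"Lua source hidden behind extension {ext or '(none)'}: {p.name}")
    return findings


def build_trojanized_sample() -> Path:
    """Constructed stand-in for the malicious download: placeholder bytes, no real payload."""
    root = Path(tempfile.mkdtemp(prefix="mcp-triage-"))
    (root / "README.md").write_text("# Oura MCP server\nRun start.bat to launch the local server.\n")
    (root / "server.py").write_text("print('the real server code lives here')\n")
    (root / "luajit.exe").write_bytes(b"MZ" + b"\x00" * 64)       # placeholder, not an interpreter
    (root / "module.class").write_text(                            # Lua wearing a .class extension
        "local a=string.char;local b=load(a(112,114,105,110,116,40,49,41))b()\n")
    (root / "start.bat").write_text(
        "@echo off\n"
        "copy \"%~dp0luajit.exe\" \"%APPDATA%\\svc\\luajit.exe\" >nul\n"
        "schtasks /create /tn \"SecurityHealthService\" "
        "/tr \"%APPDATA%\\svc\\luajit.exe %APPDATA%\\svc\\module.class\" /sc onlogon /f\n"
        "\"%~dp0luajit.exe\" \"%~dp0module.class\"\n")
    return root


def build_clean_sample() -> Path:
    """Constructed stand-in for an ordinary Python MCP server checkout."""
    root = Path(tempfile.mkdtemp(prefix="mcp-clean-"))
    (root / "README.md").write_text("# Oura MCP server\nA local function reads ring data.\n")
    (root / "server.py").write_text("print('hello')\n")
    (root / "pyproject.toml").write_text("[project]\nname = 'oura-mcp'\n")
    return root


if __name__ == "__main__":
    for label, builder in (("clean", build_clean_sample), ("trojanized", build_trojanized_sample)):
        print(f"== {label} ==")
        for finding in triage(builder()) or ["no findings"]:
            print("  ", finding)
```

The check is deliberately cheap and offline: it is the kind of pass you can run on every download before `npx`, `uvx`, or a double-click on a launcher gets a chance to execute it. A clean Python or Node MCP server has no reason to ship a Lua interpreter, a Windows batch launcher, or a string naming a Windows service.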

Why Developers Are the Target

SmartLoader campaigns previously targeted users searching for game cheats and pirated software. The shift to MCP servers represents a calculated upgrade in victim value. A typical developer workstation contains:

  • API keys for cloud services like AWS, GCP, and Azure
  • SSH keys and access tokens for production infrastructure
  • OAuth tokens and session cookies for internal tools
  • Cryptocurrency wallet files and seed phrases
  • Source code and intellectual property

A single compromised developer machine can provide access to an entire organization's infrastructure. The MCP ecosystem, still young and growing rapidly, presents an ideal attack surface because developers are actively seeking new integrations and the vetting process for MCP registries is minimal.

How to Protect Yourself

The MCP ecosystem does not yet have the security controls that more mature package registries like npm or PyPI have developed over years of supply chain attacks. Until it does:

  • Verify the source of any MCP server before installing. Check that the GitHub repository matches the original author and has genuine commit history, not just forks and fake contributors
  • Audit MCP server code before running it. Look for obfuscated scripts, unexpected binary downloads, or persistence mechanisms
  • Keep an inventory of every MCP server installed on your development machines and review them periodically
  • Monitor for suspicious outbound traffic from development environments, especially to unfamiliar IP addresses
  • Store API keys and credentials in a dedicated secret manager rather than in .env files or browser password stores, which are the first places an infostealer looks
  • Use hardware security keys for critical infrastructure access so that stolen passwords alone are not enough to compromise production systems
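An inventory of installed MCP servers is easier than it sounds, because every client keeps its list in a small JSON file. The script below is an added example, not code from the original post: it parses the `mcpServers` object used by Claude Desktop's `claude_desktop_config.json` and Cursor's `mcp.json`, and the `servers` object used by VS Code's `.vscode/mcp.json`, then attaches the launch-shape red flags this campaign makes relevant (a launcher sitting in Downloads or AppData, a .bat/.cmd entry point, an unpinned `npx`/`uvx` package, a secret pasted straight into `env`). The three configs are constructed, the paths are placeholders, and the heuristics are assumptions.

```python
"""Inventory of MCP servers configured in local AI clients, with launch-shape red flags.
Added example, not code from the original post. The JSON shapes ("mcpServers" for
Claude Desktop and Cursor, "servers" for VS Code's .vscode/mcp.json) follow those
clients' config files; the configs below are constructed and the heuristics assumed."""
import json
import re
from pathlib import PureWindowsPath

USER_WRITABLE = re.compile(r"[\\/](Downloads|AppData|Temp|tmp)[\\/]", re.I)   # assumed heuristic
LAUNCHER_EXTS = {".bat", ".cmd"}
SECRET_KEY = re.compile(r"token|key|secret|passw", re.I)


def _pinned(tool: str, args: list[str]) -> bool:
    """True if the package handed to npx/uvx carries an explicit version."""
    pkgs = [a for a in args if not a.startswith("-")]
    if not pkgs:
        return True
    pkg = pkgs[0]
    if tool == "npx":
        body = pkg[1:] if pkg.startswith("@") else pkg   # skip a leading npm scope marker
        return "@" in body
    if tool == "uvx":
        return "==" in pkg or "@" in pkg
    return True


def inventory(configs: dict[str, str]) -> list[dict]:
    """One row per configured server: where it comes from, how it launches, what it flags."""
    rows = []
    for client, text in configs.items():
        doc = json.loads(text)
        servers = doc.get("mcpServers") or doc.get("servers") or {}
        for name, spec in servers.items():
            env = spec.get("env", {}) or {}
            if "command" not in spec:   # HTTP/SSE server: no local process to inspect
                rows.append({"client": client, "name": name, "command": spec.get("url", ""),
                             "args": [], "env_keys": sorted(env),
                             "flags": ["remote server (no local process)"]})
                continue
            cmd = spec["command"]
            args = list(spec.get("args", []) or [])
            flags = []
            leaf = PureWindowsPath(cmd)          # accepts both separators, so posix paths work too
            tool = leaf.name.lower()
            if USER_WRITABLE.search(cmd):
                flags.append("command lives in a download/temp/AppData path")
            if leaf.suffix.lower() in LAUNCHER_EXTS or tool in {"cmd", "cmd.exe"}:
                flags.append("batch/cmd launcher")
            if tool in {"npx", "uvx"} and not _pinned(tool, args):
                flags.append(f"{tool} package not pinned to a version")
            for key, value in env.items():
                if SECRET_KEY.search(key) and not str(value).startswith("${"):
                    flags.append(f"secret value inline in env: {key}")
            rows.append({"client": client, "name": name, "command": cmd,
                         "args": args, "env_keys": sorted(env), "flags": flags})
    return rows


# Constructed configs keyed by the file they stand in for (placeholder paths and packages).
CONFIGS = {
    "claude_desktop_config.json": json.dumps({"mcpServers": {
        "oura": {"command": "C:\\Users\\dev\\Downloads\\oura-mcp\\start.bat", "args": [],
                 "env": {"OURA_TOKEN": "oura_live_placeholder"}},
        "filesystem": {"command": "npx",
                       "args": ["-y", "@example/server-fs@1.4.2", "C:\\src"]},
    }}),
    ".vscode/mcp.json": json.dumps({"servers": {
        "github": {"type": "stdio", "command": "uvx", "args": ["example-github-mcp"],
                   "env": {"GITHUB_TOKEN": "${input:github-token}"}},
        "docs": {"type": "http", "url": "https://mcp.example.invalid/mcp"},
    }}),
}

if __name__ == "__main__":
    for row in inventory(CONFIGS):
        print(f"{row['client']:28} {row['name']:12} {row['command']}")
        for flag in row["flags"]:
            print(f"{'':41} !! {flag}")
```

Run against the constructed configs, the `oura` entry collects all three local red flags while the pinned `npx` server is clean and the `uvx` server is flagged only for the missing version. Pointing `CONFIGS` at the real files on a workstation gives the periodic review the bullet above asks for, and the `env_keys` column doubles as a list of secrets that should move into a secret manager.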

The broader lesson is familiar from npm, PyPI, and the Chrome Web Store: any open ecosystem where anyone can publish becomes a target for supply chain attacks. MCP is the newest addition to that list.