
GitHub Nuked 13 of 14 SmartLoader MCP Typosquats Today. The Survivor Has a 2020 Account.

  • Writer: Patrick Duggan

And the survivor's payload is sitting in a folder named "entach."


May 4, 2026 · Patrick Duggan, DugganUSA LLC




This morning Dredd MCP, our pre-flight firewall for the Model Context Protocol ecosystem, flagged 14 GitHub repos that pose as helpful MCP servers but whose URLs URLhaus attributes to a malware family called SmartLoader. By 9 PM Central, GitHub had wiped 13 of them. Not just the repos. The owner accounts. Gone.


One survived: FezAreCool/mcp-claude-hackernews. The README is AI-bait copy promising a Hacker News integration for Claude Desktop. The actual payload is two zip files inside a folder named "entach."


This is what a coordinated MCP-themed slice of a much larger malware-distribution campaign looks like in 2026.



What we caught


The 14 repos all flagged as severity "high" with the same compromise family: SmartLoader. All detected May 4, 2026. All sourced via feed-urlhaus — meaning these MCPs reach raw GitHub URLs that URLhaus has tagged as malicious.


The repos, listed as owner/repo:


  • beamstar/cheatengine-mcp-bridge

  • jowafanene123-cmyk/mcp-accessibility-bridge

  • boat077/mail-mcp-bridge

  • tkboys123/whatsapp-bridge-mcp

  • swit2025/context-bridge-mcp

  • betinhocapoeira/mcp-bsl-lsp-bridge

  • alyamani18/mcp-agent-bridge

  • bioeu/agentic-mcp-skill

  • yisak2468/pocketmcp

  • 19960307moon/mcpshim

  • fezarecool/mcp-claude-hackernews — survivor

  • taejina/acemcp

  • sjjsjj2554/sitecoremcp

  • arbolescontract/codex-mcp-go

The naming pattern is "credible-sounding-noun-mcp" or "mcp-credible-sounding-noun." WhatsApp, Sitecore, Hacker News, Cheat Engine, code-bsl-lsp. Every one bait-shaped to ride a hype curve.



The takedown


We detected at dawn UTC. By the evening probe, 13 of 14 owner accounts returned HTTP 404 from the GitHub API. So did their repos.


GitHub didn't just unpublish the projects. They nuked the user accounts. The velocity heuristic at github.com — newly-created accounts with zero history publishing repos that match abuse signatures — fired across the board.


Dredd MCP and GitHub Trust & Safety landed on the same answer the same day, working separately. We named them. They erased them.



The survivor


FezAreCool/mcp-claude-hackernews is the one repo Dredd flagged that GitHub did not take down.


Why?


The account was created February 28, 2020. Five-plus years of "history," even if that history is "zero followers, zero following, one repo." Velocity heuristics that scoop up accounts created Tuesday don't touch accounts created during a Trump impeachment.


Inside the repo are two files in a folder called entach:


  • hackernews_mcp_claude_v1.9.zip — 510 KB

  • mcp-claude-hackernews.zip — 1.3 MB

The repo's README is florid AI-generated copy: emojis, "User-Friendly Interface," "Customizable Settings," and a step-by-step "Click here to download" walkthrough that points to the Releases page, where a freshly-built Windows .exe and macOS .pkg would be served. The README also lists "Topics," an SEO smear that includes anthropic, claude, claude-desktop, mcp, mcp-server, model-context-protocol, llm, hackernews, hacker-news, hn, integration. Drafted to surface in every plausible search.


The URLs to those zip files are in our IOC index — sourced from URLhaus, attribution "feed-urlhaus." They are not benign.


This is the SmartLoader playbook: a credible front, an old enough operator account to evade velocity flags, payloads served from raw.githubusercontent.com URLs.



The campaign behind these 14


Dredd MCP found 14 SmartLoader-typosquatted MCP repos. Our IOC index has 2,411 SmartLoader URLs total — not 14, not 100, two thousand four hundred and eleven. A 200-URL sample of the broader campaign returned 143 unique operator accounts distributing payloads from raw.githubusercontent.com.


Top operators by URL count in that sample:


  • hello32423423 — 21

  • xbox360modderv3 — 14

  • GabrielW13Nai — 5

  • Administrator-hub — 4

  • evilgrou-tech — 4

  • m1-nc, tip27ice, Gabssama12 — 3 each

The 14 MCP-themed accounts are a thin slice of a campaign that is using GitHub as a malware CDN at scale. SmartLoader is shipped via raw URLs. Each operator account is a billboard. Some get scrubbed in hours. The older ones, like FezAreCool, persist longer because they evade the velocity gate.



How Dredd MCP found these


Two indexes correlated.


mcp_servers — our snapshot of the official MCP Registry, ~66,000 servers from the public ingest, refreshed daily.


iocs — 1.13M+ indicators we pull from STIX feeds, vendor blogs, ThreatFox, URLhaus, Mandiant, Unit 42, our own honeypots. SmartLoader is in there with ~2.4K URLs.


Dredd MCP's correlator joins them. For each MCP server's GitHub repository URL, it asks "is this URL or any URL under this owner's tree present in iocs as malicious?" When the answer is yes, a finding gets minted in mcp_findings, severity scored, ready to surface to clients via the pre-flight verdict tool.


That correlator runs twice a day. Today's run minted 14 high-severity findings before GitHub had ever had a chance to react.
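The owner-tree join described above, and the per-operator URL count from the campaign section, sketched as an added example (this is not Dredd MCP's code). The record fields `name`, `repository`, `url` and `family` are assumed, and the sample data is constructed. Owner and repo names are case-folded because GitHub treats them case-insensitively, which is why "FezAreCool" and "fezarecool" are the same account.

```python
from collections import Counter
from urllib.parse import urlsplit

GITHUB_HOSTS = {"github.com", "www.github.com", "raw.githubusercontent.com"}

def owner_repo(url):
    """Return (owner, repo), lowercased, for a GitHub web or raw URL; else None."""
    parts = urlsplit(url if "://" in url else "https://" + url)
    if (parts.hostname or "").lower() not in GITHUB_HOSTS:
        return None
    segs = [s.lower() for s in parts.path.split("/") if s]
    if not segs:
        return None
    repo = segs[1] if len(segs) > 1 else None
    if repo and repo.endswith(".git"):
        repo = repo[:-4]  # clone URLs carry a .git suffix, raw URLs do not
    return segs[0], repo

def correlate(servers, iocs):
    """Flag servers whose repo, or any repo under the same owner, is in the IOCs."""
    by_owner = {}
    for ioc in iocs:
        key = owner_repo(ioc["url"])
        if key:
            by_owner.setdefault(key[0], []).append((key[1], ioc["family"]))
    findings = []
    for srv in servers:
        key = owner_repo(srv["repository"])
        hits = by_owner.get(key[0]) if key else None
        if not hits:
            continue
        exact = key[1] is not None and any(repo == key[1] for repo, _ in hits)
        findings.append({"server": srv["name"],
                         "match": "repo" if exact else "owner-tree",
                         "families": sorted({fam for _, fam in hits}),
                         "ioc_count": len(hits)})
    return findings

def operators_by_url_count(iocs):
    """Rank GitHub owners by how many IOC URLs they host."""
    keys = (owner_repo(i["url"]) for i in iocs)
    return Counter(k[0] for k in keys if k).most_common()

# Constructed sample data (not real indicators); field names are assumptions.
SAMPLE_IOCS = [
    {"url": "https://raw.githubusercontent.com/Example-Op1/mcp-demo-bridge/main/a.zip", "family": "SmartLoader"},
    {"url": "https://github.com/example-op1/other-tool/raw/main/b.zip", "family": "SmartLoader"},
    {"url": "https://raw.githubusercontent.com/example-op2/cheats/main/c.zip", "family": "SmartLoader"},
    {"url": "http://203.0.113.7/payload.bin", "family": "SmartLoader"},  # not GitHub: skipped
]
SAMPLE_SERVERS = [
    {"name": "demo-bridge", "repository": "https://github.com/example-op1/MCP-Demo-Bridge.git"},
    {"name": "notes-mcp", "repository": "https://github.com/example-op2/notes-mcp"},
    {"name": "clean-mcp", "repository": "https://github.com/example-clean/clean-mcp"},
]
```

An "owner-tree" match is weaker evidence than a "repo" match, so a consumer may want to score the two differently.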



What this means for you


If you run Claude Desktop, Cursor, Claude Code, Continue, or any MCP-aware agent: the registry is open. Anyone can list. The naming heuristic is wide open. "mcp-something-helpful" is a billboard for both real builders and supply-chain operators.


The pre-flight check is the answer. Dredd MCP renders an HMAC-signed verdict — BLOCK, ADVISORY, or ALLOW — before your agent invokes anything. It is free, read-only, and lives at analytics.dugganusa.com/api/v1/dredd/mcp on the official MCP Registry. Three lines in your client config and it watches every dependency, every tool surface, every remote URL the server tries to reach.


If you do not want to install yet: the public watchtower at analytics.dugganusa.com lists active findings in real time. Browse the findings page directly to see what's been caught today.



What this means for the campaign


GitHub Trust & Safety did the right thing today. Thirteen accounts off the platform within hours. That tempo is the only language operators understand.


The survivors are the ones with patience. Older accounts. Lower-velocity uploads. Boring-sounding names. They are the ones who go undetected longest.


We are going to keep finding them. And we are going to keep naming them on this page.


The receipts do the work.


— Patrick Duggan, DugganUSA LLC, Minneapolis · 2026-05-04




Receipts: scheduler logs, mcp_findings index, iocs index, and the GitHub API 404 sweep are all archived in our research dump. The full data set is available to STIX feed customers via the standard endpoint at analytics.dugganusa.com/api/v1/stix-feed.


95% epistemic ceiling, as always. We assume 5% of any complex assessment is wrong. The 13/14 takedown is verified by HTTP probe. The SmartLoader correlation is verified by URLhaus attribution. The "143 operator accounts" count is from a 200-URL sample — true total is higher.



