Cybersecurity researchers have discovered a vulnerability in Anthropic’s Claude Code that could allow attackers to silently steal OAuth tokens by hijacking MCP (Model Context Protocol) traffic. The issue was identified by researchers at Mitiga Labs, who warned that attackers could gain persistent access to connected SaaS platforms and developer tools through a stealthy man-in-the-middle attack.
According to the researchers, the attack targets the ~/.claude.json configuration file used by Claude Code. By modifying this file, attackers can redirect MCP traffic through attacker-controlled infrastructure without the user noticing. Since OAuth tokens used for integrations are stored in plaintext inside the same configuration file, attackers can intercept and reuse them to access services connected to Claude Code.
The report explained that the attack begins with a malicious npm package that contains hidden post-install scripts. Once installed on a developer’s machine, the package automatically edits Claude Code configurations, pre-approves trusted directories, and inserts malicious hooks that reroute MCP server traffic through a proxy controlled by the attacker. This enables the interception of OAuth bearer tokens during authentication and token refresh operations.
Researchers noted that the stolen OAuth tokens could provide broad and long-lasting access to services such as Jira, Confluence, GitHub, databases, and internal enterprise systems connected through MCP integrations. Because the requests continue to appear as legitimate traffic originating from Anthropic’s infrastructure, detecting the compromise becomes extremely difficult for organizations.
Mitiga Labs also warned that simply rotating compromised tokens may not fully solve the issue. The malicious hooks reportedly continue rewriting the MCP configuration files every time Claude Code loads, allowing attackers to capture newly refreshed tokens repeatedly and maintain persistence on the system.
The vulnerability was reportedly disclosed to Anthropic in April 2026. According to the researchers, Anthropic classified the issue as “out-of-scope” because the attack requires prior code execution on the victim’s machine through a malicious package installation. However, security experts argue that the attack chain demonstrates how AI coding assistants and connected SaaS ecosystems can significantly expand enterprise attack surfaces.
Security researchers advised organizations using Claude Code to monitor changes to ~/.claude.json, track new MCP endpoints or unexpected localhost proxy connections, and review unusual SaaS activity tied to AI workflows. They also recommended auditing installed npm packages and closely monitoring OAuth token usage patterns to reduce the risk of compromise.
