Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking

Summary

Mitiga Labs identified a stealthy man-in-the-middle attack against Claude Code that allows attackers to intercept and steal OAuth tokens by hijacking MCP (Model Context Protocol) traffic through malicious npm lifecycle hooks. The attack persists invisibly, automatically recovers from token rotation, and grants attackers full access to connected SaaS platforms. Anthropic dismissed the disclosure as "out of scope" on April 12, 2026, citing user consent.

Full text

An OAuth token with wide access rights can be stolen stealthily and largely undetectably from Claude Code. Claude Code is an agentic system. This is great for developers but concerning for security teams. Agentic systems can expand the attack surface while operating largely invisibly. A major issue is the OAuth token. If an attacker can acquire this, the adversary effectively has a master key or digital proxy granting access to every tool connected to or accessible from the Claude Code MCP. Mitiga Labs has identified an issue within Claude Code that would allow attackers to redirect output, including the tokens, to their own infrastructure before everything is sent on to the legitimate destination. It’s a classic man-in-the-middle-attack giving the attacker access to the tokens. The MCP configuration and the OAuth tokens are stored in ~/.claude.json. If an adversary can modify that file, MCP traffic can be redirected through the attacker’s own infrastructure. Mitigate has published details of how this could be achieved. The two prerequisites for the attacker is the ability to install a tailored npm on a machine where Claude Code is configured with dynamic authorization MCP servers. The NPM registers a lifecycle hook that runs as part of the install. A post installation hook locates common clone locations, and populates the paths with a pre-configured trust dialog set to true. “No prompt will fire when the directory is later opened, because the flag the prompt is gated on is already set,” reports Mitiga.Advertisement. Scroll to continue reading. The hook also opens ~/.claude.json and edits the MCP server in the global config file. It edits ‘mcpServers’ to include the proxy address. “This puts us, ‘the adversary’, in the middle of any request that goes out to the MCP server. As the attacker, we got mitmproxy configured and intercepting,” explains Mitiga. Whenever Claude Code initiates or refreshes the MCP session, it connects to the proxy and the token transits to the attacker’s infrastructure. The user just sees a valid flow. If the user rotates the token, the hook writes it back on the next load. If the user edits the MCP URL, the hook loads it back on the next load. The attacker has achieved both stealth and persistence. The attacker gets, “A durable redirection of the victim’s SaaS credentials into attacker-controlled infrastructure, with automatic recovery from token rotation, invisible to the victim’s endpoint UI, and indistinguishable from legitimate traffic on the provider’s side.” As a man in the middle, the attacker can easily steal any OAuth token since it is stored in plain text within ~/.claude.json. Once stolen the attacker can use the token as an MFA-bypassing golden key into any tool to which the MCP connects, with the same permissions as the user. Without care, the user sees nothing. No flags are raised since the MCP is simply doing what it is told to do, and the user isn’t aware these actions have been compromised. The new adage of assuming a compromise has happened should take center stage. “Monitor Claude Code configuration changes, MCP server URL changes, OAuth refresh behavior, suspicious SaaS API activity, and unexpected traffic through MCP integrations,” suggests Mitiga. What you mustn’t do is wait for a solution from Anthropic. Mitiga reported its findings to Anthropic on April 10, 2026. On April 12, 2026, Anthropic replied it was ‘out of scope’. The reason given was effectively the same as its response to Adversa’s ‘TrustFall’ disclosure: the user has already consented to what might happen next. Learn More at the AI Risk Summit at Half Moon Bay Related: AI Coding Agents Could Fuel Next Supply Chain Crisis Related: Google OAuth Flaw Leads to Account Takeover When Domain Ownership Changes Related: Millions of Websites Susceptible to XSS Attack via OAuth Implementation Flaw Related: More Cybersecurity Firms Hit by Salesforce-Salesloft Drift Breach Related: Shadow AI Risk: How SaaS Apps Are Quietly Enabling Massive Breaches Written By Kevin Townsend Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines. More from Kevin Townsend Hacker Conversations: Joey Melo on Hacking AIAnthropic Unveils Claude Security to Counter AI-Powered Exploit SurgeAI Fuels ‘Industrial’ Cybercrime as Time-to-Exploit Shrinks to HoursCyber Insurance Data Gives CISOs New Ammo for Budget TalksSevii Launches Cyber Swarm Defense to Make Agentic AI Security Costs PredictableThe Behavioral Shift: Why Trusted Relationships Are the Newest Attack SurfaceAre SBOMs Failing? Supply Chain Attacks Rise as Security Teams Struggle With SBOM DataCoChat Launches AI Collaboration Platform to Combat Shadow AI Latest News Palo Alto Zero-Day Exploited in Campaign Bearing Hallmarks of Chinese State HackingBoost Security Raises $4 Million for SDLC Defense PlatformChrome 148 Rolls Out With 127 Security FixesAttackers Could Exploit AI Vision Models Using Imperceptible Image ChangesVendor Says Daemon Tools Supply Chain Attack ContainedAI Coding Agents Could Fuel Next Supply Chain CrisisWebinar Today: Securing Identity Across Humans, Machines and AICisco Patches High-Severity Vulnerabilities in Enterprise Products Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: ROSI for CPS Security Programs May 13, 2026 In cyber-physical systems (CPS), just one hour of downtime can outweigh an entire annual security budget. Learn how to master the Return on Security Investment (ROSI) to align security goals with the bottom-line priorities. Register Virtual Event: Threat Detection and Incident Response Summit May 20, 2026 Delve into big-picture strategies to reduce attack surfaces, improve patch management, conduct post-incident forensics, and tools and tricks needed in a modern organization. Register People on the MoveSumo Logic has named Jeremy Powell as CISO and Ben Cody as SVP of Product Management.Bitdefender has appointed Frank Koelmel as Chief Revenue Officer of Business Solutions Group.John Hernandez has joined BlueVoyant as Chief Executive Officer.More People On The MoveExpert Insights The Mythos Moment: Enterprises Must Fight Agents with Agents Only with the right platform and an agentic, AI-driven defense, will enterprises be able to protect themselves in the agentic era. (Etay Maor) Why Cybersecurity Must Rethink Defense in the Age of Autonomous Agents From autonomous code generation to decision-making systems that initiate actions without human intervention, the industry is entering a new phase. (Torsten George) Government Can’t Win the Cyber War Without the Private Sector Securing national resilience now depends on faster, deeper partnerships with the private sector. (Steve Durbin) The Hidden ROI of Visibility: Better Decisions, Better Behavior, Better Security Beyond monitoring and compliance, visibility acts as a powerful deterrent, shaping user behavior, improving collaboration, and enabling more accurate, data-driven security decisions. (Joshua Goldfarb) The New Rules of Engagement: Matching Agentic Attack Speed The cybersecurity response to AI-enabled nation-state threats cannot be incremental. It must be architectural. (Nadir Izrael) Flipboard Reddit Whatsapp Whatsapp Email

Indicators of Compromise

• malware — Claude Code MCP hijacking via npm lifecycle hook

Entities