Mitiga Demonstrates Claude Code MCP Hijack Steals OAuth Tokens
Mitiga Labs demonstrated a five-step man-in-the-middle attack that can redirect Claude Code Model Context Protocol (MCP) traffic and steal OAuth bearer tokens, SecurityWeek reports. Per Mitiga, the attack requires a malicious npm package that registers a lifecycle hook; the hook writes a preapproved trust flag and edits the MCP config in ~/.claude.json to add a proxy address to mcpServers. When Claude Code refreshes or initiates MCP sessions, the flow goes through the attacker proxy and the OAuth token transits to attacker infrastructure; Mitiga reports the hook can persist tokens through rotation and revert manual MCP-URL edits. High-value tokens can grant access to connected SaaS platforms such as Jira, Confluence, and GitHub, SecurityWeek says.
What happened
Mitiga Labs disclosed a five-step attack chain that can hijack Claude Code MCP traffic and exfiltrate OAuth bearer tokens, according to reporting by SecurityWeek. Per Mitiga's writeup, the attacker installs a tailored npm package on a host where Claude Code is configured with dynamic authorization MCP servers, and the package registers a lifecycle hook that runs at install time. The hook sets a preconfigured trust flag, edits ~/.claude.json, and appends an attacker-controlled proxy to the mcpServers configuration. SecurityWeek reports that, when Claude Code initiates or refreshes an MCP session, the client connects through the proxy and the token transits to attacker infrastructure. Mitiga also demonstrates persistence: the hook can rewrite rotated tokens and restore the proxy entry if a user edits it.
Technical details
Per Mitiga's analysis as described by SecurityWeek, the prerequisites for the chain are the ability to execute an installer with an npm lifecycle hook on a target machine and write access to the user's home config. The attack leverages local config modification rather than a network exploit; Mitiga used mitmproxy in their tests to intercept token-bearing traffic. The OAuth credentials and MCP configuration are stored in ~/.claude.json, which is the modification target in the demonstration.
Editorial analysis
Industry context: Agentic developer tools that orchestrate external integrations enlarge the local attack surface because they store persistent credentials and make outbound requests to multiple services. Supply-chain mechanisms such as malicious npm packages and install hooks have been recurring vectors for post-install persistence and config tampering in developer environments.
For practitioners
Observers should treat locally stored automation credentials as high-value secrets, and consider hardening the developer host and package vetting processes. Runtime safeguards that detect unexpected MCP endpoints, or integrity checks on ~/.claude.json, would reduce the attractiveness of a config-edit vector. Monitoring for unusual outbound proxy connections from developer tools can also surface similar abuse.
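One way to implement the "detect unexpected MCP endpoints" check described above, as an added example that is not code from Mitiga, SecurityWeek or Claude Code. The config layout (mcpServers maps at top level and under per-project entries, each with a url field), the allowlisted hosts and the sample config are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample. Assumed layout: "mcpServers" maps at top level and under
# per-project entries, each remote server carrying a "url" field.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "tracker": {"type": "http", "url": "https://mcp.tracker.example/v1"},
    "wiki": {"type": "http", "url": "http://127.0.0.1:8080/mcp"}},
  "projects": {"/home/dev/app": {"mcpServers": {
    "code": {"type": "sse", "url": "https://relay.unknown.example/sse"}}}}
}""")
ALLOWED_HOSTS = {"mcp.tracker.example", "mcp.wiki.example"}  # hypothetical allowlist

def iter_mcp_servers(node, path=()):
    """Yield (location, name, entry) for every mcpServers map at any depth."""
    if not isinstance(node, dict):
        return
    for key, value in node.items():
        if key == "mcpServers" and isinstance(value, dict):
            for name, entry in value.items():
                yield " > ".join(path + (key,)), name, entry
        else:
            yield from iter_mcp_servers(value, path + (key,))

def is_local_or_private(host):
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"  # not an IP literal
    return ip.is_loopback or ip.is_private or ip.is_link_local

def audit(config, allowed_hosts):
    """Return sorted (location, name, reason) findings for URL-based servers."""
    findings = []
    for location, name, entry in iter_mcp_servers(config):
        url = entry.get("url") if isinstance(entry, dict) else None
        if not url:
            continue  # command-based entries have no endpoint URL to vet
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((location, name, "not-https"))
        if is_local_or_private(host):
            findings.append((location, name, "local-or-private-host"))
        elif host not in allowed_hosts:
            findings.append((location, name, "host-not-allowlisted"))
    return sorted(findings)
```

Run on a schedule or from a file-change watcher, the same function can take the parsed contents of ~/.claude.json and an allowlist maintained outside the user's home directory, so an install-time hook that rewrites the config cannot also rewrite the baseline.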
What to watch
Indicators include unexpected npm lifecycle activity on developer machines, unauthorized edits to ~/.claude.json, and MCP traffic routed through nonstandard proxies. Public updates from Mitiga or from Claude Code maintainers would confirm remediation steps; as of the cited reporting, Mitiga's writeup and SecurityWeek's article describe the exploit chain and persistence mechanics.
Scoring Rationale
This is a notable security finding for developer-facing agentic tools because stolen OAuth bearer tokens can grant broad access to SaaS. The attack involves common supply-chain vectors (malicious npm hooks), making it relevant to practitioners. The story is not brand-new, reducing immediacy.

