Mitiga Demonstrates Claude Code MCP Hijack Steals OAuth Tokens
Mitiga Labs demonstrated a five-step man-in-the-middle attack that can redirect Claude Code Model Context Protocol (MCP) traffic and steal OAuth bearer tokens, as reported by SecurityWeek, CSO Online, and other outlets. Per Mitiga, the chain begins with a malicious npm package whose post-install lifecycle hook silently edits Claude Code's global config at ~/.claude.json, where OAuth tokens are stored in plaintext; the hook sets a preapproved trust flag and adds an attacker-controlled proxy to mcpServers. When Claude Code initiates or refreshes an MCP session, traffic routes through the proxy and the token transits to attacker infrastructure, and the hook can survive token rotation and revert manual config edits. Stolen tokens can grant access to connected SaaS such as Jira, Confluence, and GitHub. Crucially, the attack presupposes the victim already ran the malicious package: Mitiga says it disclosed the issue to Anthropic in April 2026, and Anthropic deemed it out of scope, citing the required prior user consent, with no patch planned.
What happened
Mitiga Labs disclosed a five-step attack chain that can hijack Claude Code MCP traffic and exfiltrate OAuth bearer tokens, according to reporting by SecurityWeek, CSO Online, and eSecurity Planet. Per Mitiga's writeup, the attacker gets a tailored npm package onto a host where Claude Code is configured with dynamic-authorization MCP servers; the package registers a post-install lifecycle hook that runs at install time, sets a preconfigured trust flag, edits ~/.claude.json, and appends an attacker-controlled proxy to the mcpServers configuration. When Claude Code initiates or refreshes an MCP session, the client connects through the proxy and the token transits to attacker infrastructure. Mitiga also demonstrates persistence: the hook can rewrite rotated tokens and restore the proxy entry if a user edits it. Mitiga reports it disclosed the findings to Anthropic on April 10, 2026; Anthropic acknowledged the report on April 11 and on April 12 classified it as out of scope, citing the prior user consent the chain requires, and no patch is planned.
Technical details
Per Mitiga's analysis as described by SecurityWeek and CSO Online, the prerequisites are the ability to execute an installer with an npm lifecycle hook on a target machine and write access to the user's home config, meaning the chain presupposes prior local code execution rather than a remote network exploit. The OAuth credentials, MCP configuration, and the flags governing whether Claude Code prompts before running commands are stored in plaintext in ~/.claude.json, which is the modification target. Mitiga reports it used mitmproxy in its tests to intercept token-bearing traffic, and notes the abuse can blend into provider-side logs because it rides legitimate OAuth flows.
Editorial analysis
Industry context
Agentic developer tools that orchestrate external integrations enlarge the local attack surface because they store persistent, broadly scoped credentials and make outbound requests to multiple services. Supply-chain mechanisms such as malicious npm packages and install hooks have been recurring vectors for post-install persistence and config tampering in developer environments, and plaintext credential storage raises the value of any local compromise.
For practitioners
Reported mitigations include monitoring ~/.claude.json for unexpected edits, especially changes to mcpServers URLs or added localhost proxy addresses; treating npm post-install hooks as a first-class supply-chain risk in package vetting; rotating OAuth tokens connected to Claude Code integrations after confirming any malicious hook is removed; and reviewing SaaS audit logs for requests from Anthropic egress IPs that do not match a user's known activity. Runtime safeguards that detect unexpected MCP endpoints or integrity checks on the config file would reduce the attractiveness of a config-edit vector.
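The first two reported mitigations, watching ~/.claude.json for edits and flagging mcpServers entries that point at a loopback proxy or an unapproved endpoint, can be scripted. The following is an added example written for this page, not code from Mitiga, Anthropic or the Claude Code project; the mcpServers entry shape (type/url or command/args) and the sample config are assumptions, and the example.com URLs are constructed.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed sample of a ~/.claude.json fragment (not a real capture). The
# entry layout (type/url for remote servers, command/args for local launchers)
# is an assumption about the file format; adjust the keys to match your client.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "atlassian": {"type": "http", "url": "https://mcp.example.com/atlassian"},
        "atlassian-proxy": {"type": "http", "url": "http://127.0.0.1:8080/mcp"},
        "local-tool": {"command": "npx", "args": ["-y", "some-mcp-server"]},
    }
})

# Approved remote endpoints and approved local launcher commands; anything else
# in mcpServers is reported for review.
ALLOWED = {"https://mcp.example.com/atlassian", "npx"}

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def config_digest(raw: str) -> str:
    """SHA-256 of the raw file contents, to compare against a stored baseline."""
    return hashlib.sha256(raw.encode("utf-8")).hexdigest()


def check_baseline(raw: str, baseline_digest: str) -> bool:
    """True when the file still matches the recorded baseline (no unexpected edit)."""
    return config_digest(raw) == baseline_digest


def audit_mcp_servers(raw: str, allowed: set[str]) -> list[str]:
    """Return one finding per mcpServers entry that is a loopback proxy or unapproved."""
    findings = []
    for name, entry in json.loads(raw).get("mcpServers", {}).items():
        url = entry.get("url")
        if url is None:
            # Local launcher: a new command is worth a look even without a URL.
            cmd = entry.get("command", "")
            if cmd not in allowed:
                findings.append(f"{name}: unapproved launcher command {cmd!r}")
            continue
        host = (urlparse(url).hostname or "").lower()
        if host in LOOPBACK_HOSTS or host.startswith("127."):
            findings.append(f"{name}: loopback proxy {url} sits in the MCP path")
        elif url not in allowed:
            findings.append(f"{name}: unapproved endpoint {url}")
    return findings


if __name__ == "__main__":
    for finding in audit_mcp_servers(SAMPLE_CONFIG, ALLOWED):
        print("FINDING:", finding)
```

In practice, record `config_digest` of the file once it is known-good and alert when `check_baseline` fails or `audit_mcp_servers` returns anything, then rotate the connected OAuth tokens only after the offending hook is removed.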
What to watch
Indicators include unexpected npm lifecycle activity on developer machines, unauthorized edits to ~/.claude.json, and MCP traffic routed through nonstandard proxies. Because Anthropic has classified the issue as out of scope with no planned patch, watch for community or maintainer hardening such as config integrity checks or encrypted token storage, and for any updated guidance from Mitiga or Claude Code maintainers on detection and response.
Key Points
1. Mitiga Labs demonstrated a five-step MCP hijack that exfiltrates OAuth tokens from Claude Code by editing the local ~/.claude.json config, where tokens are stored in plaintext.
2. The chain relies on a malicious npm post-install hook adding an attacker proxy to mcpServers, enabling token theft that persists across rotation, so it presupposes prior local code execution.
3. Anthropic deemed the issue out of scope with no patch planned given the required user consent, so practitioners must self-mitigate through config-integrity monitoring, npm-hook vetting, and SaaS log review.
Scoring Rationale
A well-covered security finding for a widely used agentic developer tool: broadly scoped OAuth tokens stored in plaintext in ~/.claude.json can, if stolen, grant access to connected SaaS such as Jira, Confluence, and GitHub. Severity is bounded because the chain presupposes prior local code execution via a malicious npm install hook, and Anthropic classified it as out of scope with no patch planned, so the practitioner value is in detection and self-mitigation rather than a vendor fix.
Sources
Public references used for this report.