Mitiga Finds MCP Hijack Enables OAuth Token Theft

Reporting by ITSecurityNews, which indexes SecurityWeek, cites Mitiga researchers who say attackers can silently redirect Claude Code MCP traffic, intercept OAuth tokens, and maintain persistent access to connected SaaS platforms. The ITSecurityNews item attributes the core finding to Mitiga; the original Mitiga report is referenced in that coverage.

OriginHQ published a technical writeup that traced a named pipe on Windows, named claude-mcp-browser-bridge-{USERNAME}, to a local native host chrome-native-host.exe in Claude's AppData directory and found the pipe accepts up to five concurrent clients and performs no client authentication, according to Origin's post. The Origin writeup shows the native host forwards MCP tool requests between local MCP clients and the browser extension, and that the pipe is discoverable by name and accessible per Windows ACLs described in the post.

A dev.to post documents how the claude CLI stores a refresh credential at ~/.claude/.credentials.json, supports headless operation, and auto-refreshes tokens during a session. The dev.to author demonstrates that a local process with file or IPC access can reuse those credentials to invoke Claude functionality without a web login. A Cognee blog post about alternative CLI integrations further illustrates the common pattern of agent sessions caching credentials in a local file during a session, citing a resolved.json cache in that implementation.

Editorial analysis: These separate reports map onto a classic local token-exfiltration pattern: an unauthenticated local IPC bridge plus locally cached refresh tokens creates an adversary-in-the-middle opportunity when an attacker has code execution or local access. Security writeups from Origin and dev.to provide the mechanistic details that Mitiga highlights at a research level, while Cognee and Aembit coverage frame the broader MCP and CLI auth tradeoffs that make passthrough and local caching frequent targets.

Editorial analysis: For practitioners, this is notable because it highlights how agent frameworks and local developer tooling blur traditional trust boundaries between browser extensions, native hosts, and CLI tools. Local compromise or a malicious local process can lead to cloud token theft even when remote endpoints implement standard OAuth controls, because refresh tokens and native host bridges can be replayed or proxied by a local adversary. Public-facing mitigations and detection skills, such as the OAuth Token Theft Detection skill listed on MCP Market, focus on identity protection, token revocation, and endpoint telemetry, which aligns with the technical attack surface described in the posts.

• •Indicators of compromise on endpoints hosting MCP clients: unexpected named pipes or additional processes connecting to chrome-native-host.exe, as documented by Origin.
• •Presence of locally cached credentials or file permissions that expose ~/.claude/.credentials.json or equivalent caches, as demonstrated in the dev.to writeup and Cognee examples.
• •Uptake of detection or mitigation tooling that enforces token protection, Continuous Access Evaluation, or real-time session revocation; MCP Market and Aembit commentary list these as defensive options.