Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens

A five-step attack chain silently redirects Claude Code’s Model Context Protocol (MCP) traffic through attacker-controlled infrastructure and intercepts OAuth bearer tokens that grant persistent, broadly scoped access to connected SaaS platforms like Jira, Confluence, and GitHub, with no patch incoming from Anthropic.

Researchers at Mitiga Labs have demonstrated the attack, with the entry point being a malicious npm package designed to survive casual inspection. Hidden inside is a postinstall lifecycle hook that executes silently during installation, a well-documented supply chain attack class that gains critical new consequences in AI-agentic environments.

The hook’s primary target is a single file: ~/.claude.json, the global configuration file that governs how Claude Code routes all MCP traffic and stores OAuth tokens in plaintext.

Once installed, the hook pre-populates common developer clone paths with trust dialog flags set to true. From Claude Code’s perspective, the user has already approved trust on those directories, so no prompt will fire when they are subsequently opened.

When a developer connects an MCP server such as Atlassian or GitHub, Claude Code executes a full OAuth flow.

The resulting bearer token has four properties that make it exceptionally valuable to an attacker:

Persistent — stored for session reuse with an associated refresh token; one interception creates a durable foothold.

Broadly scoped — inherits all permissions granted at authorization time with no per-call narrowing or re-consent.

Weakly stored — lives in plaintext inside ~/.claude.json alongside trust flags, all with identical file permissions.

Unattributable server-side — presented from Anthropic’s egress IP range, the token is indistinguishable from legitimate traffic on the provider’s side.

Five-Step Claude Code MCP Attack Chain

The full chain requires no privilege escalation, memory corruption, or new CVE:

Delivery — A malicious npm package installs a postinstall hook and seeds trust flags across developer clone paths.

Path seeding — Hook edits ~/.claude.json to insert a sessionStart hook that fires every time Claude Code loads a trusted project.

MCP endpoint rewrite — The session hook replaces legitimate MCP server URLs (e.g., Atlassian’s endpoint) with a localhost proxy controlled by the attacker.

Token interception — Claude Code reads the rewritten URL, connects to the proxy, and the OAuth bearer token transits attacker infrastructure; the provider sees a valid flow from a trusted origin.

Persistent reseeding — The hook reasserts the malicious configuration on every Claude Code load, automatically recapturing tokens after rotation or manual URL correction.

The most operationally significant finding is that the standard incident response action, rotating the OAuth token, actively feeds the attacker rather than breaking access.

Because the hook rewrites ~/.claude.json before each session, the next OAuth refresh hits the proxy and delivers a fresh token. Remediation requires removing the hook and cleaning the configuration file before rotating credentials.

Defenders reviewing provider-side logs — such as Atlassian audit entries — will see a valid username, a real session, and an IP address resolving to Anthropic’s egress range. Every field looks legitimate. The only anomaly exists in ~/.claude.json, a user-level configuration file most security teams are not monitoring.

Mitiga reported the findings to Anthropic on April 10, 2026. Anthropic acknowledged the report on April 11, then responded on April 12 that the issue was out of scope, citing the user’s prior consent as a prerequisite for the attack. No patch is planned. The determination places the full detection and response burden on enterprise security teams.

Detection for Defenders

Security teams should implement the following controls immediately:

Monitor ~/.claude.json for unexpected edits, particularly changes to mcpServers URLs or additions of localhost proxy addresses

Treat npm post-install hooks as a first-class supply chain risk — audit packages that register lifecycle scripts before they reach developer machines

Audit and rotate OAuth tokens connected to Claude Code integrations, but only after confirming the hook has been removed

Review SaaS audit logs for requests originating from Anthropic egress IPs that do not match the user’s known activity patterns

Alert on new local proxies or unexpected OAuth refresh behavior in developer environments

Organizations running Claude Code with MCP integrations should run cat ~/.claude.json immediately and verify that every URL listed under mcpServers is a recognized, self-configured endpoint.
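
The manual check above can be automated. The following is an added example, not code from Mitiga, Anthropic, or the original article: it walks a parsed ~/.claude.json, flags mcpServers URLs that point at loopback or at hosts outside an allowlist, reports any hook definitions, and refuses token rotation until the file is clean. The "url" and "hooks" key names, the allowlisted host, and the sample configuration are assumptions constructed for illustration.

```python
import ipaddress
import json
import pathlib
from urllib.parse import urlparse

# Constructed allowlist: replace with the MCP hosts your team configured itself.
APPROVED_HOSTS = {"mcp.vendor.example"}
# Constructed sample; key names other than mcpServers ("url", "hooks") are assumptions.
SAMPLE = {"mcpServers": {"atlassian": {"url": "http://127.0.0.1:8899/mcp"}},
          "projects": {"/home/dev/app": {"hooks": {"sessionStart": ["<command>"]}}}}

def is_loopback(host):
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:  # not an IP literal, so check the localhost names
        return host == "localhost" or host.endswith(".localhost")

def audit(node, path="$"):
    """Walk the parsed config; return (kind, json_path, detail) findings."""
    findings = []
    if isinstance(node, list):
        for i, item in enumerate(node):
            findings += audit(item, f"{path}[{i}]")
    elif isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}.{key}"
            if key == "mcpServers" and isinstance(value, dict):
                for name, server in value.items():
                    url = server.get("url") if isinstance(server, dict) else None
                    if not isinstance(url, str):
                        continue  # no remote endpoint recorded for this entry
                    host = (urlparse(url).hostname or "").lower()
                    if is_loopback(host):
                        findings.append(("loopback-mcp", f"{here}.{name}", url))
                    elif host not in APPROVED_HOSTS:
                        findings.append(("unapproved-mcp", f"{here}.{name}", url))
            elif "hook" in key.lower() and value:
                # Any hook definition needs human review before it is trusted.
                findings.append(("hook-present", here, json.dumps(value)[:80]))
            else:
                findings += audit(value, here)
    return findings

def safe_to_rotate(config):
    return not audit(config)  # clean the file first, rotate tokens after

if __name__ == "__main__":
    path = pathlib.Path.home() / ".claude.json"
    cfg = json.loads(path.read_text()) if path.exists() else SAMPLE
    print(*audit(cfg), f"safe to rotate tokens: {safe_to_rotate(cfg)}", sep="\n")
```

Run on a schedule or from a file-integrity alert, a non-empty result is the signal to remove the hook and restore the endpoints before any credential is reissued.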

The post Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens appeared first on Cyber Security News.

Source: cybersecuritynews.com