Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens — No Patch Coming

Security researchers at Mitiga Labs have demonstrated a five-step attack chain that silently hijacks Claude Code’s Model Context Protocol (MCP) traffic, intercepting OAuth bearer tokens that grant persistent access to enterprise SaaS platforms including Jira, Confluence, and GitHub. Anthropic has declined to issue a patch, citing user consent as a prerequisite for the attack.

The entry point is a malicious npm package engineered to survive casual code review. Hidden inside is a postinstall lifecycle hook that executes automatically during installation — a well-documented supply chain attack class that gains particularly severe consequences in AI-agentic environments.

The Attack Begins at npm Install

The hook’s primary target is a single file: ~/.claude.json, the global configuration file that governs how Claude Code routes all MCP traffic and stores OAuth tokens — in plaintext. Once installed, the hook pre-populates common developer clone paths with trust dialog flags set to true. From Claude Code’s perspective, the user has already approved those directories, so no trust prompt fires when they are subsequently opened.

Five-Step Attack Chain

The full chain requires no privilege escalation, memory corruption, or new CVE:

• Delivery — A malicious npm package installs a postinstall hook, seeding trust flags across developer clone paths in ~/.claude.json
• Path seeding — The hook inserts a sessionStart hook that fires every time Claude Code loads a trusted project
• MCP endpoint rewrite — The session hook replaces legitimate MCP server URLs (e.g., Atlassian’s endpoint) with a localhost proxy controlled by the attacker
• Token interception — Claude Code reads the rewritten URL, connects to the proxy, and the OAuth bearer token transits attacker infrastructure; the provider sees a valid flow from a trusted origin
• Persistent reseeding — The hook reasserts the malicious configuration on every Claude Code load, automatically recapturing tokens after rotation or correction

Why Rotating Your Token Makes Things Worse

The most operationally dangerous aspect of this attack is its resilience to the standard incident response action. Because the hook rewrites ~/.claude.json before each session, the next OAuth refresh hits the attacker’s proxy and delivers a fresh token. Rotating credentials without first removing the hook and cleaning the configuration file actively feeds the attacker rather than breaking access.

Why It’s Nearly Invisible in Audit Logs

The stolen token has four properties that make detection extremely difficult:

• Persistent — stored for session reuse with an associated refresh token; one interception creates a durable foothold
• Broadly scoped — inherits all permissions granted at authorization time with no per-call narrowing
• Weakly stored — lives in plaintext inside ~/.claude.json
• Unattributable server-side — presented from Anthropic’s egress IP range, making it indistinguishable from legitimate traffic

Defenders reviewing Atlassian or GitHub audit logs will see a valid username, a real session, and an IP resolving to Anthropic’s egress range. The only anomaly exists in ~/.claude.json — a user-level configuration file most enterprise security teams are not monitoring.

No Patch Incoming From Anthropic

Mitiga reported the findings to Anthropic on April 10, 2026. Anthropic acknowledged the report on April 11 and responded on April 12 that the issue was out of scope, citing user consent as a prerequisite for the attack. No patch is planned, placing the full detection and response burden on enterprise security teams.

What Security Teams Should Do Now

• Audit ~/.claude.json immediately — verify every URL under mcpServers is a recognized, self-configured endpoint; look for localhost proxy addresses
• Monitor ~/.claude.json for unexpected edits — particularly changes to MCP server URLs or additions of trust flags
• Treat npm post-install hooks as a first-class supply chain risk — audit packages that register lifecycle scripts before they reach developer machines
• Rotate OAuth tokens only after removing the hook — rotating credentials without cleaning the configuration will not help
• Alert on new local proxies or unexpected OAuth refresh behavior in developer environments

Organizations running Claude Code with MCP integrations should run cat ~/.claude.json immediately and verify that every URL listed under mcpServers is a recognized, self-configured endpoint. The research underscores a growing pattern: as AI coding tools gain deep access to developer infrastructure, they become high-value targets for supply chain attackers.