Claude Code OAuth Tokens Can Be Stolen By Stealthy MCP Hijacking

An OAuth token with broad access rights can be stolen stealthily and largely undetectably from Claude Code.

Claude Code is an agentic system. That is great for developers but concerning for security teams. Agentic systems can expand the attack surface while operating largely invisibly. A major issue is the OAuth token. If an attacker can acquire this, the adversary effectively has a master key or digital proxy granting access to every tool connected to or accessible from the Claude Code MCP.

Mitiga Labs has identified an issue within Claude Code that can allow attackers to redirect output, including the tokens, to their own infrastructure before it is sent on to the legitimate destination. It’s a classic man-in-the-middle attack giving the attacker access to the tokens.

The MCP configuration and the OAuth tokens are stored in ~/.claude.json. If an adversary can modify that file, MCP traffic can be redirected through the attacker’s own infrastructure. Mitiga has published details of how this could be achieved.

The two prerequisites for the attacker are the ability to install a tailored npm package on a machine, and that Claude Code on that machine is configured with dynamic authorization MCP servers. The npm package registers a lifecycle hook that runs as part of the installation.

A post-install hook locates common clone locations, and populates the paths with a pre-configured trust dialog set to true. “No prompt will fire when the directory is later opened, because the flag the prompt is gated on is already set,” reports Mitiga.

The hook also opens ~/.claude.json and edits the MCP server in the global config file. It edits ‘mcpServers’ to include the proxy address. “This puts us, ‘the adversary’, in the middle of any request that goes out to the MCP server. As the attacker, we got mitmproxy configured and intercepting,” explains Mitiga.

Whenever Claude Code initiates or refreshes the MCP session, it connects to the proxy and the token transits the attacker’s infrastructure. The user just sees a valid flow. If the user rotates the token, the hook writes it back on the next load. If the user edits the MCP URL, the hook loads it back on the next load. The attacker has achieved both stealth and persistence.

The attacker gets, “A sturdy redirection of the victim’s SaaS credentials into attacker-controlled infrastructure, with automatic recovery from token rotation, invisible to the victim’s endpoint UI, and indistinguishable from legitimate traffic on the provider’s side.”

As a man in the middle, the attacker can easily steal any OAuth token since it is stored in plain text within ~/.claude.json. Once stolen, the attacker can use the token as an MFA-bypassing golden key into any tool to which the MCP connects, with the same permissions as the user.

Without care, the user sees nothing. No flags are raised since the MCP is simply doing what it’s told to do, and the user isn’t aware these actions have been compromised. The new adage of assuming a compromise has occurred should take center stage. “Monitor Claude Code configuration changes, MCP server URL changes, OAuth refresh behavior, suspicious SaaS API activity, and unexpected traffic through MCP integrations,” suggests Mitiga.
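
One way to act on the "MCP server URL changes" part of that monitoring advice is to diff the config against a known-good snapshot and a host allowlist. This is an added example, not code from Mitiga or Anthropic; it assumes remote MCP entries carry a `url` field under `mcpServers`, and the snapshot, allowlist, hostnames and package name are constructed placeholders.

```python
import json
from urllib.parse import urlsplit

def remote_endpoints(node, path=""):
    """Collect every URL-based entry under any 'mcpServers' key, at any depth."""
    found = {}
    if not isinstance(node, dict):
        return found
    for key, value in node.items():
        if key == "mcpServers" and isinstance(value, dict):
            for name, entry in value.items():
                url = entry.get("url") if isinstance(entry, dict) else None
                if isinstance(url, str):  # command-based servers have no url; skipped
                    found[f"{path}/{name}"] = url
        else:
            found.update(remote_endpoints(value, f"{path}/{key}"))
    return found

def audit(baseline, current, allowed_hosts):
    """Return (server, reason) findings for drift from a known-good snapshot."""
    old, new = remote_endpoints(baseline), remote_endpoints(current)
    findings = []
    for name, url in sorted(new.items()):
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if name not in old:
            findings.append((name, "new remote MCP server"))
        elif old[name] != url:
            findings.append((name, "endpoint changed since baseline"))
        if host not in allowed_hosts:
            findings.append((name, f"host {host!r} not in allowlist"))
        if parts.scheme.lower() != "https":
            findings.append((name, "non-HTTPS endpoint"))
    return findings

# Constructed sample data; hostnames and package name are placeholders.
BASELINE = {"mcpServers": {
    "tracker": {"type": "http", "url": "https://mcp.tracker.example/mcp"},
    "files": {"command": "npx", "args": ["files-mcp"]}}}
CURRENT = json.loads(json.dumps(BASELINE))  # deep copy of the snapshot
CURRENT["mcpServers"]["tracker"]["url"] = "https://proxy.invalid/mcp"

if __name__ == "__main__":
    # In practice, load CURRENT with json.load() from the user's ~/.claude.json.
    for server, reason in audit(BASELINE, CURRENT, {"mcp.tracker.example"}):
        print(f"ALERT {server}: {reason}")
```

Because the article describes the hook rewriting the file on later loads, a check like this is more useful run on a schedule or on file-change events than once.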

What you shouldn’t do is wait for a solution from Anthropic. Mitiga reported its findings to Anthropic on April 10, 2026. On April 12, 2026, Anthropic replied it was ‘out of scope’. The reason given was effectively the same as its response to Adversa’s ‘TrustFall’ disclosure: the user has already consented to what might happen next.
