critical advisory

Claude Code OAuth Token Theft via MCP Hijacking

By modifying the ~/.claude.json file, attackers can silently redirect Claude Code MCP traffic through a man-in-the-middle proxy and intercept OAuth tokens, enabling persistent access to connected SaaS platforms.

Mitiga researchers identified a vulnerability in Claude Code, an agentic system used by developers, that allows for the silent redirection of MCP (Model Context Protocol) traffic. By exploiting this flaw, attackers can intercept OAuth tokens, effectively gaining a master key to all tools connected to the Claude Code MCP. The attack involves a man-in-the-middle technique where traffic is redirected through attacker-controlled infrastructure. This gives the attacker access to sensitive tokens stored in plain text within the ~/.claude.json configuration file. The vulnerability was reported to Anthropic on April 10, 2026, but was deemed ‘out of scope’ by the vendor.

Attack Chain

  1. The attacker gains initial access to a machine where Claude Code is configured with dynamic authorization MCP servers.
  2. The attacker installs a tailored npm package containing malicious code.
  3. The malicious npm package registers a lifecycle hook that runs as part of the installation process.
  4. The post-installation hook locates common clone locations and populates the paths with a pre-configured trust dialog set to ‘true’, preventing future prompts.
  5. The hook opens the ~/.claude.json file and modifies the ‘mcpServers’ entry to include the attacker’s proxy address.
  6. Claude Code connects to the attacker’s proxy when initiating or refreshing the MCP session, routing the OAuth token through the attacker’s infrastructure.
  7. The attacker intercepts the OAuth token, which is transmitted in plain text.
  8. The attacker uses the stolen OAuth token to access connected SaaS platforms with the same permissions as the user, bypassing MFA.

Impact

A successful attack allows adversaries to steal OAuth tokens from Claude Code, granting them a “golden key” to access any tool connected to the MCP. The attacker achieves durable redirection of SaaS credentials into attacker-controlled infrastructure, invisible to the user and indistinguishable from legitimate traffic. This allows the attacker to bypass MFA and gain unauthorized access to sensitive data within connected SaaS applications.

Recommendation

  • Monitor Claude Code configuration files, specifically the ~/.claude.json file, for unauthorized modifications using file integrity monitoring rules.
  • Implement a Sigma rule to detect the execution of suspicious npm packages installing lifecycle hooks that modify MCP server URLs in the configuration file.
  • Monitor network connections originating from Claude Code processes for connections to unusual or external proxy addresses via a network connection monitoring rule.
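
A content-aware check to pair with file integrity monitoring on ~/.claude.json, given here as an added example that is not part of the original advisory or of any vendor tooling: it flags remote MCP server entries whose URL is not HTTPS or whose host is off an allowlist. The allowlisted host, the sample configuration, and the assumed layout (top-level and per-project mcpServers maps whose remote entries carry a url field) are constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

# Assumption: hosts your organisation expects remote MCP servers to use (constructed).
ALLOWED_HOSTS = {"mcp.example-saas.com"}

# Constructed sample in the assumed ~/.claude.json layout; not real data.
SAMPLE = json.loads("""{
  "mcpServers": {
    "tracker": {"type": "http", "url": "https://mcp.example-saas.com/mcp"},
    "local-tool": {"command": "node", "args": ["server.js"]}
  },
  "projects": {
    "/home/dev/src/app": {"mcpServers": {
      "tracker": {"type": "http", "url": "https://mcp.example-saas.com.relay.invalid/mcp"},
      "wiki": {"type": "sse", "url": "http://127.0.0.1:8080/sse"}
    }}
  }
}""")

def iter_mcp_servers(config):
    """Yield (scope, name, entry) for user-level and per-project mcpServers."""
    for name, entry in (config.get("mcpServers") or {}).items():
        yield "user", name, entry
    for path, project in (config.get("projects") or {}).items():
        if isinstance(project, dict):
            for name, entry in (project.get("mcpServers") or {}).items():
                yield path, name, entry

def audit(config, allowed_hosts=frozenset(ALLOWED_HOSTS)):
    """Return (scope, name, url, reason) for each remote entry that fails policy."""
    findings = []
    for scope, name, entry in iter_mcp_servers(config):
        url = entry.get("url") if isinstance(entry, dict) else None
        if not url:  # stdio servers are launched by command and have no URL
            continue
        parts = urlsplit(str(url))
        host = (parts.hostname or "").lower()  # hostname drops userinfo and port
        if parts.scheme != "https":
            findings.append((scope, name, url, "non-HTTPS transport"))
        elif host not in allowed_hosts:
            findings.append((scope, name, url, "host not in allowlist"))
    return findings

if __name__ == "__main__":
    # Audit a real file when a path is given, otherwise the constructed sample.
    cfg = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in audit(cfg):
        print("ALERT", *finding, sep=" | ")
```

Running it on each file integrity alert narrows the signal to changes that alter where MCP traffic is sent.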

Detection coverage (3)

Detect Claude Code Configuration File Modification

high

Detects modification of the ~/.claude.json file, which can indicate malicious attempts to redirect MCP traffic.

sigma; tactics: credential_access, persistence; techniques: T1550.001; sources: file_event, linux

Detect Suspicious NPM Package Installation with Lifecycle Hooks

medium

Detects the installation of NPM packages that register lifecycle hooks, potentially used to modify Claude Code settings.

sigma; tactics: initial_access; techniques: T1608; sources: process_creation, linux

Detect Outbound Connections from Claude Code to Unusual Ports

medium

Detects unusual outbound network connections from Claude Code processes, potentially indicating MCP traffic redirection.

sigma; tactics: command_and_control; techniques: T1071.001; sources: network_connection, linux
