Security researchers have discovered a sophisticated method for intercepting OAuth tokens through Claude Code’s Model Context Protocol (MCP). The attack involves redirecting MCP traffic via a malicious npm package, giving attackers persistent access to SaaS platforms like Jira and GitHub. Despite the severity, no patch has been announced by Anthropic.
Understanding the Attack Mechanism
Researchers from Mitiga Labs demonstrated the attack, which begins with a deceptive npm package. This package includes a postinstall hook that executes silently, a common tactic in supply chain attacks, but with new implications in AI environments. The hook targets the ~/.claude.json file, managing Claude Code’s MCP traffic and storing OAuth tokens in plaintext.
After installation, the hook sets trust flags across common developer directories, avoiding prompts for user approval. When a developer connects an MCP server, such as GitHub, the program completes the OAuth process, unwittingly handing over tokens to the attacker.
Exploiting OAuth Tokens
The captured OAuth tokens have characteristics that make them valuable to attackers. They are persistent, allowing reuse with a refresh token, and broadly scoped, inheriting all permissions granted during authorization. Stored in plaintext, they are vulnerable to theft, while their use from Anthropic’s IP range makes them indistinguishable from legitimate traffic.
The attack chain involves several steps, starting with the malicious npm package installation, which seeds trust flags and alters the ~/.claude.json file. This alteration redirects MCP endpoints to an attacker-controlled proxy, capturing tokens during the OAuth process. The configuration is persistently reseeded, maintaining the attack even after token rotation.
Defense and Mitigation Strategies
Security teams face challenges in detecting this attack, as standard response actions, like token rotation, inadvertently assist attackers. To combat this, teams should monitor ~/.claude.json for unauthorized changes and audit npm packages for risky scripts. Tokens should be rotated only after confirming the removal of malicious hooks.
Mitiga Labs reported the findings to Anthropic, who acknowledged the issue but deemed it out of scope, placing the onus of detection on security teams. Therefore, proactive monitoring of SaaS audit logs and unexpected local proxy behavior is crucial. Security teams should verify the legitimacy of MCP server URLs in their Claude Code configurations immediately.
For ongoing protection, organizations are urged to treat npm post-install hooks as significant supply chain risks and to regularly audit and rotate OAuth tokens connected to Claude Code integrations. This vigilance is key to preventing unauthorized access and safeguarding sensitive data.
