Recent revelations have highlighted potential security vulnerabilities in Claude Code, primarily concerning the stealthy theft of OAuth tokens. These tokens, which grant extensive access rights, can be intercepted unnoticed, posing significant risks to users.
Understanding the Risks of Agentic Systems
Claude Code operates as an agentic system, offering flexibility to developers but simultaneously increasing security concerns. The central issue lies with OAuth tokens, which, if compromised, serve as a digital master key. This token enables attackers to access all connected tools, raising alarms about the system’s vulnerability to undetected intrusions.
Mitiga Labs’ Findings on Token Interception
Mitiga Labs has identified a method by which attackers can redirect data, including OAuth tokens, to their infrastructure. This redirection occurs before the data reaches its intended destination, effectively executing a man-in-the-middle attack. Such an attack allows adversaries to intercept and misuse tokens stored in the ~/.claude.json configuration file.
The attack requires specific conditions: the installation of a customized npm on a system configured with dynamic authorization MCP servers. The npm installation creates a lifecycle hook, altering default settings without user awareness.
Persistent and Undetectable Threats
Once the npm hook is in place, it manipulates the Claude Code configuration file, inserting a proxy server address. This redirection enables attackers to intercept OAuth tokens during any interaction with MCP servers. The process is seamless, appearing legitimate to end-users, even when tokens are rotated or MCP URLs are modified.
Mitiga emphasizes the importance of vigilance, advising users to monitor changes in Claude Code configurations, OAuth refresh patterns, and any unusual SaaS API activities. These measures are crucial since the attack remains invisible to users and indistinguishable from standard operations.
Anthropic’s Response and Mitigation Strategies
Mitiga reported these vulnerabilities to Claude Code’s parent company, Anthropic, who deemed the issue outside their scope. This response mirrors previous stances taken on similar disclosures, suggesting users assume potential compromise and proactively safeguard their systems.
As this issue gains attention, the cybersecurity community urges immediate action. Users are advised not to wait for official solutions but instead implement monitoring and controls to mitigate these risks. The broader implications of such vulnerabilities underscore the need for comprehensive security strategies in handling OAuth tokens and agentic systems.
