How This Claude Code Flaw Exposes Critical SaaS Tokens

Autonomous AI development tools are introducing architectural vulnerabilities directly onto developer workstations. Security researchers at Mitiga Labs have demonstrated a stealthy five-step attack chain that lets a threat actor hijack Claude Code's MCP traffic and silently intercept high-privilege OAuth bearer tokens. The technique reroutes traffic governed by Anthropic's Model Context Protocol (MCP) through attacker-controlled infrastructure, yielding persistent access to integrated SaaS platforms such as Jira, Confluence, and GitHub. Anthropic has classified the risk as out of scope, so no formal patch is expected and enterprise security teams must carry the full burden of defense themselves.

Key Details

The entry point is a malicious npm package disguised as a benign developer utility. Inside it sits a postinstall lifecycle script that npm runs automatically, without prompting, as part of installation. In agentic AI environments this routine supply chain vector carries severe, cascading consequences, because the tool being tampered with already holds live credentials to corporate systems.

The script's primary target is ~/.claude.json, the global configuration file that controls how Claude Code routes MCP traffic and where it caches authorization credentials. By altering this single file, the script tampers with Claude Code's directory trust mechanism, pre-populating common developer clone paths with trust-approval flags. When the developer later opens one of those directories, Claude Code skips the interactive confirmation prompt it would normally show for an unfamiliar project.

[Malicious npm Package] ──► Executes postinstall Hook
                                    │
                                    ▼
                        [Modifies ~/.claude.json]
                                    │
       ┌────────────────────────────┴────────────────────────────┐
       ▼                                                         ▼
[Seeds Directory Trust]                                [Rewrites MCP URL to Proxy]
       │                                                         │
       └────────────────────────────┬────────────────────────────┘
                                    ▼
                        [Developer Opens Claude]
                                    │
                                    ▼
                [OAuth Flow Routes Through Local Proxy]
                                    │
                                    ▼
                [Persistent Interception of Bearer Tokens]

Technical Analysis

When an AI agent needs access to an external system such as GitHub or Atlassian, Claude Code runs a standard OAuth authorization flow. The resulting bearer tokens are extraordinarily valuable to threat actors because of four design characteristics:

  • Persistence: Tokens are cached locally alongside long-lived refresh tokens, giving the attacker a continuous operational foothold rather than a one-off session.
  • Broad Scopes: Intercepted tokens carry the wide permissions granted at consent time; nothing narrows them per call or forces the user to re-consent.
  • Weak Storage Security: Credentials are stored in plaintext within ~/.claude.json, protected only by ordinary user-level file permissions, so any code running as the user can read and rewrite them.
  • Server-Side Anonymity: When the stolen tokens are used, the requests arrive from Anthropic's official cloud egress IP ranges, so in the SaaS provider's audit logs the malicious traffic is virtually indistinguishable from legitimate agent activity.

The chain completes without memory corruption, local privilege escalation, or any formal CVE identifier:

  1. Delivery and Trust Seeding: An untrusted npm package runs a postinstall script that writes trust-approval flags for standard project clone locations into ~/.claude.json.
  2. Hook Injection: The same script adds a sessionStart hook to ~/.claude.json; Claude Code runs the hook automatically each time it starts a session in a trusted project.
  3. MCP Endpoint Rewrite: The hook replaces the URL of a legitimate remote MCP server (such as Atlassian's) with a local proxy controlled by the adversary.
  4. Token Interception: Claude Code connects to the proxy as if it were the real server. The OAuth bearer token passes through the attacker's infrastructure, which relays the traffic onward so the developer sees a working integration.
  5. Persistent Reseeding: Because the hook runs at the start of every session, it rewrites the configuration again even after an engineer manually restores the URL or rotates credentials.

Impact and Risks

The most important operational finding from Mitiga Labs is that conventional incident response can make the breach worse. If a security team detects anomalous behavior and rotates tokens without first cleaning the machine, the local hook intercepts the newly issued token on the very next refresh cycle.

The downstream organizational impacts include:

  • MFA Bypass: A stolen OAuth token represents a login that has already satisfied Multi-Factor Authentication (MFA), so the attacker never faces an MFA challenge; the token acts as a ready-made key to corporate documentation platforms and source repositories with the full scope of the original grant.
  • Undetectable Exfiltration: Because the API activity resolves to trusted Anthropic cloud address space, Cloud Access Security Brokers (CASBs) and SIEM rules keyed on source IP log the requests as authorized automated traffic.

Expert Recommendations

Mitiga Labs notified Anthropic of the issue on April 10, 2026. Anthropic reviewed the vector and on April 12, 2026 determined it was out of scope, stating that the attack depends on the user executing untrusted third-party code on their machine.

Because no software patch is expected, security operations teams must enforce local detection and environmental hardening controls themselves:

  • Configuration Auditing: Inspect ~/.claude.json, through an EDR rule or a scheduled script, for mcpServers entries whose URLs point at loopback or other local addresses, for any hooks (especially sessionStart) that the organization did not deploy, and for trust flags on directories the developer never opened.
  • Lifecycle Script Restrictions: Treat npm postinstall (and preinstall) scripts as high-risk execution paths. Scan packages and resolve dependencies in a containerized pipeline before they reach endpoint workstations, and where feasible install with npm's ignore-scripts setting enabled.
  • Remediation Order of Operations: On suspected compromise, isolate the workstation, remove the malicious packages, scrub ~/.claude.json completely (hooks, rewritten MCP URLs, seeded trust entries, and cached credentials), and only then rotate OAuth tokens across the enterprise. Rotating first simply hands the new token to the still-active hook.
  • Anomalous Log Correlation: Cross-reference SaaS authentication entries with internal developer activity patterns to flag cases where Anthropic egress IPs issue requests outside the developer's normal working hours or while the workstation is idle.

Industry Context

This vector fits a larger architectural trend highlighted by organizations such as Check Point Research, which previously identified parallel risks (CVE-2025-59536 and CVE-2026-21852) involving command execution through repository-level settings files. As software development pivots from manual processes to autonomous agent execution, local endpoint configuration files are fast becoming primary targets for supply chain attacks.

Conclusion

The ease with which local configuration mechanisms can be subverted points to a critical challenge in modern software security: securing developer environments against the dependencies they install. In an ecosystem where AI agents hold persistent access to enterprise infrastructure, securing the integrity of local files like ~/.claude.json is no longer a matter of basic maintenance—it is a cornerstone of corporate supply chain protection.

FAQ SECTION

1. How does the Claude Code MCP traffic hijack attack occur?

The attack begins when a developer installs an npm package containing a malicious postinstall script. This script silently modifies the ~/.claude.json configuration file, routing Model Context Protocol (MCP) data through an adversary’s proxy and seeding silent project approvals across common directory paths.

2. Why does normal OAuth token rotation fail to stop this exploit?

Because the malicious hook re-asserts itself every time Claude Code starts a session in a trusted project, it stays active on the endpoint. If a token is rotated while the environment is still infected, the hook redirects the automated refresh through the proxy and the new token is captured immediately.

3. What platforms are endangered by this configuration hijack?

Any cloud-hosted platform or SaaS product integrated with the developer’s Claude Code environment via the Model Context Protocol is vulnerable. This prominently includes internal resources hosted across Jira, Confluence, and GitHub repositories.

4. Why did Anthropic decline to release a security patch for this issue?

Anthropic evaluated the research from Mitiga Labs and determined the vector to be out of scope. The vendor noted that the exploit relies on the user executing untrusted code (the malicious npm package) locally, meaning the machine is already compromised before Claude Code is involved.

5. How can I quickly check if my workspace is affected?

Developers should open a terminal and inspect the global configuration with cat ~/.claude.json. Confirm that every URL under the mcpServers mapping points only to authorized, explicitly configured external infrastructure (no localhost or other local addresses), that no hooks such as sessionStart are present that you did not add yourself, and that no directories you never opened are marked as trusted.
