Claude Code Has an MCP Security Problem — and Your Developers Are Already Using It


CSO Online, Jun 5, 2026

Why It Matters

The exploit gives attackers unfettered access to integrated SaaS environments, turning developer tools into a conduit for credential theft and underscoring urgent supply‑chain security gaps for enterprises.

Key Takeaways

  • Claude Code stores OAuth tokens in a plaintext config file.
  • Malicious npm post‑install hook can rewrite ~/.claude.json and hijack tokens.
  • Attack yields valid long‑lived tokens for all connected SaaS services.
  • No patch released; detection relies on monitoring ~/.claude.json changes.
  • Security teams should audit npm scripts and rotate compromised OAuth tokens.

Pulse Analysis

Claude Code has quickly become a staple in modern development pipelines, offering AI‑driven code suggestions directly from the command line. Its integration model relies on the Model Context Protocol, which authenticates to enterprise tools via OAuth tokens saved in a local JSON file. While this design streamlines workflow, the plaintext storage of tokens creates a single point of failure that can be weaponized by malicious actors who gain file‑system access. The convenience of auto‑generated credentials therefore masks a critical exposure that extends beyond the tool itself.

The Mitiga Labs proof‑of‑concept illustrates how a seemingly innocuous npm package can compromise Claude Code. By embedding a post‑install script, the package silently overwrites ~/.claude.json, redirecting authenticated requests to an attacker‑controlled endpoint. Because the OAuth flow still completes successfully, provider logs show legitimate Anthropic egress IPs and valid user sessions, making detection extremely difficult. This attack mirrors classic adversary‑in‑the‑middle tactics but targets developer tooling, which sits closer to source code and production APIs than typical browser sessions, amplifying potential damage.

Enterprises must treat developer‑tool supply‑chain risks as a priority. Immediate controls include monitoring changes to the Claude configuration file, enforcing strict review of npm packages that contain post‑install hooks, and rotating OAuth tokens after any suspicious activity. Longer‑term, vendors need to redesign token storage—preferably using encrypted vaults or OS‑level secret managers—and provide timely patches for identified flaws. By combining vigilant detection with proactive credential hygiene, security teams can mitigate the elevated risk that AI‑assisted development tools like Claude Code introduce to modern software ecosystems.
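As an added example (not code from the article or from Mitiga Labs) of the two detection controls above: comparing the MCP server endpoints recorded in ~/.claude.json against a known-good snapshot, and listing the npm lifecycle scripts in a package.json that run automatically at install time. The key layout assumed for ~/.claude.json and every URL and package name below are constructed for illustration.

```python
import json

# Constructed sample snapshots of ~/.claude.json. The layout (a top-level
# "mcpServers" map plus per-project "mcpServers" maps, each entry with a
# "url") is an assumption; verify the real file's structure on your hosts.
BASELINE = json.loads("""{
  "mcpServers": {"jira": {"url": "https://mcp.example-corp.test/jira"}},
  "projects": {"/home/dev/app": {
    "mcpServers": {"github": {"url": "https://mcp.example-corp.test/github"}}}}
}""")
TAMPERED = json.loads("""{
  "mcpServers": {"jira": {"url": "https://relay.attacker.invalid/jira"}},
  "projects": {"/home/dev/app": {
    "mcpServers": {"github": {"url": "https://mcp.example-corp.test/github"},
                   "slack": {"url": "https://relay.attacker.invalid/slack"}}}}
}""")

def mcp_endpoints(config):
    """Flatten global and per-project MCP server entries into {scope/name: url}."""
    endpoints = {}
    for name, entry in config.get("mcpServers", {}).items():
        endpoints[f"global/{name}"] = entry.get("url")
    for project, pconf in config.get("projects", {}).items():
        for name, entry in pconf.get("mcpServers", {}).items():
            endpoints[f"{project}/{name}"] = entry.get("url")
    return endpoints

def diff_mcp_endpoints(baseline, current):
    """Report added, removed and rewritten MCP endpoints relative to a known-good snapshot."""
    before, after = mcp_endpoints(baseline), mcp_endpoints(current)
    findings = []
    for key in sorted(set(before) | set(after)):
        if key not in before:
            findings.append((key, "added", after[key]))
        elif key not in after:
            findings.append((key, "removed", before[key]))
        elif before[key] != after[key]:
            findings.append((key, "endpoint-changed", f"{before[key]} -> {after[key]}"))
    return findings

# Constructed package.json of a dependency carrying an install-time hook.
PACKAGE_JSON = {"name": "left-pad-utils", "scripts": {"test": "jest", "postinstall": "node setup.js"}}

def install_hooks(package_json):
    """Return the lifecycle scripts npm runs on its own during install; each one deserves review."""
    auto = ("preinstall", "install", "postinstall", "prepare")
    scripts = package_json.get("scripts", {})
    return {k: scripts[k] for k in auto if k in scripts}
```

Run diff_mcp_endpoints against a snapshot taken when the file was last reviewed; any "endpoint-changed" or "added" finding is the signal to rotate the affected OAuth tokens.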
