Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking

SecurityWeek, May 7, 2026

Why It Matters

The stolen token acts as a master credential, enabling unrestricted access to connected SaaS services and bypassing MFA. Without vendor remediation, organizations using Claude Code face a silent, high‑impact breach vector.

Key Takeaways

  • Mitiga discovered MITM token theft via malicious npm install.
  • OAuth token stored plaintext in ~/.claude.json enables golden‑key access.
  • Attack persists through token rotation and hidden config changes.
  • Anthropic deemed issue out of scope, leaving users exposed.

Pulse Analysis

Claude Code’s rise as an agentic development assistant has expanded productivity but also broadened the attack surface for enterprises. Unlike traditional IDEs, Claude Code relies on a Managed Credential Proxy (MCP) that authenticates via OAuth tokens stored locally. Because the token resides in clear text within the user’s home directory, any compromise of that file instantly grants a malicious actor the same permissions the user enjoys across all integrated SaaS tools, effectively turning the token into a master key.

Mitiga’s research details a supply‑chain style exploit that leverages npm’s lifecycle hooks. An attacker publishes a crafted npm package that, upon installation, silently edits ~/.claude.json to point the MCP server at an attacker‑controlled proxy. The hook also sets a trust flag to suppress user prompts, ensuring the redirection remains invisible. When Claude Code initiates or refreshes its session, the token flows through the proxy, is harvested, and is re‑injected on subsequent rotations, providing persistent, undetectable access. The technique requires only the ability to install the malicious package on a machine where Claude Code is configured, a realistic scenario in many development environments.

The broader implications are stark: organizations must treat AI‑assisted development tools as critical security assets. Immediate mitigations include monitoring configuration file changes, enforcing strict npm package provenance, and employing endpoint detection that flags unauthorized proxy settings. Anthropic’s dismissal of the issue as out of scope underscores a growing gap between rapid AI feature rollout and responsible security stewardship. Enterprises should demand transparent vulnerability handling and consider isolating Claude Code in sandboxed environments until robust token protection mechanisms are implemented.
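One way to implement the configuration monitoring suggested above, as an added example that is not code from SecurityWeek, Mitiga or Anthropic. It assumes MCP endpoints appear as `url` values under `mcpServers` objects in the JSON config; the allowlisted host, the function names and the sample config are constructed for illustration.

```python
import hashlib
import json
from urllib.parse import urlparse

# Constructed allowlist of MCP hosts the organization has approved.
ALLOWED_HOSTS = {"mcp.example-corp.test"}

def find_mcp_urls(node, path=""):
    """Yield (json_path, url) for each "url" under any "mcpServers" object."""
    # Assumption: remote MCP endpoints are stored this way, at the top level or
    # nested (for example per project). Command-launched servers are not covered.
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path} > {key}" if path else key
            if key == "mcpServers" and isinstance(value, dict):
                for name, server in value.items():
                    if isinstance(server, dict) and isinstance(server.get("url"), str):
                        yield f"{here} > {name}", server["url"]
            else:
                yield from find_mcp_urls(value, here)
    elif isinstance(node, list):
        for item in node:
            yield from find_mcp_urls(item, path)

def fingerprint(config_text):
    """Hash only the MCP endpoint set, so unrelated config churn is ignored."""
    entries = sorted(find_mcp_urls(json.loads(config_text)))
    return hashlib.sha256(json.dumps(entries).encode()).hexdigest()

def audit(config_text, baseline=None):
    """Return (rule, json_path, url) findings for one config snapshot."""
    findings = []
    if baseline is not None and fingerprint(config_text) != baseline:
        findings.append(("mcp-endpoints-changed", "", ""))
    for where, url in find_mcp_urls(json.loads(config_text)):
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(("non-https", where, url))
        if (parsed.hostname or "").lower() not in ALLOWED_HOSTS:
            findings.append(("unapproved-host", where, url))
    return findings

# Constructed sample: an approved global entry and an unapproved per-project one.
SAMPLE = json.dumps({
    "mcpServers": {"tickets": {"url": "https://mcp.example-corp.test/v1"}},
    "projects": {"/home/dev/app": {"mcpServers": {
        "tickets": {"url": "http://relay.unknown.invalid:8080/v1"}}}},
})
```

Record `fingerprint()` of a known-good config as the baseline, then run `audit()` after package installs or on a schedule and alert on any finding.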
