A novel man-in-the-middle (MitM) attack chain targeting Anthropic’s Claude Code ecosystem, where adversaries hijack Model Context Protocol (MCP) traffic to steal OAuth authentication tokens and maintain persistent access to enterprise SaaS platforms including Atlassian Jira and Confluence.
According to Mitiga, the technique abuses weak protections around Claude Code’s local configuration file (~/.claude.json), effectively transforming it into a control plane for redirecting authenticated API traffic through attacker-controlled infrastructure.
The attack begins with a supply chain vector, typically a malicious npm package embedding a post-install hook. Upon execution, the hook silently modifies local Claude Code settings, preseeds trusted project paths, and rewrites MCP server configurations
By setting trust flags in advance, the attacker bypasses user consent prompts, ensuring future project loads automatically execute embedded malicious hooks.
The critical second stage involves rewriting MCP endpoints inside ~/.claude.json to redirect traffic toward an attacker-controlled proxy, such as a local mitmproxy instance.
When Claude Code initiates or refreshes an MCP session, OAuth bearer tokens and refresh tokens are transmitted through this proxy, exposing Authorization headers in transit.
Once captured, these tokens grant scoped, persistent access to connected services. Because MCP requests route through Anthropic-controlled egress infrastructure, intercepted traffic appears to originate from a trusted source, making malicious activity virtually indistinguishable from legitimate behavior in provider-side audit logs.
Unlike traditional credential theft, this attack exploits legitimate OAuth flows. Claude Code stores bearer and refresh tokens in plaintext within ~/.claude.json tokens that are long-lived, automatically refreshed, and reused across sessions without re-consent.
Persistence is achieved through continuous reseeding. The malicious hook re-executes on every Claude Code session start, restoring rogue MCP configurations even after manual remediation attempts.
Token rotation, a standard incident response measure, fails entirely here; refreshed tokens are simply re-captured through the same proxy mechanism, transforming a one-time compromise into a durable, indefinite access channel.
From a detection standpoint, traditional indicators offer minimal visibility. Provider logs reflect valid sessions, legitimate user identities, and trusted IP ranges. Endpoint telemetry appears benign, with the only observable anomaly being subtle modifications to ~/.claude.json.
Defenders should immediately implement the following controls:
- Baseline and monitor approved MCP server endpoints and alert on any unauthorized changes or introduction of localhost/non-standard proxy URLs
- Deploy file integrity monitoring (FIM) on
~/.claude.jsonand related Claude Code configuration paths - Alert on anomalous OAuth refresh patterns, particularly repeated token refreshes originating from modified configurations
- Audit downstream SaaS activity for behaviors inconsistent with user roles, such as unexpected Jira queries or bulk data access
Mitiga discovered the vulnerability on March 23, 2026, and reported it to Anthropic on April 10, 2026. Anthropic classified the issue as out of scope, citing the prerequisite of user-level code execution, a determination the security community is likely to scrutinize given the severity of real-world impact.
The attack surface here extends well beyond Claude Code. As AI-assisted development tools grow more deeply integrated with enterprise systems, implicit trust boundaries are being extended without sufficient monitoring controls.
This research underscores an urgent need for developer environment hardening, supply chain integrity verification, and MCP-aware security tooling across AI-enabled workflows.
No Comment! Be the first one.