Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking

Mitiga researchers say attackers can silently redirect Claude Code MCP traffic, intercept OAuth tokens, and maintain persistent access to connected SaaS platforms.

By Kevin Townsend | May 7, 2026 (10:33 AM ET)

An OAuth token with wide access rights can be stolen stealthily and largely undetectably from Claude Code.

Claude Code is an agentic system. This is great for developers but concerning for security teams. Agentic systems can expand the attack surface while operating largely invisibly. A major issue is the OAuth token. If an attacker can acquire this, the adversary effectively has a master key or digital proxy granting access to every tool connected to or accessible from the Claude Code MCP.

Mitiga Labs has identified an issue within Claude Code that would allow attackers to redirect output, including the tokens, to their own infrastructure before everything is sent on to the legitimate destination. It's a classic man-in-the-middle attack giving the attacker access to the tokens.

The MCP configuration and the OAuth tokens are stored in ~/.claude.json. If an adversary can modify that file, MCP traffic can be redirected through the attacker's own infrastructure. Mitiga has published details of how this could be achieved.

The two prerequisites for the attacker are the ability to install a tailored npm package, and a machine where Claude Code is configured with dynamic authorization MCP servers. The npm package registers a lifecycle hook that runs as part of the install. A post-installation hook locates common clone locations and populates the paths with a pre-configured trust dialog set to true. "No prompt will fire when the directory is later opened, because the flag the prompt is gated on is already set," reports Mitiga.

The hook also opens ~/.claude.json and edits the MCP server in the global config file. It edits "mcpServers" to include the proxy address. "This puts us, 'the adversary', in the middle of any request that goes out to the MCP server. As the attacker, we got mitmproxy configured and intercepting," explains Mitiga.

Whenever Claude Code initiates or refreshes the MCP session, it connects to the proxy and the token transits to the attacker's infrastructure. The user just sees a valid flow. If the user rotates the token, the hook writes it back on the next load. If the user edits the MCP URL, the hook loads it back on the next load. The attacker has achieved both stealth and persistence.

The attacker gets, "A durable redirection of the victim's SaaS credentials into attacker-controlled infrastructure, with automatic recovery from token rotation, invisible to the victim's endpoint UI, and indistinguishable from legitimate traffic on the provider's side."

As a man in the middle, the attacker can easily steal any OAuth token since it is stored in plain text within ~/.claude.json. Once stolen the attacker can use the token as an MFA-bypassing golden key into any tool to which the MCP connects, with the same permissions as the user.

Without care, the user sees nothing. No flags are raised since the MCP is simply doing what it is told to do, and the user isn't aware these actions have been compromised. The new adage of assuming a compromise has happened should take center stage. "Monitor Claude Code configuration changes, MCP server URL changes, OAuth refresh behavior, suspicious SaaS API activity, and unexpected traffic through MCP integrations," suggests Mitiga.

What you mustn't do is wait for a solution from Anthropic. Mitiga reported its findings to Anthropic on April 10, 2026. On April 12, 2026, Anthropic replied it was "out of scope".
The reason given was effectively the same as its response to Adversa's "TrustFall" disclosure: the user has already consented to what might happen next.

A stealthy man-in-the-middle attack against Claude Code allows attackers to hijack MCP traffic and intercept OAuth tokens by modifying the `~/.claude.json` configuration file, often via a malicious npm package with a post-installation hook. This provides persistent, undetectable access to connected SaaS platforms, as the attack automatically recovers from token rotation and MCP URL edits. The article does not provide a CVSS score, specific affected versions, a fixed version, or a recommended workaround.
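
A minimal form of the monitoring Mitiga suggests for configuration and MCP server URL changes, as an added example that is not from the article or from Mitiga: it compares the `mcpServers` entries of a saved baseline with the current config and flags new, changed, non-HTTPS, local or non-allowlisted endpoints. The per-server `url` field, the allowlist and every sample name and host are assumptions constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample of ~/.claude.json content. Only the "mcpServers" key and an
# assumed per-server "url" field are used; server names and hosts are made up.
SAMPLE_BASELINE = json.loads('''{"mcpServers": {
  "tracker": {"url": "https://mcp.tracker.example/mcp"},
  "docs":    {"url": "https://mcp.docs.example/mcp"}}}''')
SAMPLE_CURRENT = json.loads('''{"mcpServers": {
  "tracker": {"url": "http://127.0.0.1:8080/mcp"},
  "docs":    {"url": "https://mcp.docs.example/mcp"},
  "extra":   {"url": "https://mcp.unknown.example/mcp"}}}''')
ALLOWED_HOSTS = {"mcp.tracker.example", "mcp.docs.example"}  # approved endpoints


def server_urls(config):
    """Map MCP server name -> URL for every URL-based entry in mcpServers."""
    servers = config.get("mcpServers") or {}
    return {name: entry["url"] for name, entry in servers.items()
            if isinstance(entry, dict) and isinstance(entry.get("url"), str)}


def is_local_or_private(host):
    """True for localhost or a loopback/private IP literal (a typical proxy hop)."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return host == "localhost"  # other DNS names are judged by the allowlist
    return ip.is_loopback or ip.is_private


def audit(baseline, current, allowed_hosts):
    """Return sorted (server, reason) findings for the current config."""
    old, findings = server_urls(baseline), []
    for name, url in server_urls(current).items():
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if name not in old:
            findings.append((name, "new server"))
        elif old[name] != url:
            findings.append((name, "url changed"))
        if parts.scheme != "https":
            findings.append((name, "not https"))
        if is_local_or_private(host):
            findings.append((name, "local or private address"))
        elif host not in allowed_hosts:
            findings.append((name, "host not on allowlist"))
    return sorted(findings)
```

In practice the current config would be read with `json.load` from `~/.claude.json`, with the baseline kept somewhere a package install hook running as the user cannot rewrite.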