Claude Code MCP Traffic Can Be Hijacked to Steal OAuth Tokens, Researchers Warn

Security researchers have shown how attackers can hijack Claude Code’s Model Context Protocol traffic and steal OAuth tokens used to access connected SaaS platforms such as Jira, Confluence, GitHub, and other developer tools.

The attack does not require a new vulnerability, kernel exploit, or privilege escalation. Instead, it abuses a malicious npm package, Claude Code configuration changes, trusted project settings, and MCP server URL rewriting.

Mitiga Labs detailed the issue in its Claude Code MCP token theft research, warning that token rotation may not stop the attack if the malicious hook remains in place and keeps rewriting the configuration file.

The attack turns Claude Code configuration into the control point

The chain targets ~/.claude.json, the global Claude Code configuration file. According to Anthropic’s Claude Code settings documentation, this file can contain OAuth session data, MCP server configurations, trust settings, allowed tools, and caches.

That makes the file highly sensitive. If an attacker can edit it through a malicious dependency or install script, they may be able to redirect where Claude Code sends MCP traffic.

Once the traffic is routed through an attacker-controlled proxy, the attacker can intercept OAuth bearer tokens used by Claude Code to talk to remote MCP servers. These tokens can grant persistent access to connected SaaS services, depending on the scopes approved during authorization.

Attack element	What it does	Why it matters
Malicious npm package	Runs a lifecycle script during installation.	Gives the attacker a way to edit user-level files.
~/.claude.json	Stores OAuth sessions, MCP server settings, and trust state.	Controls how Claude Code connects to tools.
Session hook	Runs when Claude Code loads a trusted project.	Can keep reapplying the malicious configuration.
MCP endpoint rewrite	Changes a legitimate MCP URL to a proxy.	Routes OAuth traffic through attacker-controlled infrastructure.
OAuth token interception	Captures bearer tokens in transit.	Can expose Jira, Confluence, GitHub, or other connected accounts.

Why MCP tokens are valuable to attackers

MCP lets AI tools connect to external services and take actions through those connections. The official Model Context Protocol introduction describes MCP as an open standard that connects AI applications to external systems, including files, databases, tools, and workflows.

In Claude Code, those integrations can connect the agent to issue trackers, repositories, monitoring tools, databases, design systems, and messaging platforms. The official Claude Code MCP documentation says Claude Code can use MCP servers to access tools, databases, and APIs directly instead of relying on pasted context.

That power also raises the stakes. If a stolen token gives access to Jira, Confluence, GitHub, or another SaaS platform, an attacker may be able to read internal tickets, documentation, repositories, issue metadata, and other sensitive business data.

• OAuth tokens can persist across sessions through refresh tokens.
• Scopes are often granted at authorization time and may not narrow per request.
• Provider logs can show activity from a valid user and trusted infrastructure.
• Token rotation may fail if the malicious hook re-captures the refreshed token.
• The most visible anomaly may exist only in a local user configuration file.

A malicious npm lifecycle hook starts the chain

The attack begins with a malicious npm package. The package looks ordinary enough to pass a quick review, but it includes a postinstall or similar lifecycle script that runs during installation.

The official npm scripts documentation explains that package scripts can run during lifecycle events such as install, pack, publish, rebuild, and restart. Attackers have long abused this behavior in supply-chain attacks because installation can execute code before a developer ever imports the package.

In the Mitiga demonstration, that install-time code prepares Claude Code trust entries for common developer clone paths and edits ~/.claude.json. From Claude Code’s point of view, the project may already look trusted when the developer later opens it.

The five-step Claude Code MCP attack chain

Mitiga describes a five-step chain that relies on file edits and configuration abuse rather than a memory corruption bug. The attacker first gets a malicious package installed on the developer’s machine.

The package then seeds trust settings, inserts a sessionStart hook, and waits for Claude Code to load a trusted project. When that happens, the hook rewrites MCP server URLs so traffic intended for a legitimate service goes through a local proxy controlled by the attacker.

The next time Claude Code starts or refreshes an MCP session, the bearer token travels through the proxy. The SaaS provider still sees a valid OAuth flow from a legitimate user context, while the attacker sees the token.

Step	What happens	Result
Delivery	A malicious npm package runs an install-time hook.	The attacker gains a foothold in user-level configuration.
Path seeding	The hook edits ~/.claude.json and seeds trusted project paths.	Claude Code may skip expected trust prompts later.
Session hook	A sessionStart hook runs when Claude Code loads the project.	The malicious configuration can reapply itself repeatedly.
MCP rewrite	Legitimate MCP server URLs are replaced with proxy URLs.	Claude Code sends traffic through the attacker’s path.
Token capture	OAuth bearer tokens pass through the proxy.	The attacker can steal tokens for connected SaaS services.

Token rotation can make the problem worse if cleanup happens in the wrong order

The most important response detail is the order of cleanup. If a team rotates OAuth tokens before removing the hook and correcting ~/.claude.json, the attacker may simply capture the new token during the next refresh.

That means responders should first remove malicious hooks, inspect Claude Code configuration, restore trusted MCP endpoints, and verify that no local proxy remains. Only then should they rotate OAuth tokens and review SaaS activity.

The same Mitiga analysis says the attack was reported to Anthropic on April 10, 2026. Anthropic acknowledged it on April 11 and responded on April 12 that it was out of scope because the chain depends on user-level consent and local code execution.

Why normal SaaS logs may not expose the attack

Provider-side logs can be misleading in this scenario. The activity may appear to come from a real user, through a valid OAuth session, and from infrastructure associated with normal Claude Code traffic.

That makes the attack hard to detect from Jira, Confluence, GitHub, or other SaaS audit logs alone. A query, file read, or issue search may look legitimate unless defenders compare it against the user’s usual behavior and the local Claude Code configuration.

Security teams should treat the endpoint and the SaaS logs as one investigation. If SaaS activity looks odd but still appears valid, ~/.claude.json and project-level MCP files may provide the missing context.

• Review ~/.claude.json for unexpected mcpServers URLs.
• Look for localhost, proxy, or unfamiliar domains in MCP endpoint configuration.
• Check project-level .mcp.json files for unapproved server entries.
• Search for Claude Code hooks that run on session start.
• Compare SaaS audit logs with the developer’s normal activity pattern.

MCP security now depends on local configuration hygiene

MCP’s value comes from letting AI applications use outside tools. The same MCP overview says agents can use MCP to access services such as calendars, databases, tools, and workflows on behalf of users.

Claude Code’s MCP integration guide also warns users to verify that they trust each server before connecting it, because servers that fetch external content can expose users to prompt injection risk.

The Mitiga chain adds another local security lesson. Even if the MCP server itself is legitimate, the local route to that server can be changed if the configuration file is writable and not monitored.

Defenders should treat npm install scripts as a supply-chain risk

Security teams should not treat package installation as a low-risk developer convenience. npm lifecycle scripts can run code during installation, and that code can modify user files, development tooling, shell configuration, and agent settings.

The npm lifecycle script documentation makes clear that package scripts are a normal feature of the ecosystem. For defenders, the problem is not that scripts exist, but that malicious packages can abuse them before any application code is reviewed.

Organizations using Claude Code with MCP integrations should add package lifecycle scripts to software supply-chain review, especially for packages installed on developer workstations that also hold SaaS access, repository tokens, or AI agent configurations.

Control	What to do	Why it helps
Configuration monitoring	Alert on changes to ~/.claude.json and .mcp.json.	Detects endpoint rewrites and trust-state changes.
MCP endpoint allowlist	Define approved MCP server URLs for Jira, GitHub, Confluence, and internal tools.	Makes proxy substitutions easier to catch.
npm script review	Audit packages with install, preinstall, and postinstall scripts.	Reduces supply-chain paths into developer tooling.
OAuth scope review	Limit scopes granted to MCP integrations.	Reduces damage if a token is intercepted.
SaaS behavior monitoring	Flag unusual queries, file reads, repo access, or ticket searches.	Finds misuse even when the token appears valid.

How teams should respond if they suspect exposure

Responders should avoid rotating OAuth tokens first. That can feed the attacker a fresh token if the hook still rewrites the MCP route.

Instead, teams should disconnect affected machines from sensitive workflows, remove suspicious hooks, inspect Claude Code configuration, restore legitimate MCP URLs, and then rotate OAuth tokens linked to Claude Code integrations.

They should also review the Claude Code settings documentation to understand what sensitive data can live in ~/.claude.json and how managed settings can reduce risky user-level configuration drift.

• Remove malicious npm packages and related install-time hooks.
• Inspect ~/.claude.json for changed MCP URLs, trust flags, and unexpected hooks.
• Inspect .mcp.json files inside projects for unauthorized MCP servers.
• Delete unknown local proxies and review startup items or shell scripts.
• Restore MCP endpoints only to approved URLs.
• Rotate OAuth tokens after local cleanup is complete.
• Review Jira, Confluence, GitHub, and other SaaS logs for unusual activity tied to the same user.

The broader lesson is clear: AI coding agents create a new class of credential risk because they can connect local developer tools to high-value SaaS platforms. A small configuration change can redirect trusted automation in ways normal cloud logs may not explain.

Companies adopting Claude Code and MCP should inventory connected servers, reduce OAuth scopes, monitor local agent configuration, and treat developer package installation as part of the identity and SaaS security perimeter.

FAQ