Mitiga researchers disclosed a vulnerability in Claude Code where attackers can hijack MCP traffic by modifying the ~/.claude.json configuration file to redirect OAuth token traffic through attacker-controlled infrastructure. This is achieved by installing a malicious npm package that sets lifecycle hooks to alter trust dialogs and MCP server URLs silently. The attacker gains persistent man-in-the-middle access to OAuth tokens stored in plaintext, enabling them to access connected SaaS platforms with the victim's permissions. The attack is stealthy, maintaining persistence by automatically restoring malicious settings if changed. Anthropic has declined to address the issue, citing user consent as justification. No patch or official remediation is currently available.

An attacker who successfully exploits this vulnerability can steal OAuth tokens that serve as master keys to all SaaS platforms connected through Claude Code's MCP. This enables persistent, stealthy access to victim SaaS accounts with the same permissions as the user, bypassing multi-factor authentication. The victim remains unaware as the attack does not disrupt normal operation or trigger visible alerts. The attacker can maintain access even after token rotation or configuration changes, posing a significant risk of unauthorized data access and potential lateral movement within connected SaaS environments.

No official fix or patch is currently available, as the vendor Anthropic has classified this issue as out of scope. Mitiga recommends monitoring Claude Code configuration changes, especially modifications to the MCP server URL and the ~/.claude.json file, as well as observing OAuth token refresh behavior and suspicious SaaS API activity. Users should be cautious about installing untrusted npm packages and consider restricting or auditing npm package installations on machines running Claude Code. Since the vulnerability relies on local compromise, endpoint security controls to prevent unauthorized software installation can reduce risk.