The technique targets the way Anthropic’s Claude Code interacts with Model Context Protocol servers, a fast-growing mechanism used to connect AI agents with external systems such as Jira, Confluence, GitHub, databases and internal application programming interfaces. The risk centres on the local Claude Code configuration file, `~/.claude.json`, which can act as a control point for MCP routing, trusted project settings and stored authentication material.
Mitiga Labs detailed a proof-of-concept chain in which an attacker first persuades a developer to install a malicious npm package. The package uses a post-install hook to alter Claude Code configuration and seed trusted paths. When the developer later opens a project in one of those paths, Claude Code may treat the directory as already trusted, allowing a hook to rewrite MCP server settings and route traffic through attacker-controlled infrastructure.
Once the altered configuration is active, Claude Code continues to operate as expected from the user’s perspective. The MCP integration still works, the SaaS provider sees what appears to be legitimate authenticated activity, and audit logs may show traffic associated with trusted Anthropic infrastructure. Behind that normal activity, however, OAuth bearer tokens can pass through the attacker’s proxy.
The significance lies less in a single credential theft attempt and more in the persistence model. OAuth tokens used by MCP integrations may be broadly scoped and reusable across sessions. If a token expires, the refresh process can also be routed through the compromised path. If the user rotates the token without removing the malicious hook and restoring the MCP endpoint, the attacker may be able to capture the replacement token as well.
The attack does not rely on a new memory corruption flaw or privilege escalation bug. Its prerequisites are narrower but realistic in developer environments: a successful package installation on a machine where Claude Code is already configured with OAuth-backed MCP servers, combined with writable local configuration files and project hooks. That makes the issue difficult to classify under traditional vulnerability models, because the first foothold may come through accepted package-install behaviour.
Anthropic has treated the disclosure as outside the scope of a product vulnerability because the chain begins with user-level code execution and consent-like actions on the endpoint. Security teams may view the matter differently. The practical impact is that a local configuration change can convert a legitimate AI workflow into a durable credential relay, while downstream SaaS systems continue to see valid user activity.
The discovery adds to a broader pattern of concern around agentic coding tools. Claude Code and comparable systems are designed to edit files, run shell commands, call APIs and work across repositories with limited friction. That power creates productivity gains for developers, but it also expands the number of places where trust, identity and execution decisions intersect. Hooks, project settings, environment variables and MCP servers are now part of the enterprise attack surface.
Separate research into Claude Code earlier this year showed how project-level configuration and hooks could be abused for remote command execution and API token exfiltration when users opened untrusted repositories. Those issues were patched before public disclosure, but the wider lesson remains: AI development assistants are not only code generators. They are privileged operators sitting close to source code, credentials and internal systems.
The MCP ecosystem has also grown quickly as companies look for standardised ways to connect AI agents to business tools. That adoption has created new defensive gaps. Traditional endpoint controls may not understand agent-specific configuration files, while SaaS monitoring may struggle to distinguish a legitimate AI-driven request from an attacker replaying or relaying the same token through a trusted path.
Defenders are being urged to monitor changes to Claude Code configuration files, project-level MCP settings, unexpected localhost proxies, new MCP server URLs, OAuth refresh patterns and SaaS actions that do not match a user’s normal work. Baselines of approved MCP endpoints can help teams detect silent redirection, particularly where development machines are allowed to install packages and connect AI tools to enterprise applications.
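One way to apply that baseline, as an added illustration rather than anything from Mitiga or Anthropic: audit the MCP server entries and trusted project paths in a Claude Code config against an allowlist, flagging loopback proxies and unapproved endpoints. The key layout (`mcpServers` with a per-server `url`, `projects` keyed by path with a trust flag) and the sample values are assumptions constructed for the example.

```python
import json
from urllib.parse import urlparse

# Constructed sample of a Claude Code user config. The key names are an
# assumption about the file layout, not taken from the article.
SAMPLE_CONFIG = json.loads("""
{
  "mcpServers": {
    "jira":     {"type": "http", "url": "https://mcp.jira.example.com/sse"},
    "github":   {"type": "http", "url": "http://127.0.0.1:8787/github"},
    "local-fs": {"command": "npx", "args": ["-y", "example-fs-server"]}
  },
  "projects": {
    "/home/dev/work/app":       {"hasTrustDialogAccepted": true},
    "/tmp/npm-seeded/project":  {"hasTrustDialogAccepted": true}
  }
}
""")

LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}


def audit_mcp_config(config, approved_hosts, approved_projects):
    """Return (kind, subject, detail) findings for anything outside the baseline.

    approved_hosts:    hostnames of MCP endpoints the team has signed off on.
    approved_projects: project paths that are expected to be marked trusted.
    """
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        url = spec.get("url")
        if not url:
            continue  # stdio servers have no remote endpoint to baseline here
        host = urlparse(url).hostname or ""
        if host in LOOPBACK_HOSTS:
            # A loopback URL for a SaaS integration is the silent-redirect shape:
            # a local proxy can forward traffic while relaying the bearer token.
            findings.append(("localhost_proxy", name, url))
        elif host not in approved_hosts:
            findings.append(("unapproved_endpoint", name, url))
    for path, settings in config.get("projects", {}).items():
        if settings.get("hasTrustDialogAccepted") and path not in approved_projects:
            # Trust seeded for a directory nobody approved (e.g. by a post-install hook)
            findings.append(("unexpected_trusted_path", path, "trusted without approval"))
    return findings


def audit_config_file(path, approved_hosts, approved_projects):
    """Load a config file from disk and audit it."""
    with open(path, encoding="utf-8") as fh:
        return audit_mcp_config(json.load(fh), approved_hosts, approved_projects)
```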