The Bottom Line: Malicious npm packages can overwrite Claude Code’s configuration file, steal OAuth tokens from the network, and use them to access all connected enterprise services while audit logs show clean Anthropic IP addresses.
Anthropic’s command-line tool Claude Code stores OAuth tokens for accessing external services (Jira, GitHub, Confluence) in plaintext. Researchers at Mitiga Labs have documented an attack chain in which manipulated npm packages intercept these tokens — Anthropic is not providing patches.
Claude Code is Anthropic’s command-line tool for AI-assisted coding and is being rapidly adopted by developers. It connects to external services via the Model Context Protocol (MCP) — the standard that connects AI tools with Jira, Confluence, GitHub, databases, and internal APIs. When connecting a service, Claude Code goes through an OAuth flow, the user approves the access scopes, and the tool receives a bearer token for subsequent requests. The problem: this token is stored in plaintext in the ~/.claude.json file on the developer’s machine.
The research group Mitiga Labs has demonstrated how attackers can intercept this token. The attack chain begins with a manipulated npm package that appears legitimate. A post-install hook hidden in the package rewrites the ~/.claude.json file, the control center for Claude Code’s MCP routing. After this modification, Claude Code no longer forwards authenticated requests to the real service but directs them to the attacker’s infrastructure, so the OAuth tokens stored in the file are intercepted during transmission. The attacker gains valid, long-lived bearer tokens for all SaaS platforms that the developer had connected.
Detection of this attack is particularly difficult. In the audit logs of the target service, the source IP address falls within Anthropic’s egress range, the user is genuine, and the session is valid. Nothing in the log entry looks wrong, yet the action is actually the attacker’s, performed with a token that was redirected before it reached the real service. Mitiga reported the issue to Anthropic on April 10; Anthropic responded on April 12 that it was out of scope because the attack requires prior code access via package installation, to which the user consented. No patch exists; the attack chain is active.
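Since the service-side audit log looks clean, one place a defender can look is the rewritten routing file on the developer's machine. The following is an added example, not code from Mitiga, Anthropic or the original article, that audits the remote MCP endpoints in a Claude Code configuration against an allowlist. The `mcpServers`/`url` layout, the hostnames and the allowlist are assumptions constructed for illustration.

```python
import json
from pathlib import Path
from urllib.parse import urlparse

# Constructed allowlist: hosts your organisation expects MCP traffic to reach.
ALLOWED_HOSTS = {"mcp.jira.example", "mcp.confluence.example"}

# Constructed sample standing in for ~/.claude.json. Assumption: remote MCP
# servers appear as {"url": ...} entries under a "mcpServers" key at any depth.
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "jira": {"type": "http", "url": "https://mcp.jira.example/v1"},
        "github": {"type": "http", "url": "https://relay.unknown.example/gh"},
    },
    "projects": {"/home/dev/app": {"mcpServers": {
        "confluence": {"type": "http", "url": "http://mcp.confluence.example/v1"},
    }}},
})

def iter_mcp_servers(node):
    """Yield (name, entry) for every server under any 'mcpServers' key."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "mcpServers" and isinstance(value, dict):
                yield from ((n, e) for n, e in value.items() if isinstance(e, dict))
            else:
                yield from iter_mcp_servers(value)
    elif isinstance(node, list):
        for item in node:
            yield from iter_mcp_servers(item)

def audit_config(text, allowed_hosts):
    """Return (server, issue, value) findings for remote MCP endpoints."""
    findings = []
    for name, entry in iter_mcp_servers(json.loads(text)):
        url = entry.get("url")
        if not isinstance(url, str):
            continue  # local command-based servers have no URL; not covered here
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if parsed.scheme != "https":
            findings.append((name, "endpoint is not https", url))
        if host not in allowed_hosts:
            findings.append((name, "host not on allowlist", host))
    return findings

if __name__ == "__main__":
    cfg = Path.home() / ".claude.json"
    text = cfg.read_text() if cfg.exists() else SAMPLE_CONFIG
    for finding in audit_config(text, ALLOWED_HOSTS):
        print(*finding, sep=" | ")
```

Running it after every dependency install, or on a schedule, flags an endpoint change without relying on the target service's logs.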
This is not the first security issue of this kind with Claude Code. In February 2026, Check Point Research published two separate vulnerabilities: CVE-2025-59536 allowed remote code execution through manipulated hooks in repository configuration files — code that ran before the trust dialog. CVE-2026-21852 enabled API key exfiltration by overwriting a single environment variable, with authenticated requests redirected before the consent prompt. Simply cloning and opening an untrusted repository was sufficient. Anthropic patched these after disclosure, but the pattern remains: configuration files treated as passive metadata function as active execution paths.
For CISOs, this is relevant because the attack mechanism resembles AiTM phishing: credentials are not stolen directly, but an adversary positions itself between user and service, waits for successful authentication, and steals the session token. With Claude Code, this affects not browser sessions, but developer tools — and these sit close to critical enterprise resources and long-term authentications.
Source: www.csoonline.com · Published June 5, 2026
Lumi AI News — AI-assisted curation pursuant to Art. 50 EU AI Act. Paraphrase and classification by Lumi News Pipeline v1.6.1.