PERMISSION/PROTOCOL

2026-05-08

Severity: High
Source type: Media report

Claude Code OAuth tokens stolen via stealthy MCP man-in-the-middle hijacking

Mitiga Labs found a Claude Code attack path where a malicious npm package redirects MCP traffic through an attacker proxy, silently stealing OAuth tokens and SaaS credentials.

Product: Claude Code / MCP
Category: Credential exposure
Technique: OAuth credential exfiltration via MCP proxy
Affected surface: Developer workstation / SaaS tools connected via MCP

What happened

A developer installs a malicious npm package; its postinstall hook edits ~/.claude.json so that the configured MCP servers point at an attacker-controlled proxy. From then on every MCP session, and the OAuth tokens it carries, transits attacker infrastructure.

Why it matters

Silent, persistent credential exfiltration from every SaaS tool reachable through the developer's MCP servers. The stolen OAuth tokens are already post-authentication, so the attacker's access bypasses MFA and looks identical to the developer's own traffic. Recovery requires rotating credentials for every connected service, and because the hook re-applies the proxy configuration, the config must be cleaned first or the rotated tokens leak the same way.

Missing authorization check

Any change to MCP server configuration, and server URLs in particular, should require explicit user approval that names the new endpoint. OAuth tokens should not be stored in plaintext in a filesystem-accessible config file that carries no integrity protection.

Would PP block it?

PP's authority receipts address the "what can this agent do" question at tool-call time, but the attack vector is upstream — a malicious npm package modifies the agent's own config before any tool call is made. If MCP server URL changes required a signed change approval from a workspace administrator, this attack would fail. PP's scope of enforcement currently sits at tool-call dispatch, not at agent configuration mutation.

Incident analysis

Timeline and technical read

Timeline

  1. 2026-04-10: Mitiga Labs reports the vulnerability to Anthropic
  2. 2026-04-12: Anthropic responds that the issue is "out of scope"
  3. 2026-05-08: Mitiga Labs publishes the full technical disclosure
  4. 2026-05-08: SecurityWeek covers the disclosure

Technical breakdown

  • Malicious npm package registers a postinstall lifecycle hook that targets Claude Code config locations
  • Hook modifies ~/.claude.json to replace legitimate MCP server URLs with an attacker-controlled proxy URL
  • OAuth tokens stored in plaintext in ~/.claude.json transit through the proxy on every MCP session
  • Hook rewrites the config again on next load if the user rotates tokens or edits the URLs, so the attacker keeps access
  • Anthropic's position: the user consented by trusting the npm package; this is "out of scope"

Authorization boundary

Where the authorization boundary should have been

This incident is categorized as Credential exposure. The relevant Permission Protocol gate is Credential Gate. The read is conditional: PP blocks the attack only where the action that actually matters here, changing the configured MCP server URL, is routed through a gate.

If enforced at: MCP server configuration, npm package installation, OAuth token storage
Still needs: config-file integrity checks, MCP server URL change approval, npm install hook sandboxing
Receipt required for: any MCP server URL modification or addition to Claude Code configuration

PP can gate explicit tool calls and enforce least-privilege token scopes but does not currently intercept npm install hooks or protect config file integrity at rest.

Start small

Put the relevant gate at this action boundary.

This incident maps to Credential Gate. Start with the boundary that controls the actual action, then require a signed receipt before execution.
