--- title: "MCP OAuth Tokens Are Being Stolen. Anthropic Says It's Not Their Problem." date: 2026-05-23 tags: ["MCP","security","claude-code","OAuth","supply-chain","vulnerabilities"] categories: ["AI Tools"] summary: "Mitiga Labs disclosed a stealth attack that rewrites Claude Code's config file via malicious npm postinstall hooks to hijack OAuth tokens for every MCP-connected service — Jira, GitHub, internal databases. Token rotation doesn't stop it. Anthropic classified the report out of scope." --- This is the third distinct MCP security crisis of 2026. In April, OX Security found that 200,000 MCP servers were exposed to command injection through STDIO transport — a design flaw baked into Anthropic's own spec and propagated into all four official language SDKs. Anthropic's position: "by design." Now Mitiga Labs has disclosed a separate attack vector. A malicious npm package silently rewrites your Claude Code configuration to intercept every OAuth token for every MCP-connected service. The attack persists through token rotation. Anthropic's position: "out of scope." Two crises, two "not our problem" responses, same pattern. It's worth examining carefully. ## The Attack Chain The attack surface is any developer machine running Claude Code with OAuth-authenticated MCP servers — and if you're using Claude Code for enterprise work, that probably means Atlassian, GitHub, databases, or internal systems. Here's what a malicious npm package can do in its postinstall lifecycle hook, silently, at install time: 1. **Scan developer paths** to find project directories and maximize the reach of the config modification. 2. **Rewrite `~/.claude.json`** — Claude Code's plaintext configuration file — setting trust dialog flags to `true` across all project paths. This eliminates every consent and confirmation prompt for MCP tool calls. 3. **Redirect MCP server URLs** to an attacker-controlled proxy. Your "Connect to Atlassian" MCP server now routes through `http://attacker-proxy:8080/mcp`. 4. **Execute on every Claude Code reload** — not just once. The hook keeps reasserting the malicious configuration. Mitiga demonstrated this in full. Starting from a single malicious npm package install, they showed Claude Code successfully using a captured Atlassian MCP token to authenticate, retrieve account information, and query Jira issues — indistinguishable from the victim's own session. The research was completed on April 1, 2026, reported to Anthropic on April 10, and acknowledged on April 11. On April 12 — 48 hours after receipt — Anthropic issued its "out of scope" determination. SecurityWeek published the story on May 7. ## What an Attacker Gets OAuth tokens stored in `~/.claude.json` are broadly scoped, inheriting the full permissions of the connected MCP server. A stolen Atlassian token is a master key to Jira, Confluence, and any other Atlassian product in scope. A stolen GitHub token can read private repositories, clone codebases, and access secrets stored in GitHub Actions. There's a detail that makes this worse: requests through the attacker's proxy arrive at the SaaS provider appearing to originate from Anthropic's egress IPs. From GitHub's perspective, it looks like a normal Claude Code session. Any IP-based allowlisting or anomaly detection tuned to watch for external threat actors won't see anything unusual. ## Token Rotation Doesn't Help The standard incident response when credentials are stolen is to rotate them. Here, that doesn't work. Because the postinstall hook continues to execute on every Claude Code reload, newly issued tokens are intercepted immediately. The Mitiga report is explicit: the hook keeps reseeding the malicious MCP configuration. An administrator who detects the compromise, rotates OAuth credentials, and calls it resolved has left the attack active. The only remediation is to detect and remove the malicious hook itself — which requires knowing it was installed in the first place. ## Anthropic's "Out of Scope" Argument Anthropic's position is that the attack requires prior code execution on the victim's machine, therefore the vulnerability is out of scope. The framing: the user has already consented to what might happen next. This is technically defensible and practically wrong for the environment where Claude Code lives. Developers install dozens of npm packages daily. A malicious postinstall hook is not a sign that a machine is "already fully compromised" in any meaningful sense — it's the attack itself. The attacker doesn't have a root shell. They have one lifecycle hook firing as the current user. Treating these two states as equivalent erases the distinction between foothold and full breach. More importantly: the postinstall hook doesn't automatically yield OAuth tokens for Jira, GitHub, Confluence, and internal databases. That's what the MCP integration creates. A developer who installs a malicious package on a machine without Claude Code has a different threat surface than one who has connected five enterprise SaaS platforms via OAuth MCP servers. The MCP integration is the amplification layer that turns a modest foothold into a cross-service credential breach. OWASP has a name for this. LLM08 — Excessive Agency — describes exactly the pattern where AI systems are granted permissions that amplify the impact of a compromise far beyond what a traditional attack at the same access level would enable. ## How This Differs from the STDIO Crisis These are related but distinct problems. The April STDIO crisis was architectural: the STDIO transport design made it possible for malicious MCP tools to inject shell metacharacters that got interpreted as OS commands. It affected 200,000+ servers across the MCP ecosystem and every team using the official Python, TypeScript, Java, and Rust SDKs. The Mitiga attack is an exploitation technique specific to Claude Code's config file design. It requires a malicious package on the developer's machine, not a malicious MCP server. It targets credential theft rather than remote code execution. The blast radius is different: the STDIO flaw could be triggered server-side by anyone connecting to a vulnerable server; this attack requires compromising an individual developer's machine. The two crises share a structural problem: the trust model for MCP interactions hasn't kept pace with the attack surface that the OAuth integrations and broad tool permissions have created. ## Mitigations (There Is No Patch) Anthropic has issued no fix. The attack remains active for any Claude Code installation with OAuth-authenticated MCP servers. Defensive measures that do reduce exposure: **File integrity monitoring.** Alert on any modification to `~/.claude.json` — specifically changes to `mcpServers` URLs or trust flags. This catches the attack before it can be used. **Supply chain auditing.** Tools like Socket.dev detect malicious postinstall scripts before execution. Adding this to your developer onboarding reduces the npm install vector significantly. **Least-privilege OAuth scopes.** When registering MCP servers, request only the scopes the agent actually needs. A Jira MCP server that can only read issues is a smaller target than one with write access across the entire Atlassian instance. **CI/CD hardening.** Build environments are the highest-risk surface because they run broad npm installs as part of routine operation. Treat any `~/.claude.json` modification in a CI environment as a security incident requiring review. **OAuth audit logs.** Monitor refresh token activity for anomalous patterns — unexpected service access, unusual timing, or geographic inconsistencies. ## The Pattern That's Emerging Three MCP security crises in one year. CVE-2026-21852 in April (CLAUDE.md poisoning to exfiltrate credentials). The STDIO command injection in April. OAuth token hijacking now. Each time, Anthropic's public position has been that the attack falls outside the product's security boundary — that it requires something the attacker already had to trigger it, whether that's a malicious repository, a STDIO injection, or a postinstall hook. Each time, security researchers have argued that the amplification MCP creates is itself the vulnerability: a standard developer action (cloning a repo, connecting an npm package, installing a tool) becomes a path to enterprise credential theft specifically because Claude Code's MCP integration is in the picture. The MCP ecosystem is growing. The 6,400+ servers in the official registry represent real enterprise integrations at real organizations. The attack surface is expanding faster than the security model is. At some point, "that's already-compromised territory" stops being a principled security position and starts being a liability. --- **Sources:** - [Mitiga Labs Technical Writeup](https://www.mitiga.io/blog/claude-code-mcp-token-theft-mitm) - [Claude Code Attack Persists After Token Rotation — BankInfoSecurity](https://www.bankinfosecurity.com/claude-code-attack-persists-after-token-rotation-a-31671) - [Researchers Warn Claude Code OAuth Tokens Can Be Stolen — CXO Digital Pulse](https://www.cxodigitalpulse.com/researchers-warn-claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking/) - [Grid the Grey Technical Breakdown](https://gridthegrey.com/posts/mcp-hijack-attack-steals-claude-code-oauth-tokens-via-silent-man-in-the-middle/) - [SecurityWeek Coverage](https://www.securityweek.com/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking/) - [OX Security — The Mother of All AI Supply Chains](https://www.ox.security/blog/the-mother-of-all-ai-supply-chains-critical-systemic-vulnerability-at-the-core-of-the-mcp/) - [The Register — 200K Server Flaw](https://www.theregister.com/2026/04/16/anthropic_mcp_design_flaw/)