Technical description
Claude Code stores MCP configuration and OAuth tokens in ~/.claude.json without adequate integrity protection. Attackers who can install a malicious npm package or modify the configuration file can redirect MCP traffic through attacker-controlled infrastructure, intercepting OAuth tokens that grant wide access to connected SaaS platforms (GitHub, Slack, Google Workspace, etc.).
Attack vector
Attacker installs tailored npm package on a developer machine where Claude Code is configured with dynamic authorization MCP servers, or modifies ~/.claude.json directly. MCP traffic is redirected through attacker infrastructure in a classic MITM pattern. Stolen tokens persist beyond the initial compromise, enabling long-term access to connected services.
Affected systems
Claude Code with dynamic OAuth-based MCP servers. Systems using static API keys or locally-scoped MCP servers are not affected. The issue was disclosed May 7, 2026 by Mitiga Labs.
Mitigation
Rotate all OAuth tokens used by Claude Code MCP servers immediately. Implement file integrity monitoring on ~/.claude.json. Restrict npm package installation sources. Audit MCP server configurations for unexpected proxy or endpoint changes. Anthropic has not yet issued a patch; monitor official channels for remediation guidance.