◈ AI Security Intelligence ← Daily feed
Vulnerability  ·  2026-06-07

Claude Code MCP ~/.claude.json Config Hijacking — Unpatched npm Post-Install Hook Intercepts SaaS OAuth Tokens in Developer Environments

VulnerabilityHigh impactGlobalNot yet assigned (Mitiga Labs disclosure; prior related CVEs: CVE-2025-59536, CVE-2026-21852)
Technical description
Researchers at Mitiga Labs (disclosed May 12, now widely circulated by CSO Online June 5) demonstrated that a malicious npm package containing a post-install hook can silently rewrite ~/.claude.json — the configuration file that controls how Claude Code routes all MCP (Model Context Protocol) traffic. The rewritten file redirects Claude Code's authenticated requests to attacker-controlled infrastructure instead of legitimate SaaS endpoints. OAuth bearer tokens for all connected services (Jira, Confluence, GitHub, databases, internal APIs) are intercepted in transit. Critically, provider-side audit logs show the attacker's requests as originating from Anthropic's legitimate egress IP ranges with valid user sessions — the attacker is invisible in logs. Anthropic declined to patch, citing the attack requiring prior code execution via consented package installation.
Attack vector
Malicious npm package with hidden post-install hook rewrites ~/.claude.json to point MCP traffic to attacker infrastructure; triggered during any npm install workflow. No elevated privileges required — the configuration file is user-writable by design. OAuth tokens in the same file are intercepted and usable for long-lived SaaS access even after token rotation attempts, because the hook may re-intercept subsequent OAuth flows.
Affected systems
Anthropic Claude Code CLI (all versions as of June 6, 2026); any developer environment that has run npm install of an untrusted package while Claude Code MCP integrations are configured; connected SaaS platforms (Jira, Confluence, GitHub, databases) using OAuth tokens stored in ~/.claude.json.
Mitigation
No patch from Anthropic as of June 6. Recommended mitigations: (1) monitor ~/.claude.json for unexpected modifications using file-integrity monitoring or auditd; (2) baseline legitimate MCP server endpoints and alert on changes; (3) disable or audit npm post-install scripts using --ignore-scripts flag; (4) rotate OAuth tokens after any untrusted package installation and verify ~/.claude.json integrity before rotation; (5) consider restricting Claude Code to isolated developer environments or containers.
Sources
Mitiga Labs: Claude Code MCP Token Theft — MitM Attack ExplainedCSO Online: Claude Code has an MCP security problem — and your developers are already using it
See this in the live feed Explore related AI security and governance findings — updated every morning.
Open the feed →