Architectural Vulnerabilities in AI Tooling: Analyzing the Claude Code MCP Token Hijacking Chain
Recent security research has identified a sophisticated Man-in-the-Middle (MitM) attack vector targeting the Claude Code ecosystem. By exploiting the Model Context Protocol (MCP), adversaries are able to intercept authenticated traffic, leading to the exfiltration of OAuth tokens and granting persistent, unauthorized access to critical enterprise SaaS environments.
This specific exploit chain, documented by Mitiga, leverages architectural weaknesses in how Claude Code manages local configurations. By targeting the ~/.claude.json file, attackers can effectively hijack the control plane used to route authenticated API requests.
What makes this attack particularly insidious is its ability to blend into the noise of legitimate operations. Unlike brute-force or traditional credential stuffing, this technique utilizes valid OAuth flows and traverses trusted Anthropic-managed egress infrastructure. Consequently, malicious requests appear in audit logs (such as Atlassian Jira or Confluence) as legitimate user activity, making detection via standard provider-side logging exceptionally difficult.
The Mechanics of MCP Token Exfiltration
The primary target of this attack is the MCP OAuth token. These tokens are high-value assets: the access (bearer) token grants scoped access to the integrated third-party service, and the accompanying refresh token makes that access effectively long-lived. According to the research, when a user authorizes an MCP integration, Claude Code persists both the access and refresh tokens in plaintext within the ~/.claude.json configuration file.
Because these tokens are designed for seamless developer workflows, they are automatically refreshed and reused across sessions without requiring new user consent. Furthermore, because MCP requests are routed through Anthropic’s infrastructure, the “source IP” of the malicious activity remains a trusted entity, bypassing many IP-based reputation filters.
The attack execution follows a structured multi-stage process:
- Initial Access via Supply Chain: The lifecycle typically begins with a malicious npm package. Through a postinstall script, the package runs arbitrary code with the developer's privileges as soon as it is installed.
- Environment Manipulation: Once running, the malicious script modifies the local ~/.claude.json file. It pre-seeds trusted project paths and silently alters MCP server configurations so that Claude Code does not raise its security prompts.
- Traffic Redirection: The attacker rewrites the MCP endpoints within the configuration file to point to a local proxy (such as a mitmproxy instance).
When the developer subsequently runs Claude Code, the tool initiates an MCP session through the attacker’s proxy. This allows the adversary to intercept the Authorization headers in transit, capturing the OAuth tokens in real-time.
Persistence and the Failure of Token Rotation: This is not a one-time theft. The malicious postinstall hook can be set to re-execute or re-seed the rogue configuration every time the developer environment is initialized. This creates a loop where even if a user rotates their tokens, the new tokens are immediately intercepted by the same proxy, granting the attacker indefinite access.
Detection and Mitigation Strategies
From a defensive standpoint, this attack presents a significant challenge because it bypasses traditional perimeter security. Endpoint detection and response (EDR) tools may see the npm execution as a standard developer activity, and SaaS providers see perfectly valid, authenticated sessions.
Recommended Security Posture:
- Configuration Integrity Monitoring: Implement File Integrity Monitoring (FIM) on sensitive dotfiles such as ~/.claude.json to alert on unauthorized modifications.
- Endpoint Baselining: Monitor for the presence of local proxying tools, and for unexpected localhost or loopback endpoints within AI tool configurations.
- Supply Chain Hygiene: Enforce strict policies on npm package auditing and the use of lockfiles, and prevent the execution of unvetted postinstall scripts.
- Behavioral Analytics: Monitor downstream SaaS logs for anomalous patterns, such as a single user identity performing high-volume data queries across disparate integrated services in a short window.
While the vendor, Anthropic, has categorized this issue as out of scope due to the requirement of prior code execution, the discovery serves as a critical warning. As AI agents gain deeper integration into the enterprise stack through protocols like MCP, the developer’s local environment becomes a high-stakes target for sophisticated credential exfiltration.