al-ice.ai

Claude Code MCP Token Theft — npm Package MITM

Security by al-ice.ai Editorial

AI relevance: A malicious npm package can silently redirect Claude Code's Model Context Protocol OAuth tokens to attacker-controlled infrastructure, giving long-lived access to Jira, GitHub, Confluence and any other connected SaaS — with no patch available.

The attack chain

  • Entry point: A malicious npm package with a post-install hook runs during npm install, before the developer sees any output.
  • Configuration rewrite: The hook modifies ~/.claude.json, the control file that routes Claude Code's MCP traffic. A single config change points authenticated MCP requests to attacker-controlled servers.
  • Token interception: OAuth bearer tokens stored in the same config file are sent to the attacker's infrastructure in transit. These are long-lived tokens for every connected SaaS platform — Jira, Confluence, GitHub, internal APIs.
  • Stealth: Provider-side audit logs show Anthropic's egress IP, a real user, and a valid session. As Mitiga notes: nothing in the log row is wrong, but nothing is right either — the user didn't make those queries.

Prior context

  • In February 2026, Check Point Research disclosed two Claude Code vulnerabilities: CVE-2025-59536 (RCE via repo hooks) and CVE-2026-21852 (API key exfil via environment variable override). Both triggered on cloning an untrusted repo.
  • Anthropic patched those, but the architectural pattern remains: configuration files that look like passive metadata are actually active execution paths.

Why it matters

Mitiga reported this to Anthropic on April 10. Anthropic responded on April 12 that the issue was out of scope because the attack requires prior code execution via a package the user "consented" to install. As of this writing, no patch exists and the attack chain is live. This is a structural problem — any AI coding tool that stores OAuth tokens in a writable local config file is vulnerable to the same pattern.

What to do

  • Audit npm packages installed in developer workflows, especially wrapper utilities that appear in dependency trees unexpectedly.
  • Monitor ~/.claude.json for unauthorized modifications with file integrity tooling or endpoint detection.
  • Review SaaS provider audit logs for queries originating from Anthropic egress ranges that don't match known developer activity.
  • Consider token rotation policies for OAuth-connected MCP integrations, particularly for high-privilege connections.

Sources