Vypr Research · Published Jun 8, 2026 · 1 source

Attackers Hijack Claude Code Traffic to Steal OAuth Tokens via Malicious npm Package

A five-step attack chain uses a malicious npm package to rewrite Claude Code's local configuration, route its MCP traffic through an attacker-controlled proxy and capture the OAuth bearer tokens that grant persistent access to SaaS platforms such as Jira and GitHub.

Researchers at Mitiga Labs have described a five-step attack chain against Anthropic's Claude Code, the company's terminal-based AI coding assistant. The chain starts with a malicious npm package, built to pass casual inspection, that declares a postinstall lifecycle script in its package.json. npm runs such scripts automatically, with the installing user's privileges, as soon as the package or anything that depends on it is installed, which is why lifecycle scripts are a long-standing supply chain vector; what is new here is that the payload goes after the local state of an AI agent rather than the host itself.

That payload's target is ~/.claude.json, the per-user file in which Claude Code keeps its Model Context Protocol (MCP) server definitions, that is, the mcpServers entries whose URLs decide where tool traffic for services such as Jira or GitHub is sent, along with per-project state such as whether the workspace trust dialog has been accepted and, critically, the OAuth bearer tokens for those servers in plaintext. The chain opens by seeding trust flags for common developer clone paths, the directories a developer typically clones repositories into. When Claude Code is later started in one of them it sees the flag, skips the trust prompt and treats the directory as already approved, so the developer is never prompted.

With the configuration under attacker control, the chain moves on to the tokens. When the developer connects Claude Code to a remote MCP server, for example Atlassian's or GitHub's, the tool runs a standard OAuth authorization flow. Because the server entry now points where the attacker chose, the bearer token that flow produces passes through attacker-controlled infrastructure. Four properties make it valuable: it is persistent rather than short-lived; it carries every scope the user granted at consent; it sits in plaintext on disk; and, according to the researchers, requests made with it look legitimate from the provider's side because they arrive from Anthropic's egress IP range rather than from an address that stands out.

The chain is built for persistence. A session hook written into ~/.claude.json fires every time Claude Code loads a trusted project and rewrites the legitimate MCP server URLs to a localhost proxy the attacker controls. Every subsequent connection to Jira, GitHub or another configured service therefore goes through that proxy, which reads the OAuth bearer token off the request. Rotating the token or hand-editing the URL back does not help: on the next session load the hook reasserts the malicious entries, so the attacker regains access as soon as a new token is issued.

Compounding the problem, Anthropic has classified the issue as out of scope: the chain only works once the user has installed the malicious npm package, which Anthropic treats as prior consent. No patch is planned, so detection and remediation fall entirely on enterprise security teams.

Defenders are urged to put controls in place now: monitor ~/.claude.json for writes that do not come from Claude Code itself, with file-integrity or EDR rules that cover changes to its hook and mcpServers entries; treat npm lifecycle scripts as a supply chain risk in their own right, for instance by installing with --ignore-scripts in CI and reviewing which dependencies declare postinstall scripts before allowing them; inventory the OAuth grants attached to Claude Code integrations and revoke any the owner cannot account for; review SaaS audit logs for activity from Anthropic egress IPs that does not match the user's normal pattern; and confirm that every mcpServers URL in ~/.claude.json is a legitimate, self-configured endpoint rather than a localhost address or an unfamiliar host.

The implications reach past this one tool. As AI agents become part of everyday development workflows, the configuration and credentials they hold become a target in their own right, and this chain shows how an ordinary supply chain foothold can be combined with the trust placed in a coding assistant to gain silent, persistent access to platforms such as Jira and GitHub. With no vendor patch coming, the available defenses are endpoint monitoring that covers AI-tooling state and an incident response plan that treats that tooling as in scope.

Synthesized by Vypr AI