Attack Chain Overview
A newly disclosed attack method targets developers using Claude Code by hijacking traffic routed through the Model Context Protocol (MCP). Researchers from Mitiga Labs discovered that a malicious npm package, designed to pass casual inspection, executes a silent postinstall lifecycle hook during installation. This hook modifies the global Claude Code configuration file, seeding trust flags across common developer clone paths so that no trust prompts appear when those directories are later opened.
Once the developer connects an MCP server such as Atlassian or GitHub, the system performs a full OAuth flow. The resulting bearer token is stored in plaintext within the configuration file alongside the trust flags, with no special protections on file permissions. This makes the token highly accessible for exfiltration.
Token Characteristics and Exploit Mechanics
The intercepted OAuth tokens possess four properties that make them exceptionally valuable to attackers. They are persistent, meaning a single interception grants a durable foothold via associated refresh tokens. They are broadly scoped, inheriting all permissions granted at authorization time with no per-call narrowing or re-consent. They are weakly stored in plaintext with identical file permissions as other configuration data. And they are unattributable server-side, as they are presented from Anthropic’s egress IP range, making them indistinguishable from legitimate traffic.
The five step chain begins with delivery of the malicious package, followed by path seeding in the configuration file. The hook then inserts a sessionStart trigger that fires each time Claude Code loads a trusted project. This trigger rewrites legitimate MCP server URLs, such as Atlassian’s endpoint, to point to a localhost proxy controlled by the attacker. When Claude Code connects to this proxy, the OAuth bearer token transits through attacker controlled infrastructure, enabling theft of access to connected SaaS platforms like Jira, Confluence, and GitHub. No patch from Anthropic is currently available.
Source: Cyber Security News
