Critical Vulnerability in Claude Code’s MCP Traffic Enables OAuth Token Theft
A significant security flaw has been identified in Anthropic’s Claude Code, an AI-driven command-line development tool, which allows attackers to intercept Model Context Protocol (MCP) traffic and steal OAuth bearer tokens. This vulnerability exposes connected services such as Jira, Confluence, and GitHub to unauthorized access.
Understanding the Vulnerability
Researchers at Mitiga Labs have uncovered a five-step attack chain that exploits Claude Code’s handling of MCP traffic. The attack begins with the introduction of a malicious npm package containing a `postinstall` lifecycle hook. This hook executes silently during installation, a tactic commonly associated with supply chain attacks.
The `postinstall` hook targets the `~/.claude.json` file, which governs Claude Code’s MCP traffic routing and stores OAuth tokens in plaintext. By pre-populating common developer clone paths with trust dialog flags set to `true`, the attacker ensures that Claude Code does not prompt the user for trust confirmation when these directories are accessed.
The Five-Step Attack Chain
1. Delivery: The attacker delivers a malicious npm package that installs a `postinstall` hook and seeds trust flags across developer clone paths.
2. Path Seeding: The hook edits `~/.claude.json` to insert a `sessionStart` hook that activates each time Claude Code loads a trusted project.
3. MCP Endpoint Rewrite: The session hook replaces legitimate MCP server URLs (e.g., Atlassian’s endpoint) with a localhost proxy controlled by the attacker.
4. Token Interception: Claude Code reads the rewritten URL, connects to the proxy, and transmits the OAuth bearer token through the attacker’s infrastructure. The service provider perceives this as a valid flow from a trusted origin.
5. Persistent Reseeding: The hook reasserts the malicious configuration each time Claude Code loads, automatically recapturing tokens after rotation or manual URL correction.
Implications of the Attack
The OAuth bearer tokens intercepted through this method possess several properties that make them particularly valuable to attackers:
– Persistence: Stored for session reuse with an associated refresh token, allowing a single interception to create a durable foothold.
– Broad Scope: Inherits all permissions granted at authorization time without per-call narrowing or re-consent.
– Weak Storage: Resides in plaintext within `~/.claude.json` alongside trust flags, all with identical file permissions.
– Unattributable Server-Side: Presented from Anthropic’s egress IP range, making the token indistinguishable from legitimate traffic on the provider’s side.
This vulnerability underscores the critical need for secure handling of configuration files and the potential risks associated with AI-assisted development tools.
Mitigation Strategies
To protect against this vulnerability, developers and organizations should consider the following measures:
– Review and Audit npm Packages: Thoroughly inspect npm packages before installation to detect any malicious code, particularly in lifecycle hooks.
– Monitor Configuration Files: Regularly check configuration files like `~/.claude.json` for unauthorized changes or suspicious entries.
– Implement Least Privilege Access: Limit the scope of OAuth tokens to the minimum necessary permissions to reduce potential damage from token theft.
– Enhance Logging and Monitoring: Set up comprehensive logging and monitoring to detect unusual activities, such as unexpected changes to configuration files or unauthorized access attempts.
– Educate Developers: Provide training on secure coding practices and the risks associated with supply chain attacks to raise awareness and promote vigilance.
Conclusion
The discovery of this vulnerability in Claude Code highlights the evolving nature of security threats in AI-assisted development environments. By understanding the attack chain and implementing robust security measures, developers and organizations can better protect their systems and sensitive data from such sophisticated attacks.
