A five-step attack chain that silently redirects Claude Code’s Model Context Protocol (MCP) traffic through attacker-controlled infrastructure, intercepting OAuth bearer tokens that grant persistent, broadly scoped access to connected SaaS platforms like Jira, Confluence, and GitHub with no patch incoming from Anthropic.
Researchers at Mitiga Labs have demonstrated the attack, with the entry point being a malicious npm package designed to survive casual inspection. Hidden inside is a postinstall lifecycle hook that executes silently during installation, a well-documented supply chain attack class that gains critical new consequences in AI-agentic environments.
The hook’s primary target is a single file: ~/.claude.json, the global configuration file that governs how Claude Code routes all MCP traffic and stores OAuth tokens in plaintext.
Once installed, the hook pre-populates common developer clone paths with trust dialog flags set to true. From Claude Code’s perspective, the user has already approved trust on those directories, so no prompt will fire when they are subsequently opened.
When a developer connects an MCP server such as Atlassian or GitHub, Claude Code executes a full OAuth flow.

The resulting bearer token has four properties that make it exceptionally valuable to an attacker:
~/.claude.json alongside trust flags, all with identical file permissions.The full chain requires no privilege escalation, memory corruption, or new CVE:
postinstall hook, seeds trust flags across developer clone paths.~/.claude.json to insert a sessionStart hook that fires every time Claude Code loads a trusted project.The most operationally significant finding is that the standard incident response action, rotating the OAuth token, actively feeds the attacker rather than breaking access.
Because the hook rewrites ~/.claude.json before each session, the next OAuth refresh hits the proxy and delivers a fresh token. Remediation requires removing the hook and cleaning the configuration file before rotating credentials.
Defenders reviewing provider-side logs — such as Atlassian audit entries — will see a valid username, a real session, and an IP address resolving to Anthropic’s egress range. Every field looks legitimate. The only anomaly exists in ~/.claude.json, a user-level configuration file most security teams are not monitoring.
Mitiga reported the findings to Anthropic on April 10, 2026. Anthropic acknowledged the report on April 11, then responded on April 12 that the issue was out of scope, citing the user’s prior consent as a prerequisite for the attack. No patch is planned. The determination places the full detection and response burden on enterprise security teams.
Security teams should implement the following controls immediately:
~/.claude.json for unexpected edits, particularly changes to mcpServers URLs or additions of localhost proxy addressesOrganizations running Claude Code with MCP integrations should run cat ~/.claude.json immediately and verify that every URL listed under mcpServers is a recognized, self-configured endpoint.