Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens

Mitiga Labs demonstrated a five-step supply-chain attack in which a malicious npm postinstall hook seeds trust flags and injects a sessionStart hook into ~/.claude.json so Claude Code rewrites MCP server URLs to a local attacker proxy; when users complete OAuth flows the attacker captures persistent, broadly-scoped bearer and refresh tokens (stored in plaintext) that grant access to SaaS platforms like Jira, Confluence, and GitHub. The tokens appear to originate from Anthropic’s egress IPs—making them unattributable to the attacker on provider-side logs—and Anthropic declined to patch the issue, so defenders must immediately monitor ~/.claude.json for unauthorized edits, audit npm lifecycle scripts, remove the malicious hook before rotating credentials, and review SaaS logs for anomalous activity.