"Claude Code is an agentic system. This is great for developers but concerning for security teams. Agentic systems can expand the attack surface while operating largely invisibly. A major issue is the OAuth token. If an attacker can acquire this, the adversary effectively has a master key or digital proxy granting access to every tool connected to or accessible from the Claude Code MCP."
"Mitiga Labs has identified an issue within Claude Code that would allow attackers to redirect output, including the tokens, to their own infrastructure before everything is sent on to the legitimate destination. It's a classic man-in-the-middle-attack giving the attacker access to the tokens."
"The hook also opens ~/.claude.json and edits the MCP server in the global config file. It edits 'mcpServers' to include the proxy address. 'This puts us, the adversary, in the middle of any request that goes out to the MCP server. As the attacker, we got mitmproxy configured and intercepting,' explains Mitiga."
Claude Code's agentic architecture creates security vulnerabilities, particularly regarding OAuth tokens that grant broad access to connected tools. Mitiga Labs discovered an attack method where adversaries can redirect Claude Code output through their infrastructure to intercept tokens. The attack requires two prerequisites: installing a malicious npm package and having Claude Code configured with dynamic authorization MCP servers. A post-installation hook modifies the ~/.claude.json configuration file, adding a proxy address to MCP server settings and disabling trust prompts. This positions the attacker as a man-in-the-middle, intercepting all MCP traffic and OAuth tokens when Claude Code initiates or refreshes sessions.
#oauth-token-security #man-in-the-middle-attack #claude-code-vulnerability #mcp-configuration-exploitation #supply-chain-attack
Read at SecurityWeek
Unable to calculate read time
Collection
[
|
...
]