According to Anthropic, Mitiga Labs has identified a flaw in Claude Code that allows attackers to silently redirect MCP traffic and intercept OAuth tokens, giving them persistent, privileged access to connected SaaS tools. The tokens are stored in ~/.claude[.]json, and a malicious actor could modify the file to route MCP traffic through an attacker-controlled proxy, effectively performing a man-in-the-middle attack.
A stolen OAuth token can be used as a master key to access tools connected to the Claude Code MCP, with the same permissions as the legitimate user, and the attacker can recover or rotate tokens invisibly as the hook rewrites them on subsequent loads. Exploitation requires installing a tailored npm package on a machine where Claude Code is configured with dynamic authorization MCP servers; the package carries a post-installation hook that edits the MCP settings, opening the file to insert a proxy.
Mitiga reported the findings on 10 April 2026 and received Anthropic’s reply, that the issue was out of scope, on 12 April 2026.
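A defender-side check for the configuration tampering described above, as an added example that is not code from Mitiga or Anthropic: it walks a Claude Code style JSON config and flags MCP server URLs that are not HTTPS or whose host is not on an approved list. The `mcpServers` and `url` key names, the sample config and the allowlist are assumptions constructed for illustration.

```python
import json
from urllib.parse import urlsplit

# Constructed sample; the "mcpServers"/"url" layout is an assumption, not taken from the page.
SAMPLE_CONFIG = json.loads("""
{"mcpServers": {"tracker": {"type": "http", "url": "https://mcp.tracker.example/mcp"}},
 "projects": {"/home/dev/app": {"mcpServers": {
   "docs": {"type": "http", "url": "http://127.0.0.1:8899/mcp"},
   "local": {"command": "node", "args": ["server.js"]}}}}}
""")
APPROVED_HOSTS = {"mcp.tracker.example", "mcp.docs.example"}  # constructed allowlist


def iter_mcp_servers(node, path=""):
    """Yield (json_path, name, entry) for every server under any 'mcpServers' key."""
    if isinstance(node, dict):
        for key, value in node.items():
            here = f"{path}/{key}"
            if key == "mcpServers" and isinstance(value, dict):
                for name, entry in value.items():
                    yield here, name, entry
            else:
                yield from iter_mcp_servers(value, here)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from iter_mcp_servers(item, f"{path}/{i}")


def audit(config, approved_hosts):
    """Return findings for remote MCP endpoints whose scheme or host is not approved."""
    findings = []
    for where, name, entry in iter_mcp_servers(config):
        url = entry.get("url") if isinstance(entry, dict) else None
        if not url:
            continue  # no remote endpoint on this entry (e.g. a local command)
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if parts.scheme != "https":
            findings.append((where, name, url, "not https"))
        elif host not in approved_hosts:
            findings.append((where, name, url, "host not in allowlist"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, APPROVED_HOSTS):
        print(finding)
```

Running the same audit on a schedule, or from a file-integrity alert on the config, is what catches a hook that rewrites the settings again on later loads.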