Claude Code is Anthropic’s AI coding assistant — a command-line tool that developers are adopting fast. It connects to external services through Model Context Protocol, the standard that lets AI tools interact with Jira, Confluence, GitHub, databases and internal APIs. When a developer connects one of those services, Claude Code runs an OAuth flow, the user approves the scopes and the tool receives a bearer token it uses for every subsequent request.That token is stored in plaintext in a configuration file on the developer’s machine. And researchers have now shown exactly how attackers are getting to it.What researchers foundLast week, researchers at Mitiga Labs published an attack chain that should concern every security team whose developers use Claude Code. The attack starts with a malicious npm package — something that looks like a legitimate utility or wrapper. Hidden inside is a post-install hook that runs silently during installation. That hook rewrites a single file: ~/.claude.json.That file is the control point for how Claude Code routes MCP traffic. Change it, and you can point Claude Code’s authenticated requests to attacker-controlled infrastructure instead of the legitimate service. The OAuth tokens stored in that same file get intercepted in transit. The attacker now holds valid, long-lived bearer tokens for every SaaS platform the developer had connected — Jira, Confluence, GitHub, whatever was integrated.What makes this particularly difficult to detect is what the audit logs look like on the other end. The IP address in the provider’s logs resolves to Anthropic’s egress range. The user is real. The session is valid. As Mitiga put it, nothing in that log row is wrong — but nothing in it is right either. The user did not run the query. An attacker did, using a token that was silently redirected before it ever reached its intended destination.Mitiga reported this to Anthropic on April 10. Anthropic responded on April 12 that the issue was out of scope, reasoning that the attack requires prior code execution through a package installation that the user consented to. As of this writing, no patch exists. The attack chain is live.This is not the first timeThe Mitiga disclosure is the most recent, but it is not the first time Claude Code’s configuration model has created a security problem.In February 2026, Check Point Research published findings on two separate vulnerabilities. The first, CVE-2025-59536, allowed remote code execution through malicious hooks planted in a repository’s settings file — code that ran before the user could even read the trust dialog. The second, CVE-2026-21852, allowed API key exfiltration by overriding a single environment variable, redirecting authenticated traffic to attacker-controlled infrastructure before any consent prompt appeared. Simply cloning and opening an untrusted repository was enough to trigger both.Anthropic patched those vulnerabilities after Check Point’s disclosure. But the pattern they reveal — configuration files that security teams treat as passive metadata actually functioning as active execution paths — is the same pattern the Mitiga attack exploits. The mechanism keeps working because the underlying architecture creates it.Why security teams need to pay attentionIf you have read about adversary-in-the-middle phishing, this should feel familiar. AiTM attacks do not steal credentials directly — they sit between the user and the legitimate service, wait for authentication to succeed and walk away with the session token that proves it happened. The Mitiga attack on Claude Code works the same way. The OAuth flow completes legitimately. The user approved the scopes. The token is valid. The attacker just inserted themselves into the routing layer before the token reached its intended destination.The difference is that AiTM attacks target browser sessions. This targets developer tooling — and developer tooling sits closer to your source code, your internal APIs, your cloud infrastructure and your production systems than most browser sessions ever do.Claude Code adoption is accelerating. Developers install it because it genuinely improves their workflow. They connect it to the tools they use every day. Most of them are not thinking about what the post-install scripts in their npm dependencies are doing to their local configuration files. That is not a failure of awareness — it is an unreasonable expectation. The security team needs to be thinking about it instead.Three controls that help right nowMonitor ~/.claude.json for unexpected changes. This file is the pivot point in the Mitiga attack. Changes to MCP server endpoints in that file — particularly additions of new localhost proxy addresses or unfamiliar external endpoints — should trigger an alert. Most organizations have no monitoring on user-level configuration files in developer environments. That needs to change. Mitiga specifically recommends tracking changes to Claude Code configuration, MCP server URLs and OAuth refresh behavior as the primary detection layer.Treat npm post-install hooks as a first-class security concern. The Mitiga attack begins with a malicious npm package. Post-install hooks that execute arbitrary code at install time are a known supply chain risk class — but enforcement in developer environments is inconsistent. Audit what runs during package installation in your development pipelines. Consider requiring review of packages that include post-install scripts before they reach developer machines. This is not a Claude Code-specific recommendation; it applies to every tool in your development stack. Claude Code just made the consequences of getting it wrong much more tangible.Audit OAuth tokens connected to Claude Code integrations and rotate them. Developers who connect Claude Code to Jira, Confluence, GitHub or any other SaaS platform create OAuth tokens that persist across sessions. If those tokens were active during a period when a malicious package was installed, they should be treated as potentially compromised. Rotate them. Review the audit logs on the provider side for the activity patterns Mitiga describes — valid-looking requests from Anthropic’s egress IPs that the developer did not initiate. Note that token rotation alone does not break the chain if the malicious hook is still present — the hook will reseed the configuration and capture new tokens on the next refresh. Remediation requires removing the hook and cleaning the configuration first.An honest assessmentAnthropic’s response to the Mitiga disclosure — that the attack is out of scope because the user consented to installing the package — follows a logic that security practitioners will recognize and most will reject. Consent to install a package is not consent to have that package rewrite your AI tool’s routing configuration and intercept your SaaS credentials. The two things are not the same and treating them as equivalent places the entire burden of supply chain security on the developer, making a split-second judgment about a dependency name.That is not a reasonable security model.The patched Check Point vulnerabilities show that Anthropic is responsive when the issue is framed correctly. The Mitiga research is a week old. Whether a patch follows is an open question, but the attack chain works today regardless of how that question resolves.Your developers are using Claude Code. The question for security teams is not whether to engage with this risk but how quickly you can implement detection and response that accounts for it. The configuration file is small, the monitoring requirement is specific, and the attack chain is documented. Starting there is better than waiting for a vendor patch that may not come.This article is published as part of the Foundry Expert Contributor Network.Want to join?