What researchers found
Last week, researchers at Mitiga Labs published an attack chain that should concern every security team whose developers use Claude Code. The attack starts with a malicious npm package — something that looks like a legitimate utility or wrapper. Hidden inside is a post-install hook that runs silently during installation. That hook rewrites a single file: ~/.claude.json.
That file is the control point for how Claude Code routes MCP traffic. Change it, and you can point Claude Code’s authenticated requests to attacker-controlled infrastructure instead of the legitimate service. The OAuth tokens stored in that same file get intercepted in transit. The attacker now holds valid, long-lived bearer tokens for every SaaS platform the developer had connected — Jira, Confluence, GitHub, whatever was integrated.
What makes this particularly difficult to detect is what the audit logs look like on the other end. The IP address in the provider’s logs resolves to Anthropic’s egress range. The user is real. The session is valid. As Mitiga put it, nothing in that log row is wrong — but nothing in it is right either. The user did not run the query. An attacker did, using a token that was silently redirected before it ever reached its intended destination.
Mitiga reported this to Anthropic on April 10. Anthropic responded on April 12 that the issue was out of scope, reasoning that the attack requires prior code execution through a package installation that the user consented to. As of this writing, no patch exists. The attack chain is live.
