Three disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some of the fixes are yours to make — and the lesson is far bigger than one tool.
I run almost my entire build through agentic Claude Code, wired to GitHub, Jira, and a stack of internal services over the Model Context Protocol. That makes me precisely the profile the latest research is about — and if your developers work the same way, it makes them targets too.
Over the past few months, security researchers and a German-market commentary in Computerwoche by cybersecurity engineer Anjali Gopinadhan Nair have documented something uncomfortable: the very things that make Claude Code powerful — local configuration files, MCP connectors, repository hooks, and the ability to act on your machine — are also a quiet, well-placed attack surface. The config files most teams treat as passive metadata are, in practice, active execution paths.
This is not a hit piece on Anthropic. The company patched the issues that were reported the “right” way, fast. But one live attack chain remains unpatched by design choice, and the broader pattern applies to every agentic developer tool on the market, not just this one. Here is what was found, why the category is different, and the playbook to close the gaps.
Your Coding Agent Is an Attack Surface
Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.
What the researchers found
Three separate strands, one shared theme.
The silent token heist (Mitiga Labs). When a developer connects Claude Code to a service like GitHub, Jira, or Confluence, the tool runs an OAuth flow, the user approves the scope, and Claude Code receives a long-lived bearer token it reuses for every later request. That token is stored in plain text in a local control file, ~/.claude.json. Mitiga Labs showed that a malicious npm package — dressed up as an ordinary utility or wrapper — can carry a hidden post-install hook that silently rewrites exactly that one file during installation. Because ~/.claude.json governs how Claude Code routes its MCP traffic, rewriting it lets an attacker reroute the tool’s authenticated requests through infrastructure they control and intercept the stored OAuth tokens in transit. The attacker walks away with valid, durable credentials for every SaaS platform the developer had connected.
The worst part is the invisibility. To the victim organization, the activity looks legitimate: the source IP traces back to Anthropic’s own egress range, the user is real, the session is valid. Nothing in the logs is wrong — and nothing is right, because the request was issued by the tool, using a token the developer had authorized for an entirely different purpose, on the basis of a trust decision that was rewritten behind their back. Mitiga reported this to Anthropic in early April 2026. Anthropic’s position, per SecurityWeek, is that it falls “out of scope,” because the attack presupposes code execution via a package the user chose to install. There is, as a result, no patch — and the chain works today.
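As a defender-side check on the first link of that chain, here is an added example (not Mitiga's or Anthropic's code) that walks an installed node_modules tree and reports every package declaring an install-time script; the sample tree and package names are constructed.

```python
"""List packages in a node_modules tree that declare install-time npm lifecycle scripts.

Added example, not npm's or Anthropic's code. npm runs a package's "preinstall",
"install" and "postinstall" scripts during installation; this reports every
installed package that declares one, so they can be reviewed before the next install."""
import json
import os
import tempfile

LIFECYCLE = ("preinstall", "install", "postinstall")


def install_scripts(node_modules: str) -> dict:
    """Map 'name@version' -> {hook: command} for each package declaring an install hook."""
    found = {}
    for root, _dirs, files in os.walk(node_modules):
        if "package.json" not in files:
            continue
        with open(os.path.join(root, "package.json"), encoding="utf-8") as fh:
            try:
                meta = json.load(fh)
            except ValueError:
                continue  # stray or fixture package.json files are not always valid JSON
        hooks = {k: v for k, v in (meta.get("scripts") or {}).items() if k in LIFECYCLE}
        if hooks:
            found[f"{meta.get('name', root)}@{meta.get('version', '?')}"] = hooks
    return found


def build_sample_tree() -> str:
    """Constructed node_modules: one quiet package and one that runs code on install."""
    base = tempfile.mkdtemp()
    pkgs = {
        "tiny-pad": {"name": "tiny-pad", "version": "1.0.0", "scripts": {"test": "jest"}},
        "handy-util": {"name": "handy-util", "version": "0.3.1",
                       "scripts": {"postinstall": "node ./setup.js"}},
    }
    for dirname, meta in pkgs.items():
        os.makedirs(os.path.join(base, dirname))
        with open(os.path.join(base, dirname, "package.json"), "w", encoding="utf-8") as fh:
            json.dump(meta, fh)
    return base


if __name__ == "__main__":
    tree = "node_modules" if os.path.isdir("node_modules") else build_sample_tree()
    for pkg, hooks in install_scripts(tree).items():
        for hook, cmd in hooks.items():
            print(f"{pkg}: {hook} -> {cmd}")
```

Pairing this with `ignore-scripts=true` in the project's .npmrc keeps those hooks from running at all; packages that genuinely need a build step must then be rebuilt explicitly.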
Code execution before the prompt (Check Point Research). Back in February 2026, Check Point Research disclosed two related flaws. CVE-2025-59536 allowed remote code execution through malicious hooks planted in a repository’s configuration file — code that ran before the user ever saw a trust dialog. CVE-2026-21852 allowed API-key extraction by overwriting a single environment variable, redirecting authenticated traffic to attacker infrastructure before any consent prompt appeared. The trigger was as small as opening and cloning an untrusted repository. To Anthropic’s credit, it closed both after disclosure — proof the company is responsive when a problem is framed in terms it accepts.
The source leak that became a lure. Separately, reporting from all-about-security and others describes a packaging error that exposed unencrypted TypeScript source from Claude Code online. That leak is now being used as raw material for social-engineering campaigns: convincing fake GitHub repositories that ride the tool’s credibility to push trojans to developers who think they are cloning something legitimate. A separate flaw, SecurityWeek noted, surfaced within days of the leak — bad actors move fast when the blueprints are public.
The pattern: your config files are executable
Strip away the specifics and the through-line is the same in all three. A configuration file or a repository artifact that a security team would file under “settings” is actually a live execution path — a place where someone else’s instructions get to run, route, or redirect with your tool’s authority.
If you have met Adversary-in-the-Middle phishing, this will feel familiar. In AiTM, the attacker does not steal your password; they slip between you and the real service, wait for a successful login, and lift the session token that proves it. The Claude Code token chain works the same way — except AiTM targets browser sessions, and this targets a developer tool. That is not a mitigating detail. It is the aggravating one. Developer agents live closer to the source code, the internal APIs, the cloud infrastructure, and the production systems than a browser ever does. A stolen browser session is bad. A stolen, long-lived token for your source-control and ticketing systems, exfiltrated invisibly, is a different order of problem.
The uncomfortable part
Anthropic’s “out of scope” reasoning on the Mitiga chain follows a logic security professionals will recognize and most will reject. Consenting to install a package is not consenting to that package rewriting an AI tool’s routing configuration and intercepting your SaaS credentials. Taken to its conclusion, that stance places the entire weight of supply-chain security on the individual developer — and that is not a defensible security model for a tool sitting this close to production.
The fair counterweight: the npm post-install hook is a known, industry-wide supply-chain risk class, not something Anthropic invented, and the Check Point fixes show the company moves when the framing lands. But storing long-lived tokens in plain text, in a file that doubles as the traffic router, is a design decision that turns a generic ecosystem risk into a specific, high-value one. Whether a patch for the Mitiga path ever ships is an open question. The practical answer is not to wait for it.
This is not only a Claude Code problem
It would be a mistake to read this as “Claude Code is uniquely unsafe.” The opposite is closer to the truth. Every agentic developer tool that combines local configuration, third-party integrations, and the authority to act on your machine inherits this same shape of risk — the convenience and the vulnerability are the same surface. Claude Code is in the headlines because it is popular and because serious researchers looked closely. Assume the rest of the category has comparable corners that simply have not been probed yet, and treat your whole agentic toolchain accordingly.
The playbook: what to do now
For teams running Claude Code — or any coding agent — in production:
- Patch and update first. Make sure Claude Code is current; the Check Point CVEs are fixed in recent versions. This is the cheapest win and it closes two of the three doors.
- Monitor ~/.claude.json as a detection layer. Treat unexpected changes — new localhost proxy addresses, unknown external endpoints in the MCP server list, altered OAuth-refresh behavior — as an alarm, not noise. Most organizations never watch user-level config files in dev environments. That has to change.
- Treat npm post-install hooks as elevated risk. Review what runs during package installation in your dev pipelines, and consider a standing review requirement for any package that ships post-install scripts — across all developer tools, not just this one.
- Audit and rotate integration tokens — but clean the host first. Rotate the OAuth tokens for any Claude Code integration (GitHub, Jira, Confluence, and the rest) that was active while an untrusted package may have been installed. Critical caveat from Mitiga: rotation alone does not break the chain if the malicious hook is still present — it will simply re-capture the new tokens on the next refresh. Remove the hook and clean the config, then rotate.
- Enforce least privilege on MCP. Connect each service with the narrowest scope that works, audit active permissions regularly via /permissions, and disconnect integrations you are not actively using. Every connector is a credential someone can steal.
- Sandbox and isolate sessions. Run agent sessions in constrained environments, keep production secrets out of reach of the developer workstation, and review suggested changes before approval — Anthropic’s own security guidance points the same way.
- Verify provenance before you clone. The source-leak lure works on trust; treat unfamiliar repositories, especially ones that invoke a popular tool’s name, with suspicion.
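For the monitoring item in the playbook, an added example (not Anthropic's tooling) that fingerprints the MCP routing section of ~/.claude.json and flags loopback proxies, plaintext endpoints and hosts outside an allowlist; the sample config and hostnames are constructed, and the key layout is an assumption to check against your version of the file.

```python
"""Audit the MCP routing section of a Claude Code ~/.claude.json (added example, not Anthropic's
code). Assumes a top-level "mcpServers" map of name -> {"url": ...} for remote servers and
name -> {"command": ..., "args": [...]} for local ones; adjust keys to your version's layout."""
import hashlib
import json
from urllib.parse import urlparse

LOOPBACK = {"localhost", "127.0.0.1", "::1"}
# Hosts you knowingly connected (allowlist). Placeholder names, not real endpoints.
KNOWN_HOSTS = {"github-mcp.example.com", "atlassian-mcp.example.com"}

# Constructed sample: "jira" is rerouted through a local relay, "notes" points at an unknown host.
SAMPLE_CONFIG = json.loads("""{
  "mcpServers": {
    "github": {"type": "http", "url": "https://github-mcp.example.com/mcp"},
    "jira":   {"type": "http", "url": "http://127.0.0.1:8899/mcp"},
    "notes":  {"type": "sse",  "url": "https://unknown-relay.example/sse"},
    "local":  {"type": "stdio", "command": "node", "args": ["./tools/server.js"]}
  }
}""")


def audit_mcp_servers(config: dict, known_hosts: set) -> list:
    """Return one finding per MCP server whose routing deserves a look."""
    findings = []
    for name, spec in config.get("mcpServers", {}).items():
        url = spec.get("url")
        if url is None:  # local server: no URL, but the command is still code that runs
            findings.append(f"{name}: local command {spec.get('command')!r}, review manually")
            continue
        parts = urlparse(url)
        host = parts.hostname or ""
        if host in LOOPBACK:
            findings.append(f"{name}: routed through loopback proxy {url}")
        elif parts.scheme != "https":
            findings.append(f"{name}: plaintext endpoint {url}")
        elif host not in known_hosts:
            findings.append(f"{name}: unrecognized external host {host}")
    return findings


def routing_fingerprint(config: dict) -> str:
    """Stable hash of the routing section; store it and compare on every run to catch rewrites."""
    canon = json.dumps(config.get("mcpServers", {}), sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canon.encode()).hexdigest()


if __name__ == "__main__":  # load the real ~/.claude.json into `config` to audit your own machine
    print("routing fingerprint:", routing_fingerprint(SAMPLE_CONFIG))
    for line in audit_mcp_servers(SAMPLE_CONFIG, KNOWN_HOSTS):
        print("ALERT", line)
```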
My take, as someone who lives in these tools
I am not writing this from the sidelines. My entire publishing and product portfolio is built through agentic sessions wired to exactly the integrations these attacks target. That is what makes the conclusion clear rather than abstract: the discipline that makes an agentic build resilient is the same discipline that makes it safe. Treat the agent’s configuration as production code, because it is. Assume the host is hostile. Give each connector the least power it can do its job with, watch the files that route your trust, and rotate credentials like you mean it.
The promise of these tools is that they collapse the distance between intent and shipped software. The lesson of this reckoning is that the same collapsed distance runs in both directions — toward your repositories, your tickets, your cloud, and your production keys. Build like your coding agent can be turned against you on a quiet Tuesday, and it mostly won’t be. Assume it never can, and one rewritten config file is all it takes.
© 2026 Thorsten Meyer.
Sources and further reading
- Computerwoche — Claude Code hat ein Sicherheitsproblem (Anjali Gopinadhan Nair)
- Mitiga Labs — Claude Code MCP token theft via MITM
- Check Point Research — RCE and API-token exfiltration through Claude Code project files
- NVD — CVE-2025-59536 · CVE-2026-21852
- SecurityWeek — Claude Code OAuth tokens can be stolen through stealthy MCP hijacking
- all-about-security — npm packaging error used for a malware campaign via GitHub
- Anthropic — Claude Code security documentation