SecurityWeek: Claude Code vulnerability could let attackers intercept OAuth tokens

Claude Code is an agentic coding tool — not just autocomplete, but software that can use tools, call services, and act across a project. That power is the whole appeal. It is also the problem. On May 7, SecurityWeek detailed Mitiga Labs research showing that an attacker who can tamper with a developer machine can quietly reroute Claude Code’s MCP traffic, intercept OAuth tokens, and keep access to connected SaaS systems. (anthropic.com) ### What is MCP here? MCP — Model Context Protocol — is the plumbing that lets an AI client talk to outside tools and data sources through MCP servers. Anthropic introduced it as an open standard for connecting assistants to systems like GitHub, Google Drive, Slack, and databases. In plain English, it is the bridge between the model and the real-world services the model can use. (anthropic.com) ### Why are OAuth tokens the real prize? OAuth tokens are what let those connected services trust the agent without asking for a password every time. If the token has broad scope, stealing it is basically like stealing a signed permission slip that works across the toolchain. SecurityWeek’s write-up frames the token as the dangerous part for exactly that reason(anthropic.com)e. (securityweek.com) ### So what did Mitiga say the attacker does? The attack is not “ask Claude nicely and it leaks secrets.” It is lower-level than that. Mitiga’s path starts with the attacker getting code onto a machine where Claude Code is already configured with dynamically authorized MCP servers. The reported route uses a tailo(securityweek.com)g appears later, and then edits the global Claude config file at `~/.claude.json` to replace or augment the MCP server entry with an attacker-controlled proxy. (securityweek.com) ### Why is that stealthy? Because the user may never see a fresh prompt. SecurityWeek says the hook can set the trust dialog flag to true in advance, which means opening the directory later does not trigger the normal warning. Then the modified config quietly sends MCP requests through the attacker’s infrastructu(securityweek.com) ### Is this really a Claude Code bug? Sort of, but the bigger story is agent architecture. Claude Code is designed to execute across a toolchain, and Anthropic openly markets that breadth as a feature. MCP is also intentionally general-purpose. The catch is that any system built to act across many services create(securityweek.com)ct, but it is also about the shape of agent systems in general. (anthropic.com) ### What has to be true for the attack to work? The attacker needs a foothold on the developer machine — enough to install the malicious package and modify local state. This is not a remote internet worm. But that should not feel comforting. Developer endpoints already run package managers, local agents, IDE extensions, and build scripts with a lot of trust. If one of (anthropic.com)ssions becomes a very attractive second-stage target. (securityweek.com) ### Why does this matter beyond one token? Because Claude Code is meant to operate across many systems in one session. Anthropic’s own product pages emphasize codebase access, CLI use, CI workflows, and external tools. In that setup, a single intercepted token can be the first domino — repo access, CI access, iss(securityweek.com)ng a best practice and starts looking like the only thing between a local compromise and a much bigger incident. (anthropic.com) ### Bottom line? The useful mental model is not “Claude Code got hacked.” It is “agent bridges turn local trust mistakes into cross-system access.” This report makes that concrete. If your coding agent can touch everything, its tokens matter like production credentials. (securityweek.com)