Claude Code OAuth Token Hijacking Attack: How Hackers Exploit MCP Traffic to Steal OAuth Tokens
A new attack chain targeting Anthropic’s Claude Code ecosystem has been uncovered by Mitiga, showing how hackers exploit Model Context Protocol (MCP) traffic to hijack OAuth authentication tokens. The Claude Code OAuth token hijacking attack uses a man-in-the-middle (MitM) approach on MCP to steal tokens from insecure local configuration files (~/.claude.json). For any enterprise SaaS relying on Claude Code, this is not abstract: hijacked tokens mean persistent, unauthorized access to cloud environments. This post explains the technical mechanics of the attack, why OAuth token theft is so dangerous, and lays out actionable steps for developers and security leads to lock down their environments now.
What is the Claude Code OAuth token hijacking attack?
The Claude Code OAuth token hijacking attack is a targeted man-in-the-middle exploit aimed at Anthropic’s Claude Code developer ecosystem. Attackers intercept MCP traffic—the internal protocol Claude Code uses to manage context for code-assist sessions—and capture sensitive OAuth authentication tokens exchanged between the Claude tool and connected enterprise SaaS services. The weak spot: tokens are stored locally in a plain configuration file (~/.claude.json) with minimal protection. By abusing this design, adversaries capture, replay, and persist tokens, granting themselves stealthy, ongoing access to business-critical SaaS platforms even after standard session timeouts.
Per Mitiga’s report, this attack requires a network position that allows traffic interception (classic MitM), but the payoff is high. Once inside, hackers can lift valid OAuth tokens from the MCP session data or through direct config file access, and use them as if they were a legitimate system user.
Direct answer for search:
The Claude Code OAuth token hijacking attack is a MitM technique where attackers intercept Model Context Protocol traffic or access local Claude Code configuration files, stealing OAuth authentication tokens to gain persistent, unauthorized access to enterprise SaaS platforms.
How does the Model Context Protocol (MCP) vulnerability enable this attack?
Model Context Protocol (MCP) is central to Claude Code’s operations. It mediates the flow of context, code suggestions, and authentication information between the developer’s system and Anthropic’s backend, and between local tools and third-party SaaS integrations. MCP is also the protocol through which OAuth tokens and other access credentials pass—sometimes in plaintext, or with only minimal local obfuscation.
Two weak points enable exploitation:
Insufficient encryption and validation across MCP traffic:
MCP sessions can be snooped by any actor with man-in-the-middle capability on the network. Tokens transmitted in MCP packets are not always strongly encrypted or signed; in some code paths, they move as bearer tokens. That means an attacker in the right position can simply extract valid OAuth tokens from the traffic.
Weak local storage in ~/.claude.json:
Claude Code caches tokens and session state in a local file—~/.claude.json. By default, this file is not locked down with restrictive permissions, nor protected by at-rest encryption. Any malware or local attacker with code execution can read it and exfiltrate tokens. Worse, those tokens may not be immediately invalidated if stolen.
Attack flow step-by-step:
1. Attacker positions themselves on the same network or compromises a developer workstation.
2. Attacker intercepts MCP traffic sent during code-assist requests.
3. Tokens are extracted from live network packets or the local ~/.claude.json file.
4. Attacker replays or submits the hijacked OAuth token to the target enterprise SaaS platform.
5. Persistent access is maintained until tokens are explicitly revoked.
Because MCP is part of the tool’s core architecture, and its traffic contains high-value session data, the blast radius of one compromised endpoint is enterprise-wide.
[[DIAGRAM: Attack flow from MCP traffic interception or local config file access to OAuth token theft and SaaS persistence.]]
Direct answer:
The Model Context Protocol (MCP) vulnerability in Claude Code allows attackers to intercept MCP traffic or scrape the unprotected local configuration file (~/.claude.json), enabling straightforward theft and reuse of OAuth authentication tokens for unauthorized SaaS access.
What are the risks of OAuth token theft for enterprise SaaS platforms?
An OAuth token is an authentication artifact that represents delegated access to sensitive SaaS APIs and resources. Stealing one means inheriting the original user’s privileges—sometimes without detection. For enterprise targets, that equates to near-total compromise.
Three critical risks arise:
Persistent unauthorized access:
Many OAuth tokens issued to developer tools have broad scopes and long lifetimes. Hijacked tokens can be used to access resources far beyond the original session window, especially if not bound to specific device fingerprints.
Privilege escalation and lateral movement:
An attacker with one token often gains the ability to access further tokens or escalate privileges, especially if the original user is an admin or has access to sensitive configuration data.
Enterprise data exposure and operational disruption:
Attackers may exfiltrate code, customer data, infrastructure secrets, or introduce malicious changes invisible to normal monitoring.
In this scenario, session expiration is not enough. As long as a token is valid and unrevoked, the attacker maintains a shadow presence.
Direct answer:
Hijacked OAuth tokens from Claude Code allow attackers persistent, privileged access to enterprise SaaS platforms, creating risks of data exfiltration, privilege escalation, and ongoing unauthorized control, with potential to disrupt operations and compromise sensitive information.
How can developers detect and prevent Claude Code OAuth token hijacking?
Preventing OAuth token hijacking in Claude Code means addressing both network- and endpoint-level exposures. Developers must audit every path that MCP traffic and config files take through their systems.
1. Monitor for anomalous MCP traffic
- Use network intrusion detection systems (IDS) to monitor for unusual MCP traffic patterns in and out of developer workstations.
- Establish baselines for MCP session metadata and alert on deviations or unknown destinations.
2. Harden ~/.claude.json permissions
- Set permissions on ~/.claude.json to 0600 (owner read/write only).
- Regularly audit the local filesystem for copies or backups of the config file in unexpected locations.
# Secure the Claude Code config on Unix-like systems
chmod 600 ~/.claude.json
3. Encrypt sensitive token storage
- If the tool or system supports it, store tokens using secure local keychains or at-rest encryption tools.
- Consider using environment variables to supply short-lived tokens, avoiding persistent storage.
4. Enforce strong token revocation and re-issuance policies
- Periodically rotate OAuth tokens and configure auto-revocation after a preset interval.
- Register and monitor refresh activity — revoke tokens not seen to be in active use or issued to unusual locations.
5. Segment networks and enforce TLS everywhere
- Restrict Claude Code workstation network access to trusted segments.
- Mandate end-to-end TLS on all MCP communications; detect any plaintext traffic and investigate immediately.
6. Monitor local file and process activity
- Use endpoint detection tools (EDR) to alert on unexpected reads of ~/.claude.json or similar config files.
If available, follow any official guidance released by Mitiga (the original researchers) and Anthropic, and subscribe to updates on remediations as the ecosystem matures. Implementations will vary, but skipping any of these surfaces means leaving a backdoor open.
Direct answer:
Detect and prevent Claude Code OAuth token hijacking by monitoring MCP traffic for anomalies, restricting and auditing local config file access (~/.claude.json), encrypting stored tokens, enforcing regular token revocation, and ensuring end-to-end network security.
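The token-activity review from step 4 can be run over a SaaS provider's audit log. The following is an added example, not code from Mitiga or Anthropic; the event fields (token_id, source_ip, time), the baseline network and the 14-day idle threshold are assumptions, and the log entries are constructed.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

def review_tokens(events, baseline_cidrs, now, max_idle=timedelta(days=14)):
    """Return {token_id: [reasons]} for tokens to revoke or investigate."""
    nets = [ipaddress.ip_network(c) for c in baseline_cidrs]
    last_seen, reasons = {}, {}
    for ev in sorted(events, key=lambda e: e["time"]):
        tid, src = ev["token_id"], ipaddress.ip_address(ev["source_ip"])
        last_seen[tid] = ev["time"]
        if not any(src in net for net in nets):
            msg = f"used from {src}, outside baseline networks"
            if msg not in reasons.setdefault(tid, []):
                reasons[tid].append(msg)
    for tid, seen in last_seen.items():
        idle = now - seen
        if idle > max_idle:  # not in active use: candidate for revocation
            reasons.setdefault(tid, []).append(f"idle for {idle.days} days")
    return reasons

def demo():
    """Run the review over constructed SaaS audit-log events."""
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)  # constructed "current" time
    def ev(tid, ip, days_ago):
        return {"token_id": tid, "source_ip": ip, "time": now - timedelta(days=days_ago)}
    events = [  # constructed; token_id is an opaque label, never the secret
        ev("tok-dev1", "198.51.100.10", 3),
        ev("tok-dev1", "203.0.113.77", 1),   # same token, unfamiliar network
        ev("tok-dev1", "203.0.113.77", 0.5),
        ev("tok-ci", "198.51.100.20", 30),   # valid but unused for a month
        ev("tok-dev2", "198.51.100.11", 2),
    ]
    return review_tokens(events, ["198.51.100.0/24"], now)

if __name__ == "__main__":
    for token_id, why in demo().items():
        print(token_id, why)
```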
[[COMPARE: insecure default Claude Code config vs secured/monitored deployment]]
How to use Claude Code securely today to protect OAuth tokens
Securing Claude Code against this attack means making a few non-negotiables part of every deployment and developer workflow. Here’s how to apply best practices right now:
1. Lock down ~/.claude.json:
- Set strict file permissions immediately:
chmod 600 ~/.claude.json
- Regularly verify using:
ls -l ~/.claude.json
# Should output: -rw------- ...
- Store files only in the user’s home directory on encrypted disks where possible. Avoid cross-sharing config files through version control or messaging tools.
2. Audit for exposed tokens in the environment:
- Use simple scripts or open-source tools to scan the home directory for cached tokens:
grep -rnw ~/.claude.json -e 'token'
- Schedule regular scans in CI or via EDR solutions to spot accidental leaks.
3. Rotate and revoke tokens tightly:
- Set up automated or policy-driven OAuth token rotation via your SaaS provider.
- Add revocation logic to deployment scripts — expiration isn’t enough.
4. Require network TLS for every Claude Code integration:
- Check the MCP connection configuration to ensure no plaintext endpoints:
# Only https:// endpoints should appear in Claude settings, never http://
grep 'endpoint' ~/.claude.json
5. Isolate Claude Code execution environments:
- Prefer running Claude Code and similar tools inside sandboxed containers (e.g., with Docker), minimizing lateral file access and process scope.
- Limit network access using local firewall rules—allow only whitelisted SaaS endpoints.
6. Train and enforce security workflows:
- Add chmod 600 ~/.claude.json as a pre-flight or onboarding task for every developer.
- Incorporate local config audits and token rotation checks into engineering checklists.
Direct answer:
To use Claude Code securely and protect OAuth tokens now, developers should restrict permissions on ~/.claude.json, encrypt token storage, monitor and rotate tokens, enforce TLS on all connections, and run regular environment audits to minimize token exposure.
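The permission, cached-token and plaintext-endpoint checks from steps 1, 2 and 4 (and from the earlier "Harden ~/.claude.json permissions" item) can be combined into one audit that never prints token values. This is an added example, not code from Anthropic or Mitiga; the page does not document the file's layout, so the key names in the sample config are assumptions and the sample itself is constructed.

```python
import json
import os
import stat
import tempfile

def audit_config(path):
    """Return findings for a JSON config: loose mode, http:// URLs, stored tokens."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:  # any group/other bit is looser than 0600
        findings.append(f"permissions {mode:04o} allow group/other access; expected 0600")
    with open(path, encoding="utf-8") as fh:
        data = json.load(fh)
    def walk(node, trail):
        if isinstance(node, dict):
            for key, value in node.items():
                walk(value, trail + [str(key)])
        elif isinstance(node, list):
            for i, value in enumerate(node):
                walk(value, trail + [str(i)])
        elif isinstance(node, str) and node:
            where = ".".join(trail)
            if node.lower().startswith("http://"):
                findings.append(f"plaintext endpoint at {where}")
            if trail and "token" in trail[-1].lower():
                # Report location and length only; never echo the secret itself.
                findings.append(f"token in cleartext at {where} ({len(node)} chars)")
    walk(data, [])
    return findings

def demo():
    """Audit a constructed config at mode 0644, then again after chmod 600."""
    sample = {"servers": {  # constructed; key names are assumptions
        "tracker": {"endpoint": "http://mcp.example.internal/sse",
                    "accessToken": "constructed-not-a-real-token"},
        "docs": {"endpoint": "https://docs.example.internal/mcp"}}}
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, ".claude.json")
        with open(path, "w", encoding="utf-8") as fh:
            json.dump(sample, fh)
        os.chmod(path, 0o644)
        before = audit_config(path)
        os.chmod(path, 0o600)
        return before, audit_config(path)

if __name__ == "__main__":
    for label, result in zip(("0644", "0600"), demo()):
        print(label, result)
```

Tightening the mode clears only the permission finding; the cleartext token and the http:// endpoint remain until the storage and endpoint settings themselves are changed.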
Takeaway — persistent SaaS compromise is one attack away
The Claude Code OAuth token hijacking attack is more than a theoretical vector—it's a persistent, hard-to-detect compromise made possible by weak local protections and unencrypted MCP traffic. Any enterprise relying on Claude Code must treat OAuth token security as a first-class priority. Act now: lock down your config files, scrutinize every network packet, audit token stores, and rehearse revocation workflows. The tools for secure configuration exist; the only missing ingredient is vigilance.
When model and tooling turnover is constant, protecting the durable links in your stack—authentication, configuration files, real network boundaries—is what keeps your real assets safe. Don’t let a credential in a forgotten dotfile unravel your SaaS perimeter.