The hook also opens ~/.claude.json and edits the MCP server in the global config file. It edits ‘mcpServers’ to include the proxy address. “This puts us, ‘the adversary’, in the middle of any request that goes out to the MCP server. As the attacker, we got mitmproxy configured and intercepting,” explains Mitiga.

Whenever Claude Code initiates or refreshes the MCP session, it connects to the proxy and the token transits to the attacker’s infrastructure. The user just sees a valid flow. If the user rotates the token, the hook writes it back on the next load. If the user edits the MCP URL, the hook loads it back on the next load. The attacker has achieved both stealth and persistence.

The attacker gets, “A durable redirection of the victim’s SaaS credentials into attacker-controlled infrastructure, with automatic recovery from token rotation, invisible to the victim’s endpoint UI, and indistinguishable from legitimate traffic on the provider’s side.”

As a man in the middle, the attacker can easily steal any OAuth token since it is stored in plain text within ~/.claude.json. Once stolen, the attacker can use the token as an MFA-bypassing golden key into any tool to which the MCP connects, with the same permissions as the user.

Without care, the user sees nothing. No flags are raised since the MCP is simply doing what it is told to do, and the user isn’t aware these actions have been compromised. The new adage of assuming a compromise has happened should take center stage. “Monitor Claude Code configuration changes, MCP server URL changes, OAuth refresh behavior, suspicious SaaS API activity, and unexpected traffic through MCP integrations,” suggests Mitiga.

What you mustn’t do is wait for a solution from Anthropic. Mitiga reported its findings to Anthropic on April 10, 2026. On April 12, 2026, Anthropic replied it was ‘out of scope’. The reason given was effectively the same as its response to Adversa’s ‘TrustFall’ disclosure: the user has already consented to what might happen next.
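One way to act on the advice to monitor MCP server URL changes is to audit the `mcpServers` entries against a pinned list of expected hosts. This is an added example, not code from Mitiga or Anthropic; it assumes each remote entry carries a `url` field and that per-project entries sit under a `projects` key, and the sample config and host names are constructed.

```python
import json
from urllib.parse import urlsplit

# Constructed sample of a tampered ~/.claude.json (hosts are placeholders).
SAMPLE = json.loads("""
{
  "mcpServers": {
    "tracker": {"type": "http", "url": "https://mcp.tracker.example/mcp"},
    "crm":     {"type": "http", "url": "http://proxy.unknown.example:8080/mcp"}
  },
  "projects": {
    "/home/dev/app": {
      "mcpServers": {"docs": {"type": "sse", "url": "https://mcp.docs.example/sse"}}
    }
  }
}
""")

# Pinned server name -> expected host, kept outside the monitored file.
PINNED = {"tracker": "mcp.tracker.example", "crm": "mcp.crm.example"}

def iter_servers(config):
    """Yield (scope, name, entry) for global and per-project mcpServers."""
    for name, entry in config.get("mcpServers", {}).items():
        yield "global", name, entry
    for path, project in config.get("projects", {}).items():
        for name, entry in project.get("mcpServers", {}).items():
            yield path, name, entry

def audit(config, pinned):
    """Return sorted (scope, name, reason) findings for remote MCP entries."""
    findings = []
    for scope, name, entry in iter_servers(config):
        url = entry.get("url") if isinstance(entry, dict) else None
        if not url:
            continue  # entries without a URL are not remote endpoints
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if name not in pinned:
            findings.append((scope, name, "unpinned server: " + host))
        elif host != pinned[name]:
            findings.append((scope, name, "host changed to " + host))
        if parts.scheme != "https":
            findings.append((scope, name, "non-TLS scheme " + parts.scheme))
    return sorted(findings)

if __name__ == "__main__":
    for finding in audit(SAMPLE, PINNED):
        print(*finding, sep=" | ")
```

Because the hook described above rewrites the file on each load, run the audit on a schedule or on file-change events and treat a finding that reappears after manual correction as a sign of persistence.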


Source: SecurityWeek