-
Security researchers mapped an attack chain comprising five steps that uses malicious package hooks to silently hijack Model Context Protocol traffic within the Claude Code application.
-
The exploit targets the plaintext data stored inside the local configuration file, redirecting communication streams through a proxy to steal active OAuth bearer tokens.
-
The stealthy hijacking method bypasses standard token rotation defenses, allowing outside attackers to maintain persistent, unverified access to connected corporate platforms like GitHub and Jira.
Security researchers have demonstrated a highly sophisticated, five-step attack chain that silently redirects data traffic from an advanced artificial intelligence assistant through rogue digital infrastructure.
The technical breakdown reveals that malicious actors can compromise Anthropic’s Claude Code command-line tool by exploiting its integration framework. The attack specifically targets the Model Context Protocol, which connects the artificial intelligence agent to external software ecosystems.
By intercepting this specific data flow, hackers can capture powerful authentication credentials without triggering any system alerts, and reports indicate that Anthropic does not plan to issue a software patch to fix the underlying behavior.
The vulnerability creates a massive blind spot for modern enterprise development environments that use automated programming utilities. Once a hacker successfully intercepts the connection, they gain persistent, broadly scoped access to a company’s most vital connected software-as-a-service platforms, including popular tools like Jira, Confluence, and GitHub.
Since the hijacked communication stream behaves normally on the surface, developers have no visual indication that an outside adversary is actively copying their corporate access keys.
The Secret Installation of Malicious Package Hooks
The entry point for this invisible intrusion relies on a classic software supply chain deception. Cybersecurity experts at Mitiga Labs discovered that attackers can hide the exploit inside a malicious node package manager package that is carefully designed to survive casual human inspection. When an unsuspecting programmer installs this tainted open-source component on their machine, a hidden post-installation lifecycle hook executes completely in the background.
This silent installation routine targets a single, highly critical configuration file located at a specific path on the local user directory, known textually as ~/.claude.json.
This specific file serves as the master control hub that dictates how the programming assistant routes all its protocol traffic and manages its digital signatures. More importantly, the system stores sensitive OAuth tokens inside this file in plain text, making them incredibly easy for background scripts to read and alter.
To prevent the developer from noticing the intrusion, the malicious hook immediately pre-populates common directory paths with pre-configured trust dialog flags set to true. Because the utility believes the user already gave explicit permission to trust those specific folders, the interface will never fire a security warning prompt when the programmer later opens those project files.
The Cybersecurity and Infrastructure Security Agency frequently warns software developers that automated installation scripts represent a top-tier threat vector, as a single unverified dependency can completely compromise a local workstation.
How the Proxy Server Intercepts Corporate Access Keys
The damage occurs when the developer attempts to connect their development tool (coders toolbox) to a corporate platform (e.g., GitHub, Atlassian). When connecting, the software automatically runs through its full authorization process, which provides the developer with continual permission to operate. But because the foul background hook changed the config files prior to this, the legitimate server destination addresses changed without any visible evidence to the developer.
The script substitutes the authentic endpoints with a localized proxy server controlled entirely by the attacker. As the authorization flow completes, the highly sensitive bearer tokens transit directly through the hacker’s intercepting infrastructure before reaching the real platform.
The cloud provider views the incoming data traffic as a completely valid transaction, and the local user experiences a smooth, functioning integration, while the thief walks away with a functional duplicate of the master login token.
These stolen credentials function as multi-factor authentication-bypassing keys; they allow outside threat actors to log into shared repositories and corporate databases with the exact same security permissions as the victim.
Security experts heavily emphasize that tracking credential abuse is a critical part of modern digital safety, as stolen tokens let criminals impersonate trusted employees without ever needing to break through corporate firewalls.
North Korean hackers have been using similar tactics. Researchers warn that malicious packages planted across open-source ecosystems are stealing credentials from unsuspecting developers.
Why Standard Token Rotation Fails to Break the Attack Chain
What makes this specific threat pattern exceptionally dangerous is its ability to survive standard corporate clean-up procedures. In a traditional security incident, a system administrator will simply rotate compromised credentials to lock out an intruder. However, because the malicious hook remains embedded inside the local development machine, it watches for these defensive changes.
If a developer generates a brand-new token or attempts to manually change their server paths back to the authentic settings, the persistent script instantly detects the modification. On the very next application boot or data refresh cycle, the hook automatically overwrites the clean settings and sends the fresh credentials straight back to the attacker’s database.
This continuous loop ensures that the threat group retains a permanent foothold inside the company’s development network regardless of basic password updates.
Because the software provider classified this specific exploit technique as out-of-scope for a traditional patch, development teams must build their own active defense layers. Security teams need to actively monitor local configuration files for unexpected adjustments and audit the background behavior of all open-source packages entering their systems.