{"id":220743,"date":"2026-05-27T03:25:07","date_gmt":"2026-05-27T07:25:07","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/27\/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking\/"},"modified":"2026-05-27T03:25:10","modified_gmt":"2026-05-27T07:25:10","slug":"claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/05\/27\/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking\/","title":{"rendered":"Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking"},"content":{"rendered":"<p><a href=\"https:\/\/www.securityweek.com\/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking\/\">Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking<\/a><\/p>\n<p><a href=\"https:\/\/www.securityweek.com\/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking\/\">https:\/\/www.securityweek.com\/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking\/<\/a><\/p>\n<p>Publish Date: 2026-05-07 10:33:06<\/p>\n<p>Source Domain: <a href=\"www.securityweek.com\">www.securityweek.com<\/a><\/p>\n<h3>OAuth token theft vulnerability in Claude Code<\/h3>\n<p>Mitiga Labs has exposed a critical vulnerability in the Claude Code agentic system, highlighting the risk of unauthorized OAuth token access. An attacker can execute a stealthy man-in-the-middle attack, enabling them to intercept and redirect output, including OAuth tokens, into their own infrastructure. This occurs if the attacker installs a crafted npm package that hooks into the system&#8217;s lifecycle events and modifies the main configuration file, ~\/.claude.json, to redirect MCP server traffic through the attacker&#8217;s own server. 
The consequences include seamless theft of OAuth tokens, because the tokens are stored in plain text; the stolen tokens can then be used to bypass MFA and access any integrated tool with the same permissions as the legitimate user. Mitiga Labs emphasizes that users must actively monitor their system activities to detect any unauthorized changes and warns that relying on a future solution from Anthropic is not advisable, given the company\u2019s reluctance to address the disclosed issues.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hijacking https:\/\/www.securityweek.com\/claude-code-oauth-tokens-can-be-stolen-through-stealthy-mcp-hijacking\/ Publish Date: 2026-05-07&#8230;<\/p>\n","protected":false},"author":1,"featured_media":220744,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.securityweek.com\/wp-content\/uploads\/2025\/11\/Claude-AI.jpeg","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[27],"class_list":["post-220743","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-vulnerability"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220743"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=220743"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/
index.php\/wp-json\/wp\/v2\/posts\/220743\/revisions"}],"predecessor-version":[{"id":220745,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/220743\/revisions\/220745"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/220744"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=220743"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=220743"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=220743"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}