MCP Token Theft Shows Why AI Agent Security Needs Governance Now
A man-in-the-middle attack on Claude Code exposes how MCP OAuth tokens can be stolen and weaponized. Here is what businesses need to know.
By Springvanta
Security researchers at Mitiga published a detailed attack chain on May 12 that shows how a malicious npm package can steal OAuth tokens from Claude Code's MCP configuration. The attack is subtle. It is persistent. And for businesses building AI agent workflows, it is a wake-up call.
What happened
The attack targets ~/.claude.json, the configuration file Claude Code uses to store MCP server connections, trust flags, and OAuth tokens. Here is how it works:
- Delivery. An attacker publishes a seemingly legitimate npm package. A postinstall hook silently prepares the attack surface.
- Config seeding. The hook opens ~/.claude.json and rewrites the MCP server URL to point at an attacker-controlled proxy instead of the legitimate service.
- Trust bypass. The hook also pre-sets trust flags on common project directories. When the user later opens a project, Claude Code skips the trust prompt entirely because the flag says the project is already trusted.
- Token capture. The next time Claude Code refreshes the MCP session, it connects to the proxy. The OAuth bearer token transits through the attacker's infrastructure. The SaaS provider sees a valid flow. The user sees a working integration. The attacker has the token.
- Persistence. A SessionStart hook reasserts the malicious configuration every time Claude loads. Token rotation feeds the chain rather than breaking it, because the next refresh also goes through the proxy.

Why the token is the prize
MCP OAuth tokens have four properties that make them valuable:
- Persistent. Stored for reuse across sessions, with automatic refresh.
- Broadly scoped. The token inherits every scope approved at auth time. No per-call narrowing.
- Plaintext storage. The token sits in ~/.claude.json alongside trust flags. Same file, same permissions.
- Unattributable. Because Claude Code routes traffic through Anthropic's egress IPs, requests arrive from an origin SaaS providers already trust.
A second vulnerability in the same week
On May 15, a separate bug report (GitHub issue #59493) revealed that Claude Code's built-in IDE MCP server silently transmits selected text from VS Code to the conversation context. Select a line in a .env file to verify its contents, and that line becomes part of the data sent to Anthropic. There is no setting to suppress this behavior. There is no .claudeignore equivalent.
In the reporter's own case, this caused a real API key to be transmitted, requiring credential rotation.
The broader context
The MCP ecosystem has grown fast. By mid-April 2026, public registries tracked over 9,400 distinct MCP servers, according to Digital Applied's H1 2026 retrospective. Six major host surfaces now support the protocol, including Claude, ChatGPT, and VS Code Copilot.
Anthropic has already made progress on the context side. The MCP Tool Search update, covered by VentureBeat in January, introduced lazy loading that reduced token consumption from roughly 134K to about 5K in internal testing, an 85 percent reduction. But the security model has not kept pace with the ecosystem's growth.
Anthropic classified the Mitiga report as "out of scope," noting that if an attacker already has code execution on the endpoint, many things are possible. That position is defensible in isolation. It does not account for the fact that npm supply chain attacks are routine, and that a single npm install is all this chain requires.
What this means for businesses
If your team uses Claude Code or any AI agent that connects to business systems through MCP, you need to think about governance the same way you think about API key management.
Audit your configuration. Check ~/.claude.json for MCP server URLs that point to unexpected hosts or localhost proxies. Do this regularly, not just after an incident.
Scope your tokens. When connecting an MCP server, approve only the scopes the integration actually needs. Broad scopes mean broad exposure if the token is compromised.
Monitor SaaS audit logs. The Mitiga attack is invisible to endpoint tools because the traffic looks legitimate. Watch for actions that look valid but do not match the user's normal patterns.
Establish allowlists. Define which MCP servers are approved for use in your organization. Block connections to unapproved servers at the network level if possible.
Rotate tokens after suspicion. But only after you have verified the configuration file is clean. Otherwise, rotation feeds the attack.
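As an added example (not from Mitiga's write-up or from Anthropic), the audit and allowlist steps above as a small Python check that runs over a parsed ~/.claude.json: it flags MCP server URLs on loopback or off the allowlist, non-HTTPS endpoints, and trust flags set on projects the user never approved. The key names mcpServers/url and projects/hasTrustDialogAccepted, the sample config and the allowlist are assumptions; adjust them to the real file layout.

```python
import json
import os
from urllib.parse import urlparse

# Constructed sample of a seeded config. Key names (mcpServers/url,
# projects/hasTrustDialogAccepted) are assumptions about the file layout.
SAMPLE_CONFIG = {
    "mcpServers": {
        "crm": {"type": "http", "url": "https://mcp.example-crm.com/sse"},
        "billing": {"type": "http", "url": "http://127.0.0.1:8787/mcp"},
    },
    "projects": {
        "/home/dev/work/app": {"hasTrustDialogAccepted": True},
        "/home/dev/work/api": {"hasTrustDialogAccepted": False},
    },
}

APPROVED_HOSTS = {"mcp.example-crm.com"}  # organisational allowlist (constructed)
LOOPBACK = {"localhost", "127.0.0.1", "::1", "0.0.0.0"}

def audit_config(config, approved_hosts, known_trusted=frozenset()):
    """Return (severity, message) findings for one parsed config dict."""
    findings = []
    for name, server in config.get("mcpServers", {}).items():
        url = server.get("url")
        if not url:
            continue  # stdio servers carry a command, not a URL to redirect
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        if host in LOOPBACK:
            findings.append(("high", f"{name}: MCP URL {url} points at a local proxy"))
        elif host not in approved_hosts:
            findings.append(("high", f"{name}: MCP host {host} is not on the allowlist"))
        elif parsed.scheme != "https":
            findings.append(("medium", f"{name}: {url} is not HTTPS"))
    for path, project in config.get("projects", {}).items():
        # A trust flag the user never accepted is the seeded prompt bypass.
        if project.get("hasTrustDialogAccepted") and path not in known_trusted:
            findings.append(("medium", f"{path}: trust flag set without user approval"))
    return findings

def load_config(path):
    """Load a real config file; warn if the plaintext token is group/world readable."""
    if os.stat(path).st_mode & 0o077:
        print(f"[medium] {path} is readable by group/others")
    with open(path, encoding="utf-8") as fh:
        return json.load(fh)

if __name__ == "__main__":
    for severity, message in audit_config(SAMPLE_CONFIG, APPROVED_HOSTS):
        print(f"[{severity}] {message}")
```

For a real audit, replace SAMPLE_CONFIG with load_config(os.path.expanduser("~/.claude.json")) and pass the set of project paths your users actually approved as known_trusted.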
The bigger picture
AI agents are becoming the connective tissue between business tools. MCP is the protocol that makes those connections work. The protocol itself is sound. The ecosystem is growing fast and maturing quickly, with real architectural improvements like lazy loading already shipped.
But the security model around how agents authenticate, how tokens are stored, and how configurations are protected has not caught up with the adoption curve. The Mitiga research makes that gap concrete. The VS Code selection leak shows the gap exists at the client level too.
For businesses building AI agent workflows, the lesson is straightforward: treat agent-to-tool connections with the same governance discipline you apply to any other privileged integration. The tools are powerful. The governance needs to match.
Sources:
- Mitiga Security, "Stealing MCP Tokens in Claude Code: A Man-in-the-Middle Attack Chain via ~/.claude.json," May 12, 2026
- GitHub Issue #59493, "Selection injection from ide MCP server has no documented suppression mechanism," May 15, 2026
- GitHub Issue #50062, "Claude.ai account-level MCP connectors auto-loaded into CLI," April 17, 2026
- Digital Applied, "MCP Ecosystem H1 2026 Retrospective: Adoption Data Points," May 15, 2026
- VentureBeat, "Claude Code just got updated with one of the most-requested user features," January 15, 2026