Claude Code OAuth Token Hijacking Attack: How Hackers Exploit MCP Traffic to Steal OAuth Tokens

A new attack chain targeting Anthropic's Claude Code ecosystem has been uncovered by Mitiga, showing how attackers can abuse Model Context Protocol (MCP) traffic to hijack OAuth authentication tokens. The chain combines a man-in-the-middle (MitM) position on MCP traffic with harvesting of tokens from Claude Code's local configuration file (~/.claude.json), which stores them with minimal protection. For any enterprise running Claude Code against its SaaS stack, this is not abstract: an OAuth token is a bearer credential, so whoever holds a stolen one gets persistent, unauthorized access to the services it authorizes for as long as the token (or an accompanying refresh token) remains valid. This post explains the technical mechanics of the attack, why OAuth token theft is so dangerous, and lays out actionable steps developers and security leads can take now to lock down their environments.

What is the Claude Code OAuth token hijacking attack?

The Claude Code OAuth token hijacking attack is a targeted man-in-the-middle exploit aimed at Anthropic's Claude Code developer ecosystem. Attackers intercept MCP traffic, the protocol Claude Code uses to talk to external tool servers and the enterprise SaaS services behind them, and capture the OAuth tokens exchanged between the Claude Code client and those services. The weak spot: Claude Code persists those tokens in a plain JSON configuration file (~/.claude.json) on the developer's machine, in plaintext and protected by nothing more than ordinary file permissions. Because an OAuth access token is a bearer credential, an adversary who captures one on the wire or reads it from disk can replay it from any host, and if a refresh token is captured alongside it can mint new access tokens at will, keeping stealthy, ongoing access to business-critical SaaS platforms even after the original session has timed out.
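One check a practitioner can run right now, as an added example that is not part of Mitiga's research or Anthropic's code: audit ~/.claude.json for the three exposures the paragraph above describes, namely bearer tokens sitting in plaintext, MCP servers reachable over cleartext http:// (the page does not say which transport was intercepted; an unencrypted URL is simply the most obvious place a MitM lands), and a file mode looser than 0600. The configuration layout, field names and token value below are a constructed sample, not Claude Code's documented schema, so the scan walks the JSON generically and keys off credential-like field names rather than assuming a fixed structure.

```python
"""Audit a Claude Code config file for OAuth-token exposure.

Added illustrative example, not Mitiga's tooling or Anthropic's code.
The SAMPLE_CONFIG layout is constructed; the real ~/.claude.json may
differ, which is why the scan is schema-agnostic.
"""
import json
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic list of key names that usually hold bearer credentials (assumption).
TOKEN_KEY_RE = re.compile(
    r"(access_?token|refresh_?token|id_?token|bearer|secret|api_?key)", re.I
)

# Constructed sample config; field names are illustrative, not the documented schema.
SAMPLE_CONFIG = {
    "mcpServers": {
        "internal-wiki": {"type": "http", "url": "http://wiki.corp.example:8080/mcp"},
        "tickets": {"type": "http", "url": "https://tickets.example.com/mcp"},
        "local-fs": {"type": "stdio", "command": "npx", "args": ["-y", "@example/fs-server"]},
    },
    "oauth": {
        "tickets": {"access_token": "constructed-example-token-value", "expires_at": 1900000000}
    },
}


def walk(obj, path=""):
    """Yield (json_path, leaf_value) for every leaf in a nested JSON structure."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            yield from walk(value, f"{path}.{key}" if path else key)
    elif isinstance(obj, list):
        for idx, value in enumerate(obj):
            yield from walk(value, f"{path}[{idx}]")
    else:
        yield path, obj


def find_plaintext_tokens(config):
    """Paths whose final key looks like a credential and whose value is a non-empty string."""
    return [
        path for path, value in walk(config)
        if isinstance(value, str) and value and TOKEN_KEY_RE.search(path.rsplit(".", 1)[-1])
    ]


def find_cleartext_mcp_servers(config):
    """Names of MCP servers configured with a plain http:// URL, i.e. interceptable on the wire."""
    servers = config.get("mcpServers", {})
    return [
        name for name, spec in servers.items()
        if isinstance(spec, dict) and str(spec.get("url", "")).lower().startswith("http://")
    ]


def file_mode_findings(path):
    """Flag a config readable by group or others; a file holding tokens should be mode 0600."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return [] if mode & 0o077 == 0 else [f"{path} is mode {mode:04o}; expected 0600"]


def audit(path):
    """Run all three checks against a config file and return the findings by category."""
    with open(path) as fh:
        config = json.load(fh)
    return {
        "plaintext_tokens": find_plaintext_tokens(config),
        "cleartext_mcp_servers": find_cleartext_mcp_servers(config),
        "file_mode": file_mode_findings(path),
    }


def audit_sample(mode=0o644):
    """Write the constructed sample to a temp dir with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / ".claude.json"
        path.write_text(json.dumps(SAMPLE_CONFIG))
        os.chmod(path, mode)
        return audit(str(path))


if __name__ == "__main__":
    for category, findings in audit_sample().items():
        for finding in findings:
            print(f"[{category}] {finding}")
```

Point `audit()` at the real `~/.claude.json` to run it against a live workstation; any hit in `plaintext_tokens` is a credential that anyone with read access to the file, or a backup of it, can replay.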