What researchers discovered
Final week, researchers at Mitiga Labs printed an assault chain that ought to concern each safety staff whose builders use Claude Code. The assault begins with a malicious npm bundle — one thing that appears like a reliable utility or wrapper. Hidden inside is a post-install hook that runs silently throughout set up. That hook rewrites a single file: ~/.claude.json.
That file is the management level for a way Claude Code routes MCP visitors. Change it, and you may level Claude Code’s authenticated requests to attacker-controlled infrastructure as a substitute of the reliable service. The OAuth tokens saved in that very same file get intercepted in transit. The attacker now holds legitimate, long-lived bearer tokens for each SaaS platform the developer had linked — Jira, Confluence, GitHub, no matter was built-in.
What makes this significantly tough to detect is what the audit logs appear like on the opposite finish. The IP handle within the supplier’s logs resolves to Anthropic’s egress vary. The consumer is actual. The session is legitimate. As Mitiga put it, nothing in that log row is mistaken — however nothing in it’s proper both. The consumer didn’t run the question. An attacker did, utilizing a token that was silently redirected earlier than it ever reached its supposed vacation spot.
Mitiga reported this to Anthropic on April 10. Anthropic responded on April 12 that the difficulty was out of scope, reasoning that the assault requires prior code execution by way of a bundle set up that the consumer consented to. As of this writing, no patch exists. The assault chain is dwell.
