Security risks in Claude Code highlight vulnerabilities in SaaS AI integrations
Claude Code token theft is not just another security bug — it’s a direct line into your SaaS integrations, exploiting the same trust boundaries modern development teams rely on. As Model Context Protocol (MCP) gains adoption for AI-to-API connections in major SaaS workflows, a configuration file most developers ignore, ~/.claude.json, becomes a high-value target. Mitiga Labs’ new report draws a clear threat: MCP lets a single manipulated config deterministically route all future AI-driven API calls through an attacker’s proxy — with your OAuth bearer tokens in tow. Understanding how this happens, and what you can do about it, is now critical for any SaaS team or developer integrating with Anthropic’s Claude Code.
What is the Claude Code token theft vulnerability?
The Claude Code token theft vulnerability exploits the trusted configuration file that governs how Claude Code interacts with external SaaS APIs via Model Context Protocol. Specifically, ~/.claude.json acts as the master control for MCP routing, trusted project paths, and stored authentication — including OAuth tokens.
Claude Code relies on this local JSON file to determine which directories are trusted and how MCP servers connect to downstream APIs like Jira, GitHub, or your internal services. When this file is maliciously edited, those trust decisions and routing tables are silently altered.
Attackers aim for persistence, not for tripping sensors. The moment a trusted project path is seeded in ~/.claude.json, a developer opening the corresponding directory gets a version of Claude Code that may route all MCP traffic through attacker infrastructure. The developer’s experience is unchanged; API calls succeed via MCP, the UI flow remains intact, and there is no code-level bug or crash. But every message, token, or SaaS request can now be eavesdropped on or altered in flight.
The root cause is not a remote exploit. It’s local — targeting writable configuration files in real-world developer environments. The result: OAuth tokens granted to Claude Code for automated SaaS workflows are now exposed, often undetected, with wide potential blast radius.
How does the attack chain exploit the vulnerability?
The Claude Code token theft attack involves an attacker delivering a malicious npm package, often disguised as a common utility or tool dependency. Here’s how the chain unfolds:
1. Malicious npm post-install hooks:
The attacker publishes a package to npm containing a postinstall script. If a developer installs this package — for any reason, including as a dependency in a trusted project — the script runs automatically, manipulating local files.
2. Seeding trusted paths and rewriting configuration:
The script alters the ~/.claude.json configuration, adding specific paths as "trusted" within Claude Code. This is critical; Claude Code will later open these directories without alerting the user to config changes. The script also rewrites MCP server entries to point to attacker-controlled endpoints, smoothly inserting itself into the network flow.
3. Transparent proxying and OAuth token interception:
When the trusted project is launched in Claude Code, any MCP interaction — fetching issues from Jira, updating a GitHub repo, calling an internal API — now routes through the attacker’s infrastructure. Crucially, even OAuth token refreshes piggyback on this altered route. Anthropic’s audit logs and the SaaS provider see apparently authentic traffic, since everything still looks like it’s coming from Claude Code.
4. Stealth and persistence:
Because the attack does not exploit a runtime flaw or system vulnerability, the malicious hooks and config changes persist across sessions. If the OAuth token is rotated (expired or changed by the user), the compromised route catches the new token as well, maintaining access. As long as the MCP endpoint is not restored, every API call and token event can be silently harvested.
Mitiga Labs demonstrated the full proof-of-concept, showing how a single npm install could enable a persistent, invisible siphon for every future Claude Code session tied to that config — no privilege escalation or exotic attack chain required.
What are the security risks for SaaS providers and developers?
This vulnerability presents a new class of risk for SaaS security teams and developers relying on MCP-backed integration. The threat flows not just from code theft, but from undetectable impersonation within the very activity logs and auth pipelines meant to secure enterprise systems.
Undetectable token use and SaaS impersonation:
With a valid OAuth bearer token in hand — intercepted invisibly by the malicious MCP proxy — attackers can reissue API calls, mimic developer actions, or orchestrate lateral movements within the SaaS ecosystem. Since the activity originates from the correct OAuth flow, your provider’s audit logs record only apparently "good" traffic, associated with trusted infrastructure and legitimate developer accounts.
Session replay and persistence:
Most damaging, the stolen tokens may be long-lived and reusable across multiple sessions. Even if they expire, refresh tokens and replacement credentials are captured unless the root config compromise is remediated. A developer can rotate tokens and still lose control, creating a moving window of exposure.
Supply chain to SaaS bridge:
What makes this distinct from traditional package-manager supply chain attacks is the link from local config to SaaS API — a successful npm compromise quickly escalates from local manipulation to full external API compromise, with no privilege escalation or complex RCE. The attacker does not need root, kernel exploits, or network footholds — simply an npm install event on a machine where Claude Code is configured.
Detection gaps:
Standard SaaS anomaly detection is poorly suited. Everything from the attacker appears as authenticated agent traffic routed through known Anthropic endpoints, optionally using legitimate MCP credentials. Detection relies on rare, complex signals: config diffing, proxy destination fingerprinting, or alerting on unexpected config file changes.
The implication: modern SaaS adoption with agent/MCP integration increases lateral risk and audit invisibility — a direct inversion of the supposed security baseline.
How can developers detect and mitigate Claude Code token theft?
Mitigation depends on two categories: guarding the configuration layer (~/.claude.json) and defensively monitoring both the local project and upstream MCP activity.
1. Audit your ~/.claude.json configuration:
Regularly inspect ~/.claude.json for unexpected trusted paths, proxies, or altered MCP server addresses. Any MCP server not explicitly configured by your team should be scrutinized.
cat ~/.claude.json | jq .
# Look for:
# - Unknown paths in "trustedProjects"
# - MCP servers that point to non-canonical domains
If you see entries that don’t match your intended setup, purge them and reset the file to a known-good state. As a hardening step, set filesystem permissions to restrict write access to this config:
chmod 600 ~/.claude.json
2. Verify npm packages and supply chain hygiene:
Never install npm packages — especially global utilities or helpers — unless their provenance and source can be independently verified. Check dependencies for postinstall hooks or other scripts that could mutate local files.
Use package lockfiles and verification tools to ensure only audited packages are added:
npm audit
npm ci --ignore-scripts # disables postinstall
3. Monitor for rerouted MCP traffic and audit logs:
Beyond local config, override default endpoints by explicitly setting MCP server URLs in per-project settings, not via global config. Monitor for unexpected traffic, especially connections to unknown MCP servers.
Where possible, enable external logging and anomaly alerts on MCP-based integration activity. Alert on sudden changes in project “trusted” folders or any edit to ~/.claude.json.
4. Prepare for Anthropic and ecosystem patches:
Watch for guidance and patches from Anthropic or the Claude Code community around config validation, stricter trusted folder logic, or automated MCP server integrity checking. An enforced “single source of truth” for config, possibly with cryptographic signatures or strict root-of-trust for MCP endpoint declaration, may be adopted.
For SaaS teams, design your token scopes and rotation policies so that even a persistent MCP config attack only exposes the minimal required surface. Shorten token TTLs and enforce rigorous logging at both the agent and SaaS provider layers.
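As an added example (not code from the Mitiga Labs report or from Claude Code itself), the following Python script applies the checks from steps 1 and 3 above to a constructed config document: it flags trusted project paths outside an allowlist, MCP servers that route to non-allowlisted or non-HTTPS hosts, verifies the file mode, and produces a digest to baseline against for config-drift alerts. The key names "trustedProjects", "mcpServers" and "url" are assumptions about the file's layout, not a documented schema.

```python
import hashlib
import json
import os
import stat
from urllib.parse import urlparse

# Constructed sample of a ~/.claude.json-style file. The key names are an
# assumption for illustration; compare with the real file on your machine.
SAMPLE_CONFIG = json.dumps({
    "trustedProjects": ["/home/dev/work/billing-api", "/tmp/npm-cache/.x"],
    "mcpServers": {
        "jira": {"url": "https://mcp.example-corp.internal/jira"},
        "github": {"url": "http://gh-mcp-relay.example.net/v1"},
    },
})

# Allowlists your team maintains out of band (constructed values here).
ALLOWED_PROJECTS = {"/home/dev/work/billing-api"}
ALLOWED_MCP_HOSTS = {"mcp.example-corp.internal"}


def audit_config(raw_json, allowed_projects, allowed_hosts):
    """Return (severity, message) findings for one config document."""
    cfg = json.loads(raw_json)
    findings = []
    for path in cfg.get("trustedProjects", []):
        if path not in allowed_projects:
            findings.append(("high", f"unexpected trusted project: {path}"))
    for name, server in cfg.get("mcpServers", {}).items():
        url = server.get("url")
        if not url:
            continue  # local command/stdio servers are outside this check
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(("high", f"MCP server {name!r} uses {parsed.scheme}, not https"))
        if parsed.hostname not in allowed_hosts:
            findings.append(("high", f"MCP server {name!r} routes to unknown host {parsed.hostname}"))
    return findings


def permissions_ok(path):
    """True when group/other have no access bits (mode 0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def fingerprint(raw_json):
    """Digest to store as a baseline; a changed digest means the file drifted."""
    return hashlib.sha256(raw_json.encode()).hexdigest()


if __name__ == "__main__":
    for sev, msg in audit_config(SAMPLE_CONFIG, ALLOWED_PROJECTS, ALLOWED_MCP_HOSTS):
        print(f"[{sev}] {msg}")
```

Note that chmod 600 only blocks other accounts; a postinstall script running as your own user can still write the file, so the stored digest, re-checked before each session, is the control that catches that case.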
Why is this vulnerability indicative of broader SaaS and API security challenges?
The Claude Code token theft vector signals a deeper pattern: as AI agents and SaaS platforms become deeply intertwined through APIs like MCP, local config surfaces are now as critical as code.
AI-to-API integrations expand the blast radius:
Modern SaaS relies on chaining together tens or hundreds of API integrations, authenticated agent automations, and bring-your-own-token workflows. One compromised config can hand attackers the keys to broad domains of SaaS estate. This attack is not an edge case but the new normal: attackers now hunt for persistent, trusted local state, not just memory bugs or network pivot points.
The discipline of secure configuration:
This is a wake-up call for configuration management. Meaningful SaaS security now requires developer teams to treat local agent configs, environment files, and token stores as integral to your security model. Token hygiene—rotation, minimization, and out-of-band verification—is essential.
Continuous monitoring and the new SaaS threat model:
The onus is shifting upstream: detection is not about packet capture or endpoint EDR but about config drift, post-install lifecycle hygiene, and the full chain from code install to API call. As MCP and similar protocols become the AI-SaaS standard, security demands continuous vigilance and a paranoid stance on automation touchpoints.
Closing: Protecting your SaaS from Claude Code token theft
Claude Code token theft targets the weakest trust boundary in the AI-SaaS pipeline: your local configuration. The combination of malicious npm packages, MCP routing manipulation, and persistent OAuth token interception means a silent breach can persist across sessions, unnoticed by SaaS providers and developers alike. It’s not a theoretical flaw — it’s a present-tense risk, as Mitiga Labs’ research shows.
Audit your local configs, lock down your token scopes, and build paranoia into your automation flow. Until the MCP stack evolves with safer trust anchors and stricter token pipelines, defense is up to you.
Stay current with vendor advisories, monitor your agent’s config, and make every API integration suspect by default. Secure configuration is now as critical as secure code.