Claude Code security risks highlight vulnerabilities in local configs and integrations

Claude Code security vulnerabilities have emerged as a new high-priority risk for developers and security teams in June 2026. When a coding agent like Claude Code is installed on a developer's machine, it hooks into sensitive workflows and accesses source code, SaaS tokens, and internal repositories. The latest disclosures from Mitiga Labs and Check Point Research highlight how a single misstep—whether through npm package installs, loose MCP integrations, or permissive repo hooks—can expose long-lived OAuth tokens and open the door to remote code execution. Treating configuration as "just settings" is now a liability, and proactive mitigation is mandatory.

What are Claude Code security vulnerabilities?

Claude Code security vulnerabilities are weak points in how the agent runs on developer machines—focusing on local configuration files (~/.claude.json), Model Context Protocol (MCP) integrations, and repository hook logic. Each represents a vector where attackers can seize tokens or trigger execution in ways that standard endpoint security fails to see.

In June 2026, reports from Mitiga Labs and Check Point Research surfaced three distinct routes:

• Malicious package installs rewriting ~/.claude.json to redirect or intercept traffic and steal tokens.
• Compromised MCP integrations re-routing authenticated agent context and exposing cloud-connected credentials.
• Exploitable repository hooks giving attackers a live path to remote code execution.

Coding agents aren't sandboxed browser tools—they're first-class processes on a machine that may touch internal APIs, production environments, and organizational secrets. The real risk: an attacker who compromises agent config or workflow isn’t flagged as “external” by most systems. Activity happens under the developer’s real credentials, making detection drastically harder. Configuration that was once treated as passive is now an attack surface, and every integration is a trust boundary.

How do npm packages exploit Claude Code for token theft?

Malicious npm packages are actively exploiting Claude Code for token theft by targeting the user's local configuration file. According to Mitiga Labs, this exploit chain works as follows:

1. An attacker publishes or injects a malicious npm package.
2. Once installed—sometimes via dependency confusion or typosquatting—the package overwrites the ~/.claude.json file.
3. This rewrite points MCP (the Model Context Protocol endpoint Claude Code uses for agent connections) to an attacker-controlled server.
4. As Claude Code authenticates sessions to GitHub, Jira, Confluence, or similar connected services, OAuth tokens and API keys flow through the attacker’s interception point.
5. The attacker collects and reuses these long-lived tokens, emulating legitimate agent activity on the victim’s behalf.

This chain is currently described as live and unpatched by June 2026 sources. Anthropic’s own Claude Code security updates do not yet block or monitor changes to ~/.claude.json, and the agent does not warn if MCP is routed to a suspicious host. As a result, the risk extends to any machine that installs untrusted npm packages—even if the direct dependency isn’t obviously hostile.

The threat isn’t theoretical. Tokens for services like GitHub, Jira, and Confluence are all at risk, as detailed by Mitiga Labs. Because this attack moves via configuration, it bypasses many endpoint scanners: nothing runs as a privileged process, no obvious malware is dropped, and agent-led requests use valid credentials. Until Anthropic ships active monitoring or config hardening, the best defense is to audit your config and lock down your dependency sources.

What are the patched vulnerabilities reported by Check Point?

Check Point Research disclosed two major Claude Code vulnerabilities that have now been patched by Anthropic as of June 2026:

CVE-2025-59536: Repository hook remote code execution

• Attackers exploit a weakness in how Claude Code processes repository hooks. By injecting malicious logic, a user or bot can trigger shell execution on the developer’s machine as the agent runs.
• This enables full remote code execution—arbitrary commands running under the developer’s credentials, with access to local repo, SaaS tokens, and any system resource the agent reaches.

CVE-2026-21852: API key exfiltration via agent workflows

• Attackers use manipulations in agent-invoked API workflows, leaking stored keys that should only be accessible locally.
• The agent interacts with APIs in a way that allowed embedded secrets to be exfiltrated from the workflow context, again under the guise of legitimate traffic.

Anthropic patched both vulnerabilities after public disclosure. According to the available timeline, updates were issued following the reports, and both Check Point and upstream security news (SecurityWeek, all-about-security) confirmed the patch status as of June 2026. Developers running updated Claude Code versions are protected from these specific RCE and exfiltration exploits, but the live npm package config-chain exploit (see above) remains unpatched.

Takeaway: Run the latest Claude Code version, verify applied patches, and treat all repo hook automation as sensitive code—not as safe config dust.

How do MCP integrations increase attack surface in Claude Code?

MCP (Model Context Protocol) integrations are a convenience—until they’re not. An attacker who controls MCP routing or endpoint configuration in ~/.claude.json can intercept, rewrite, or replay authenticated traffic sent by Claude Code. This turns a developer’s machine into a credential proxy, letting the attacker:

• Eavesdrop or tamper with code context exchanged between agent and SaaS backends.
• Capture live OAuth tokens passed in MCP requests, with access to GitHub, Jira, Confluence, or internal APIs.
• Manipulate active sessions or inject new commands into the agent traffic flow.

These risks arise because MCP is often treated as an infrastructure detail—users and teams set it and forget it, trusting the endpoint or skipping scrutiny. But since Claude Code’s default behavior is to honor whatever MCP endpoint is set in config, a poisoned setting (via npm or manual misstep) means all agent traffic is exposed.

Best practices (if you’re integrating or securing Claude Code today):

# Always audit contents of ~/.claude.json after npm or pip installs
cat ~/.claude.json | grep mcp
# MCP endpoint should resolve to known, internal, or Anthropic-controlled domains
# Never allow agent config to point MCP at arbitrary hosts
# Enforce least-privilege network ACLs around MCP services

Defensive posture: treat every MCP integration as a route that could become hostile if reconfigured. Monitoring, network policy, and regular review of config matter more than ever.

How can developers protect themselves from Claude Code risks today?

To defend against Claude Code security vulnerabilities—both patched and live—developers and teams should enforce a defense-in-depth approach focused on configuration provenance, update discipline, and runtime monitoring:

1. Avoid untrusted npm packages and validate all dependency installs.

• Lock down project-level and global npm sources. Audit dependencies for typo/model-squatting patterns.
• Use npm audit and npm ls to identify surprise additions.
• Monitor for unexpected changes to ~/.claude.json after package installs.

2. Regularly update Claude Code and apply all Anthropic security patches.

• Check for updates after every security disclosure. Validate that patched versions are deployed across all developer environments.
• Subscribe to the official Claude Code and Anthropic advisory feeds.

3. Review and harden agent configuration files.

• Protect ~/.claude.json with OS-level permissions (chmod 600).
• Set up file integrity monitoring (e.g., inotify, auditd) to catch unauthorized edits.
• Pin MCP and token storage paths to known-good values, and reject changes from non-admin processes.

4. Secure and audit repository hooks.

• Treat every repo hook (pre-commit, post-merge, CI/CD trigger) as executable code—review them like application code.
• Restrict repo hook permissions and remove any unused or legacy automation.
• Enable runtime logging for hook execution events.

5. Employ network monitoring and restrict the agent’s network scope.

• Deploy intrusion detection or flow monitoring on agent-related traffic.
• Limit outbound connections from agent processes to trusted endpoints (MCP, SaaS APIs).
• Alert if agent contexts appear in unusual destinations or volumes.

6. Implement strict OAuth hygiene.

• Enforce multi-factor authentication where possible.
• Rotate OAuth tokens regularly, especially for high-privilege or agent-integrated accounts.
• Review granted scopes and revoke unused app authorizations.

Example: Secure ~/.claude.json and detect changes

# Ensure config is locked down
chmod 600 ~/.claude.json
# Monitor for unauthorized writes
auditctl -w ~/.claude.json -p wa

# Detect changes to MCP endpoint
cat ~/.claude.json | jq .mcpEndpoint

Further reading:

• Secure coding best practices for AI development environments
• How to protect OAuth tokens in developer workflows
• Guide to managing repository hooks securely

Takeaway: securing Claude Code is as much about reacting to new disclosure (patches, advisories) as it is about enforcing healthy baseline posture—controlled installs, config monitoring, and credential rotation.

Vigilance is the new default for developer machines

Claude Code security vulnerabilities are not abstract—they reach core dev workflows, source code, and SaaS tokens. As revealed in the June 2026 reports, the attack surface isn’t just theoretical: npm package abuses and MCP reroutes are live issues, while repo hook RCE and API key leaks are only off the table if you’ve updated. Security is a practiced discipline, not a checkbox. Defend every config file, validate every integration, rotate tokens, and subscribe to live advisories. Staying ahead of evolving agent-centric attacks means every developer is now part of the security team.