TL;DR
Security researchers have documented three Claude Code-related attack paths involving local config files, MCP integrations and repository hooks. Anthropic has patched two Check Point-reported CVEs, while a Mitiga Labs token-theft chain remains described as unpatched and out of scope by Anthropic, according to the source material.
Security researchers have reported three Claude Code-related attack paths that could expose developer tokens or enable code execution through local configuration files, MCP integrations and repository hooks in tools connected to GitHub, Jira, Confluence and internal services.
The reported issues center on the way Claude Code interacts with a developer’s local machine and connected services. According to the source material, Mitiga Labs described a supply-chain attack in which a malicious npm package can alter ~/.claude.json, redirect authenticated Model Context Protocol traffic and capture long-lived OAuth tokens for connected SaaS tools.
Separately, Check Point Research reported two vulnerabilities identified in the source material as CVE-2025-59536, described as remote code execution through repository hooks, and CVE-2026-21852, described as API-key exfiltration. Those issues are described as patched by Anthropic after disclosure.
The Mitiga Labs path is described differently: the source material says Anthropic treated the chain as out of scope because it relied on npm post-install behavior. Other security commentary cited in the source material says changes to an agent’s configuration can extend package-install risk to credential exposure through connected developer tooling. The source material does not provide exploit code and frames the disclosure as defensive security analysis.
Your Coding Agent Is an Attack Surface
● SecurityThree disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make — and the lesson applies to every agentic dev tool, not one.
The config files most teams treat as passive metadata are, in practice, active execution paths.
~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira, Confluence.How the unpatched Mitiga path works — at the level its researchers published. (Defensive overview, no exploit detail.)
~/.claude.json.For teams running Claude Code — or any coding agent — in production.
~/.claude.json/permissions; disconnect what you don’t use.Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.
Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.
Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.
Agent Tokens Carry Broad Access
The reported attack paths are relevant because coding agents are often connected to source repositories, issue trackers, documentation systems, cloud tools and internal APIs. An agent with valid MCP credentials may have access to source code, production-adjacent systems and developer secrets.
For engineering teams, the report identifies the workstation and toolchain around the model as security-relevant areas. Local config files, repository hooks and package install scripts can affect how an agent routes traffic, requests permissions or acts on behalf of a developer.
The source material also identifies a monitoring challenge: if traffic comes from a real user through an expected agent path, logs may not clearly show abuse. That could make token theft harder to distinguish from normal developer activity unless teams monitor config changes, MCP endpoint changes and unusual permission patterns.
The Complete SQLMap Toolkit: Automated SQL Injection, Burp Suite Workflows, and Advanced Exploitation Made Simple
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Disclosures Involve Expanding Workflows
Claude Code is used by developers to automate coding tasks and connect local workflows with external systems. The Model Context Protocol expands that reach by allowing tools and services to plug into an agent’s working environment.
The source material, citing Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, Computerwoche commentary by Anjali Gopinadhan Nair and Anthropic documentation, describes a pattern in which expanded developer-tool integrations can increase the attack surface.
The issue is not limited to one vendor. The report frames npm install hooks, local agent configuration and long-lived tokens as broader risks for agentic developer tools. Anthropic is credited in the source material with patching the Check Point-reported vulnerabilities after responsible disclosure.
Data Plane Development Kit (DPDK): A Software Optimization Guide to the User Space-Based Network Applications
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Mitiga Chain Still Disputed
It is not yet clear from the supplied source material whether Anthropic plans any product-level change for the Mitiga Labs chain. The report says the path remains unpatched by design choice, but it also describes npm post-install hooks as an industry-wide supply-chain risk rather than a flaw created solely by Claude Code.
The scale of real-world exploitation is also unclear. The source material describes the attack path and warns about active malware lures tied to exposed source material, but it does not provide confirmed victim counts or incident scope.
Algorithmic Trading with Python: Build, Backtest, and Automate Strategies with Code, Data, and Real-World Market Tools
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Teams Review Agent Workstations
Security teams using Claude Code or similar coding agents are likely to review local agent configuration, npm install controls, MCP scopes and token rotation procedures. The source material recommends updating Claude Code, watching ~/.claude.json for unexpected MCP endpoints or proxy settings, limiting OAuth scopes and removing unused integrations.
For hosts suspected of compromise, the recommended order is to remove the malicious hook or package first, then rotate affected tokens. Rotating credentials without cleaning the workstation may leave the same path in place.
Token2 Molto-1-i Multi-Profile TOTP Hardware Token
Holds TOTP hashes for 10 accounts
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
Key Questions
What is the main security issue reported here?
The main issue is that Claude Code’s local configuration and MCP integrations can become paths for token theft or code execution if an attacker can alter config files, package install behavior or repository hooks.
Has Anthropic patched the reported flaws?
According to the source material, Anthropic patched the two Check Point-reported CVEs. The Mitiga Labs token-theft chain is described as unpatched because Anthropic treated it as outside the product’s scope.
Does this only affect Claude Code?
The reported examples involve Claude Code, but the broader risk applies to agentic developer tools that connect local machines to code repositories, SaaS platforms and internal services.
What should developers check now?
Developers and security teams should update Claude Code, review ~/.claude.json, audit MCP permissions, limit OAuth scopes, inspect npm post-install behavior and rotate tokens after removing any suspicious local changes.
Source: Thorsten Meyer AI
