Mitiga Uncovers Claude Code MCP Traffic Hijacking Attack
Security researchers at Mitiga disclosed a sophisticated attack method on May 7, 2026, that enables threat actors to silently intercept OAuth authentication tokens from Anthropic's Claude Code through Model Context Protocol (MCP) traffic manipulation. The attack leverages weaknesses in how Claude Code handles MCP communications to redirect authentication flows without triggering obvious security alerts.
The Model Context Protocol serves as Claude Code's primary communication channel for integrating with external development tools and SaaS platforms. When developers authenticate Claude Code with services like GitHub, GitLab, or cloud development environments, the system exchanges OAuth tokens through MCP channels to establish secure connections. Mitiga's research team discovered that attackers can position themselves as intermediaries in this process, effectively performing a man-in-the-middle attack on the authentication handshake.
The attack begins when threat actors compromise the MCP communication pathway, either through network-level interception or by exploiting vulnerabilities in the local development environment where Claude Code operates. Once positioned, attackers can silently redirect OAuth token requests to malicious endpoints that capture the authentication credentials while simultaneously forwarding them to legitimate services. This dual-path approach ensures that the original authentication appears successful to both the user and the target SaaS platform, masking the compromise.
What makes this attack particularly dangerous is its stealth factor. Unlike traditional OAuth token theft methods that often trigger security alerts or cause authentication failures, the MCP hijacking technique maintains normal application behavior. Developers continue working with Claude Code as expected, unaware that their authentication tokens have been compromised. The stolen tokens provide attackers with the same level of access that the legitimate user possesses across connected development platforms and SaaS services.
Mitiga researchers demonstrated how attackers can maintain persistent access to compromised accounts by leveraging the long-lived nature of many OAuth tokens used in development environments. Unlike session-based authentication that expires quickly, OAuth tokens for development tools often remain valid for extended periods to support automated workflows and continuous integration processes. This extended validity window gives attackers substantial time to explore connected systems, exfiltrate sensitive code repositories, or establish additional persistence mechanisms.
Development Teams Using Claude Code Face Exposure Risk
The vulnerability primarily affects software development teams and organizations that have integrated Claude Code with their development workflows and SaaS platforms. Any environment where Claude Code connects to external services through OAuth authentication becomes a potential target for this MCP hijacking attack. This includes individual developers working on personal projects, enterprise development teams, and organizations using Claude Code for automated code generation and review processes.
Particularly at risk are development environments that handle sensitive intellectual property, proprietary source code, or have access to production systems through integrated development platforms. Organizations using Claude Code with GitHub Enterprise, GitLab, Bitbucket, or cloud-based development environments like AWS CodeCommit face elevated exposure. The attack's impact extends beyond the immediate development environment to any SaaS platform connected through the compromised OAuth tokens.
Enterprise environments with extensive SaaS integrations face the highest risk, as a single compromised OAuth token can potentially provide access to multiple connected services. Development teams working with customer data, financial information, or other regulated content through Claude Code integrations should consider their exposure particularly serious. The persistent nature of the access means that even after initial compromise detection, attackers may have already established additional footholds in connected systems.
Remote development teams and distributed organizations may face additional challenges in detecting this type of attack, as the normal network traffic patterns in remote work environments can mask the subtle signs of MCP traffic redirection. Organizations relying heavily on automated development workflows through Claude Code integrations should assess their monitoring capabilities for detecting unauthorized OAuth token usage across connected platforms.
Implementing Protection Against Claude Code MCP Attacks
Organizations can implement several defensive measures to protect against MCP hijacking attacks targeting Claude Code OAuth tokens. The primary defense involves implementing network-level monitoring to detect unusual MCP traffic patterns or unexpected redirection attempts. Security teams should establish baseline traffic patterns for legitimate Claude Code communications and configure alerts for deviations that might indicate hijacking attempts.
Network segmentation provides another critical defense layer by isolating development environments and limiting the potential impact of compromised OAuth tokens. Organizations should implement zero-trust network architectures that require explicit verification for all MCP communications, even within trusted network segments. This approach can help detect and block unauthorized redirection attempts before they successfully capture OAuth tokens.
Authentication monitoring represents a crucial detection mechanism for this attack type. Security teams should implement comprehensive logging for all OAuth token generation, usage, and refresh activities across connected SaaS platforms. Unusual authentication patterns, such as tokens being used from unexpected geographic locations or accessing resources outside normal usage patterns, can indicate compromise. Organizations should also implement OAuth token rotation policies that limit the window of opportunity for attackers using stolen credentials.
For immediate protection, organizations should review their Claude Code deployment configurations and ensure that MCP communications occur over encrypted channels with proper certificate validation. Implementing certificate pinning for critical MCP connections can prevent attackers from successfully intercepting traffic through rogue certificates. Additionally, organizations should audit their OAuth token scopes and permissions to ensure that Claude Code integrations operate with minimal necessary privileges, limiting the potential impact of token compromise.
Long-term security improvements should include implementing OAuth token binding mechanisms that tie tokens to specific network contexts or device characteristics, making stolen tokens less useful to attackers operating from different environments. Organizations should also consider implementing continuous authentication monitoring that can detect and respond to suspicious OAuth token usage patterns in real-time across all connected SaaS platforms.
