TL;DR
Security researchers have linked three Claude Code-related flaws to risks including OAuth token theft and code execution through local config, MCP routing and repository hooks. Anthropic patched the Check Point-reported CVEs, while Mitiga Labs’ npm-based token-theft chain remains unresolved because Anthropic reportedly classifies it as out of scope.
Security researchers have disclosed Claude Code-related attack paths that could expose developer OAuth tokens or execute code through local configuration files, MCP integrations and repository hooks, raising concern for teams that connect coding agents to GitHub, Jira, Confluence and internal systems.
The reported issues fall into three strands. Mitiga Labs described a live token-theft chain in which a malicious npm package rewrites ~/.claude.json, reroutes authenticated Model Context Protocol traffic and captures long-lived OAuth tokens for connected services. According to the source material, Anthropic considers that chain out of scope, leaving mitigation largely to users and security teams.
Check Point Research reported two Claude Code vulnerabilities identified as CVE-2025-59536 and CVE-2026-21852. The source material says one involved remote code execution through repository hooks before a user prompt, while the other involved API-key exfiltration. Those issues were patched by Anthropic after disclosure, according to the report.
A separate supply-chain concern cited through SecurityWeek and all-about-security involves a packaging error that exposed unencrypted source material, which attackers could use in fake GitHub repositories or malware lures. The source material frames that threat as active social engineering rather than a newly confirmed exploitation of Claude Code itself.
Your Coding Agent Is an Attack Surface
● SecurityThree disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make — and the lesson applies to every agentic dev tool, not one.
The config files most teams treat as passive metadata are, in practice, active execution paths.
~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira, Confluence.How the unpatched Mitiga path works — at the level its researchers published. (Defensive overview, no exploit detail.)
~/.claude.json.For teams running Claude Code — or any coding agent — in production.
~/.claude.json/permissions; disconnect what you don’t use.Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.
Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.
Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.
Agent Tokens Reach Beyond Browsers
The concern is that coding agents sit close to source code, SaaS connectors, cloud tooling and development secrets. A stolen browser session can give an attacker access to one service. A stolen or rerouted agent token may reach multiple systems that a developer has connected for daily work.
The Mitiga chain matters because the attack, as described, can appear normal in logs. The user is real, the session is valid and traffic may appear to come through expected Anthropic infrastructure. That makes the issue harder to spot than many ordinary phishing attempts, where unusual login geography, device signals or browser behavior may offer warnings.
The broader lesson is not limited to Claude Code. The source material argues that local agent configuration files, MCP connector settings, npm install scripts and repository hooks should be treated as active execution paths. For organizations adopting agentic development tools, that changes the security model around developer laptops and tool permissions.

Python Cybersecurity Automation Tips – Efficient security monitoring and penetration testing automation using scripts and tools – (Japanese Edition)
As an affiliate, we earn on qualifying purchases.
As an affiliate, we earn on qualifying purchases.
The shared pattern is that features built for speed and integration can also become paths for abuse. Claude Code can connect to external tools through MCP, read local configuration and act inside a developer’s workspace. Those capabilities are useful for automation, but they also increase the impact if a config file, hook or connector is modified.
According to the source material, German-market commentary by cybersecurity engineer Anjali Gopinadhan Nair in Computerwoche connected the individual findings into a wider warning about agentic developer tooling. The commentary credited Anthropic for patching the Check Point-reported issues while criticizing the unresolved Mitiga path as a risk teams should handle now.
The reported defense guidance is practical: update Claude Code, monitor ~/.claude.json, review npm post-install hooks, remove malicious local changes before rotating tokens, narrow MCP scopes and avoid placing production secrets on ordinary workstations.
“The config files most teams treat as passive metadata are, in practice, active execution paths.”
— ThorstenMeyerAI Dispatch
Patch Boundary Still Disputed
It is not clear from the provided source material whether attackers are actively using the Mitiga-described npm chain against Claude Code users in the wild. The report describes the chain as live and unpatched, but does not provide incident counts, victim names or independent telemetry.
It is also unclear whether Anthropic will change its position on the Mitiga issue. The source material says Anthropic treats the chain as out of scope, while the commentary argues that user consent to install a package is not consent for SaaS credentials to be intercepted through agent routing.
The exact exposure for any one organization depends on local setup: which MCP connectors are enabled, what scopes tokens carry, whether npm lifecycle scripts are restricted and whether developer machines hold production credentials.
Teams Move To Harden Agents
The next step for users is to verify they are running patched Claude Code versions for the Check Point-reported CVEs, then audit local agent configuration and connected services. Security teams should check for unexpected MCP endpoints, proxy settings and OAuth-refresh changes in ~/.claude.json.
If compromise is suspected, the reported guidance is to clean the host first, remove hostile hooks or config changes, then rotate affected tokens. Rotating credentials without removing the local mechanism that captured them may leave the same path open.
For vendors and large engineering teams, the unresolved question is where agent-tool responsibility ends and local supply-chain risk begins. Until that boundary is clearer, the safer operating model is to treat coding agents as privileged software with access that must be scoped, monitored and periodically reviewed.
Key Questions
What was the main Claude Code security development?
Researchers and security commentary tied Claude Code’s local configuration, MCP integrations and repository hooks to disclosed risks involving token theft and code execution. Some reported flaws were patched, while the Mitiga-described npm token-theft chain remains unresolved in the source material.
Were all reported Claude Code flaws patched?
No. The source material says Anthropic patched the Check Point-reported CVEs, identified as CVE-2025-59536 and CVE-2026-21852. It says the Mitiga Labs token-theft chain remains live because Anthropic views it as out of scope.
Why are MCP integrations part of the risk?
MCP integrations can connect a coding agent to services such as GitHub, Jira and Confluence. If traffic is rerouted or tokens are captured, an attacker may gain access beyond the coding tool itself, depending on token scopes and connected services.
What should Claude Code users check first?
Users should update Claude Code, inspect ~/.claude.json for unexpected MCP endpoints or proxy changes, review npm post-install behavior and reduce token scopes for connected services.
Is this only a Claude Code issue?
The disclosed findings concern Claude Code, but the wider risk applies to agentic developer tools that can read local config, connect to SaaS accounts and act inside development environments.
Source: Thorsten Meyer AI