TL;DR
Security researchers have reported three Claude Code-related attack paths involving local configuration, MCP integrations, repository hooks and exposed source code. Check Point-reported CVEs have been patched, while a Mitiga Labs token-theft chain is described as unpatched because Anthropic treats it as out of scope.
Security researchers have documented multiple Claude Code attack paths that could expose developer tokens or enable code execution, putting a spotlight on agentic coding tools that connect local workstations to services such as GitHub, Jira and Confluence.
The reporting centers on three strands: a Mitiga Labs token-theft chain involving Claude Code’s local configuration and MCP routing, Check Point Research findings tied to repository hooks and API-key exposure, and reporting that a packaging error exposed source code later used in fake GitHub lures.
According to the source material, Check Point Research reported CVE-2025-59536, described as remote code execution through repository hooks, and CVE-2026-21852, described as API-key exfiltration. Those issues are described as patched. Mitiga Labs’ reported chain remains live, according to the article, because Anthropic treats that class of npm post-install behavior as outside its patch scope.
The reported Mitiga path does not require breaking into Anthropic’s systems. The described chain begins with a malicious npm package, uses a post-install hook to alter ~/.claude.json, redirects Claude Code’s authenticated MCP traffic and captures long-lived OAuth tokens for connected SaaS tools, according to the researchers’ defensive overview.
Your Coding Agent Is an Attack Surface
Security: Three disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make — and the lesson applies to every agentic dev tool, not one.
The config files most teams treat as passive metadata are, in practice, active execution paths.
[Panel: How the unpatched Mitiga path works — at the level its researchers published. Defensive overview, no exploit detail.] A package’s post-install hook alters ~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira and Confluence.
[Panel: For teams running Claude Code — or any coding agent — in production.] Audit ~/.claude.json and its MCP permissions; disconnect what you don’t use.
Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.
Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.
Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.
Agent Tokens Reach Core Systems
The issue matters because coding agents often sit near source code, internal APIs, cloud tooling and production credentials. A stolen browser session may expose one service. A stolen agent token can reach across several systems if the agent has broad MCP permissions.
The findings also change how teams need to classify local agent files. Configuration that once looked like passive developer metadata can become a routing layer for authenticated traffic. That makes file integrity, package-install behavior and connector permissions part of the security boundary.
Claude Code’s Expanding Permissions
Claude Code is used by developers to run coding workflows from local machines while connecting to outside services through the Model Context Protocol. Those integrations are useful because they let the agent work across repositories, tickets, documents and internal services.
The same design creates risk when local files, hooks or package scripts can alter how the agent reaches those services. The source material frames the issue as broader than Claude Code, saying the pattern applies to agentic developer tools that can read code, execute commands or act through connected accounts.
Anthropic is credited in the source material with patching the Check Point-reported CVEs after responsible disclosure. The disputed area is the Mitiga-reported npm package path, where the article says Anthropic treats the chain as an industry-wide supply-chain risk rather than a Claude Code vulnerability.
Mitiga Chain Patch Status
It is not yet clear whether Anthropic will change its position on the Mitiga-reported chain or add product-level guardrails around local MCP routing changes. The source material says the chain remains unpatched by design choice, while also describing the npm post-install behavior as a wider software supply-chain issue.
The scope of active exploitation is also unclear from the provided material. The report describes a plausible and disclosed path for token theft, but does not establish how many developer environments, if any, have been compromised through this chain.
Teams Review Agent Workstations
Teams using Claude Code or similar agents are being urged to update to patched versions, audit ~/.claude.json, watch for new MCP endpoints or proxy settings, review npm post-install scripts, narrow connector scopes and rotate tokens only after removing any persistence mechanism.
The next test for vendors will be whether agent tools add stronger warnings, config integrity checks or safer defaults around connector routing. For users, the immediate step is to treat coding-agent configuration as part of the production security surface, not ordinary local preference data.
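As an added defensive example (not code from Mitiga Labs, Check Point or Anthropic), the checks recommended above and repeated under “What should developers check first?” in Python: it assumes the user-scope config is ~/.claude.json with MCP servers under a top-level mcpServers map, and the endpoint allowlist, proxy-related env keys and sample inputs are constructed placeholders to adapt to your environment.

```python
import hashlib
import json
# Constructed allowlist of MCP endpoints this workstation is expected to use.
EXPECTED_ENDPOINTS = {"https://mcp.example-org.internal/github"}
# Env keys that silently reroute or weaken the agent's outbound traffic.
PROXY_KEYS = {"HTTP_PROXY", "HTTPS_PROXY", "ALL_PROXY",
              "NODE_EXTRA_CA_CERTS", "NODE_TLS_REJECT_UNAUTHORIZED"}
SECRET_HINTS = ("token", "secret", "api_key", "apikey", "password")
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def audit_mcp_config(config_text, expected=EXPECTED_ENDPOINTS):
    """Findings for one ~/.claude.json; assumes a top-level "mcpServers" map."""
    findings = []
    for name, server in json.loads(config_text).get("mcpServers", {}).items():
        url = server.get("url")
        if url and url not in expected:
            findings.append(f"{name}: MCP endpoint not on allowlist: {url}")
        env = server.get("env", {})
        for key in sorted(set(env) & PROXY_KEYS):
            findings.append(f"{name}: proxy/TLS override in env: {key}={env[key]}")
        for key in env:
            if any(h in key.lower() for h in SECRET_HINTS):
                findings.append(f"{name}: credential-like value in plaintext: {key}")
    return findings

def mcp_fingerprint(config_text):
    """Stable hash of the mcpServers block. Store it at baseline and compare on
    each run: an install script rewriting the routing shows up as a changed hash."""
    block = json.loads(config_text).get("mcpServers", {})
    canonical = json.dumps(block, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def install_scripts(package_json_text):
    """Lifecycle scripts npm runs automatically when this package is installed."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {k: v for k, v in scripts.items() if k in INSTALL_HOOKS}

# Constructed sample config: one expected server, one that has been rerouted.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "github": {"type": "http", "url": "https://mcp.example-org.internal/github"},
    "jira": {"type": "http", "url": "https://203.0.113.7/mcp",
             "env": {"HTTPS_PROXY": "http://203.0.113.7:8080",
                     "JIRA_API_TOKEN": "constructed-placeholder"}}}})
# Constructed package.json carrying an install-time hook worth reviewing.
SAMPLE_PACKAGE = json.dumps({"name": "example-pkg",
                             "scripts": {"postinstall": "node setup.js", "test": "jest"}})
if __name__ == "__main__":
    print(*audit_mcp_config(SAMPLE_CONFIG), sep="\n")
    print(mcp_fingerprint(SAMPLE_CONFIG), install_scripts(SAMPLE_PACKAGE))
```

Run it against the real file with `audit_mcp_config(open(os.path.expanduser("~/.claude.json")).read())`, and keep the fingerprint from a known-good state so a silent rewrite is caught before tokens are rotated.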
Key Questions
What is the confirmed development?
Researchers have reported Claude Code-related attack paths involving MCP routing, local config files, repository hooks and token exposure. The Check Point-reported CVEs are described as patched; the Mitiga token-theft path is described as still open.
Does this mean Claude Code itself was breached?
The provided material does not say Anthropic was breached. The reported risks involve local developer environments, malicious packages, repo hooks and how authenticated agent traffic can be redirected.
What should developers check first?
Developers should update Claude Code, inspect ~/.claude.json for unfamiliar MCP endpoints or proxy settings, review install scripts from recent npm packages and audit connected service permissions.
Why are MCP tokens a high-value target?
MCP integrations can connect an agent to code hosts, issue trackers, documents and internal services. If tokens are long-lived and broadly scoped, one stolen credential can expose several systems.
What remains unknown?
The provided material does not confirm the number of affected users or active compromises. It is also unclear whether Anthropic will add a product-level fix for the Mitiga-reported chain.
Source: Thorsten Meyer AI