Your Coding Agent Is an Attack Surface: The Claude Code Security Reckoning

TL;DR

Security researchers have reported three Claude Code-related attack paths involving local configuration, MCP integrations, repository hooks and exposed source code. Check Point-reported CVEs have been patched, while a Mitiga Labs token-theft chain is described as unpatched because Anthropic treats it as out of scope.

Security researchers have documented multiple Claude Code attack paths that could expose developer tokens or enable code execution, putting a spotlight on agentic coding tools that connect local workstations to services such as GitHub, Jira and Confluence.

The reporting centers on three strands: a Mitiga Labs token-theft chain involving Claude Code’s local configuration and MCP routing, Check Point Research findings tied to repository hooks and API-key exposure, and reporting that a packaging error exposed source code later used in fake GitHub lures.

According to the source material, Check Point Research reported CVE-2025-59536, described as remote code execution through repository hooks, and CVE-2026-21852, described as API-key exfiltration. Those issues are described as patched. Mitiga Labs’ reported chain remains live, according to the article, because Anthropic treats that class of npm post-install behavior as outside its patch scope.

The reported Mitiga path does not require breaking into Anthropic’s systems. The described chain begins with a malicious npm package, uses a post-install hook to alter ~/.claude.json, redirects Claude Code’s authenticated MCP traffic and captures long-lived OAuth tokens for connected SaaS tools, according to the researchers’ defensive overview.

ThorstenMeyerAI.com · AI Dispatch ● Reality Check · Dev-Tool Security · June 2026
Claude Code · MCP · Agentic Dev-Tool Security

Your Coding Agent Is an Attack Surface

● Security

Three disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make — and the lesson applies to every agentic dev tool, not one.

01 Three disclosures, one theme

The config files most teams treat as passive metadata are, in practice, active execution paths.

Mitiga Labs
Silent token theft
A malicious npm package rewrites ~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira, Confluence.
● Live · no patch
Check Point Research
Code execution before the prompt
CVE-2025-59536 (RCE via repo hooks) and CVE-2026-21852 (API-key exfiltration). Just cloning an untrusted repo was enough.
● Patched
SecurityWeek · all-about-security
Source leak → malware lure
A packaging error exposed unencrypted source. Now fuel for fake GitHub repos pushing trojans via social engineering.
● Active lure
02 The token-theft chain

How the unpatched Mitiga path works — at the level its researchers published. (Defensive overview, no exploit detail.)

01 · bait
A malicious npm package poses as a harmless utility.
02 · rewrite
A post-install hook silently rewrites ~/.claude.json.
03 · reroute
Claude Code’s authenticated MCP traffic is redirected to attacker infrastructure.
04 · siphon
Long-lived OAuth tokens for every connected SaaS are captured in transit.
And it’s invisible: the source IP traces to Anthropic’s egress range, the user is real, the session is valid. Nothing in the logs is wrong — and nothing is right.
03 Why this is worse than browser phishing
Adversary-in-the-Middle
Targets a browser session
Slips between you and the service, waits for login, lifts the session token. Bad — but bounded to the browser.
A coding agent
Sits next to everything that matters
Source code, internal APIs, cloud infrastructure, production keys. A stolen agent token reaches further than a stolen browser session ever could.
Passive metadata → active execution path
config file
traffic router
repo hook
pre-consent RCE
env variable
token redirect
MCP token
SaaS access
04 The defense playbook

For teams running Claude Code — or any coding agent — in production.

01
Patch & update first
Current versions fix the Check Point CVEs — the cheapest win.
02
Watch ~/.claude.json
Treat new MCP endpoints, proxy addresses, or OAuth-refresh changes as an alarm.
03
Gate npm post-install hooks
Review what runs at install time — across all dev tools, not just this one.
04
Clean the host, then rotate
Rotation alone won’t break the chain if the hook remains. Remove it first, then rotate tokens.
05
Least-privilege MCP
Narrow scopes; audit via /permissions; disconnect what you don’t use.
06
Sandbox & verify provenance
Isolate sessions, keep prod secrets off the workstation, distrust unfamiliar repos.
05 The honest read
◆ Credit where due

Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.

⬛ The uncomfortable part

Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.

Don’t wait for a patch that may never come. Treat the agent’s config as production code — because it is.

Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.

ThorstenMeyerAI.com · AI Dispatch · Reality Check · June 2026 · © 2026 Thorsten Meyer

Agent Tokens Reach Core Systems

The issue matters because coding agents often sit near source code, internal APIs, cloud tooling and production credentials. A stolen browser session may expose one service. A stolen agent token can reach across several systems if the agent has broad MCP permissions.

The findings also change how teams need to classify local agent files. Configuration that once looked like passive developer metadata can become a routing layer for authenticated traffic. That makes file integrity, package-install behavior and connector permissions part of the security boundary.

Token2 miniOTP-2-i programmable Two-Factor Security Token with time sync

Token2 miniOTP-2-i programmable Two-Factor Security Token with time sync

Works with authentication systems that support TOTP tokens: Google, Facebook, Coinbase, GDAX, Dropbox, GitHub, Kickstarter, Microsoft, TeamViewer, etc.

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Claude Code’s Expanding Permissions

Claude Code is used by developers to run coding workflows from local machines while connecting to outside services through the Model Context Protocol. Those integrations are useful because they let the agent work across repositories, tickets, documents and internal services.

The same design creates risk when local files, hooks or package scripts can alter how the agent reaches those services. The source material frames the issue as broader than Claude Code, saying the pattern applies to agentic developer tools that can read code, execute commands or act through connected accounts.

Anthropic is credited in the source material with patching the Check Point-reported CVEs after responsible disclosure. The disputed area is the Mitiga-reported npm package path, where the article says Anthropic treats the chain as an industry-wide supply-chain risk rather than a Claude Code vulnerability.

Amazon

GitHub security audit tools

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Mitiga Chain Patch Status

It is not yet clear whether Anthropic will change its position on the Mitiga-reported chain or add product-level guardrails around local MCP routing changes. The source material says the chain remains unpatched by design choice, while also describing the npm post-install behavior as a wider software supply-chain issue.

The scope of active exploitation is also unclear from the provided material. The report describes a plausible and disclosed path for token theft, but does not establish how many developer environments, if any, have been compromised through this chain.

Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments: Second International Conference, ISDDC 2018, Vancouver, BC, Canada, ... (Programming and Software Engineering)

Intelligent, Secure, and Dependable Systems in Distributed and Cloud Environments: Second International Conference, ISDDC 2018, Vancouver, BC, Canada, … (Programming and Software Engineering)

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Teams Review Agent Workstations

Teams using Claude Code or similar agents are being urged to update patched versions, audit ~/.claude.json, watch for new MCP endpoints or proxy settings, review npm post-install scripts, narrow connector scopes and rotate tokens only after removing any persistence mechanism.

The next test for vendors will be whether agent tools add stronger warnings, config integrity checks or safer defaults around connector routing. For users, the immediate step is to treat coding-agent configuration as part of the production security surface, not ordinary local preference data.

Mastering Secure Authentication: A Comprehensive Guide to Implementing Robust Authentication Solutions with OAuth2 and OpenID

Mastering Secure Authentication: A Comprehensive Guide to Implementing Robust Authentication Solutions with OAuth2 and OpenID

As an affiliate, we earn on qualifying purchases.

As an affiliate, we earn on qualifying purchases.

Key Questions

What is the confirmed development?

Researchers have reported Claude Code-related attack paths involving MCP routing, local config files, repository hooks and token exposure. The Check Point-reported CVEs are described as patched; the Mitiga token-theft path is described as still open.

Does this mean Claude Code itself was breached?

The provided material does not say Anthropic was breached. The reported risks involve local developer environments, malicious packages, repo hooks and how authenticated agent traffic can be redirected.

What should developers check first?

Developers should update Claude Code, inspect ~/.claude.json for unfamiliar MCP endpoints or proxy settings, review install scripts from recent npm packages and audit connected service permissions.

Why are MCP tokens a high-value target?

MCP integrations can connect an agent to code hosts, issue trackers, documents and internal services. If tokens are long-lived and broadly scoped, one stolen credential can expose several systems.

What remains unknown?

The provided material does not confirm the number of affected users or active compromises. It is also unclear whether Anthropic will add a product-level fix for the Mitiga-reported chain.

Source: Thorsten Meyer AI

You May Also Like

Mobilisiert, nicht ausgegeben: Was von Europas €200-Milliarden-KI-Offensive übrig bleibt

The EU’s €200 billion InvestAI push depends heavily on private capital that has not yet been committed, raising questions about its impact.

A Frontier AI Model Just Went Dark for 18 Days. The Kill-Switch Is Real Now.

Commerce ended controls on Anthropic’s Fable 5 and Mythos 5 after 18 days, but the release terms point to a new gate for frontier AI.

Build vs Buy a Prebuilt AI Workstation

Deciding between building or buying your AI workstation? Discover the cost, speed, and performance tradeoffs — and why 2026 changed everything.

TIL that when Caesars Palace opened, they had cocktail waitresses in Greco-Roman wigs greeting people by saying “Welcome to Caesars Palace, I am your slave”

Discover the history of Caesars Palace’s opening, including its iconic Greco-Roman-themed cocktail waitresses and their role in its lavish debut in 1966.