TL;DR

Security researchers have documented three Claude Code attack paths involving local configuration, MCP integrations and repository hooks. Check Point-reported flaws have been patched, while Mitiga Labs says a token-theft chain tied to npm post-install behavior remains live because Anthropic treated it as out of scope.

Security researchers have documented three Claude Code security issues that turn local configuration files, Model Context Protocol integrations and repository hooks into paths for token theft or code execution, raising fresh concerns about how agentic coding tools operate on developer machines.

The disclosures cited by Thorsten Meyer AI, Computerwoche commentary by cybersecurity engineer Anjali Gopinadhan Nair, Mitiga Labs, Check Point Research, SecurityWeek and all-about-security describe a shared pattern: files and integrations often treated as passive developer tooling can affect execution, network routing and authentication.

Check Point Research reported CVE-2025-59536, described as remote code execution through repository hooks, and CVE-2026-21852, described as API-key exfiltration. According to the source material, Anthropic patched the reported Check Point issues after responsible disclosure.

Mitiga Labs separately described a token-theft chain in which a malicious npm package could alter the local Claude Code configuration file, reroute authenticated MCP traffic and intercept long-lived OAuth tokens for connected services such as GitHub, Jira and Confluence. The source material says Anthropic considered that chain out of scope, leaving mitigation to users and teams.

ThorstenMeyerAI.com · AI Dispatch ● Reality Check · Dev-Tool Security · June 2026

Claude Code · MCP · Agentic Dev-Tool Security

Your Coding Agent Is an Attack Surface

Q: What should developers check first?

Developers should update Claude Code, inspect ~/.claude.json for unfamiliar MCP endpoints or proxy changes, review npm post-install behavior and narrow OAuth scopes for connected services.

● Security

Three disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make — and the lesson applies to every agentic dev tool, not one.

01 Three disclosures, one theme

The config files most teams treat as passive metadata are, in practice, active execution paths.

Mitiga Labs

Silent token theft

A malicious npm package rewrites ~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira, Confluence.

● Live · no patch

Check Point Research

Code execution before the prompt

CVE-2025-59536 (RCE via repo hooks) and CVE-2026-21852 (API-key exfiltration). Just cloning an untrusted repo was enough.

● Patched

SecurityWeek · all-about-security

Source leak → malware lure

A packaging error exposed unencrypted source. Now fuel for fake GitHub repos pushing trojans via social engineering.

● Active lure

02 The token-theft chain

How the unpatched Mitiga path works — at the level its researchers published. (Defensive overview, no exploit detail.)

01 · bait

A malicious npm package poses as a harmless utility.

→

02 · rewrite

A post-install hook silently rewrites ~/.claude.json.

→

03 · reroute

Claude Code’s authenticated MCP traffic is redirected to attacker infrastructure.

→

04 · siphon

Long-lived OAuth tokens for every connected SaaS are captured in transit.

And it’s invisible: the source IP traces to Anthropic’s egress range, the user is real, the session is valid. Nothing in the logs is wrong — and nothing is right.

03 Why this is worse than browser phishing

Adversary-in-the-Middle

Targets a browser session

Slips between you and the service, waits for login, lifts the session token. Bad — but bounded to the browser.

A coding agent

Sits next to everything that matters

Source code, internal APIs, cloud infrastructure, production keys. A stolen agent token reaches further than a stolen browser session ever could.

Passive metadata → active execution path

config file

→

traffic router

repo hook

→

pre-consent RCE

env variable

→

token redirect

MCP token

→

SaaS access

04 The defense playbook

For teams running Claude Code — or any coding agent — in production.

Patch & update first

Current versions fix the Check Point CVEs — the cheapest win.

Watch ~/.claude.json

Treat new MCP endpoints, proxy addresses, or OAuth-refresh changes as an alarm.

Gate npm post-install hooks

Review what runs at install time — across all dev tools, not just this one.

Clean the host, then rotate

Rotation alone won’t break the chain if the hook remains. Remove it first, then rotate tokens.

Least-privilege MCP

Narrow scopes; audit via /permissions; disconnect what you don’t use.

Sandbox & verify provenance

Isolate sessions, keep prod secrets off the workstation, distrust unfamiliar repos.

05 The honest read

◆ Credit where due

Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.

⬛ The uncomfortable part

Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.

Don’t wait for a patch that may never come. Treat the agent’s config as production code — because it is.

Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.

Agent Tokens Reach Developer Systems

The findings matter because coding agents can sit close to source code, internal services, cloud credentials and production workflows. A compromised browser session may expose one service; a compromised agent configuration can affect several connected developer tools if permissions are broad.

The reported Mitiga chain is also difficult for ordinary monitoring to spot. The activity can appear to come from a real user using a valid session, while the source material says traffic may still appear tied to Anthropic infrastructure. That makes prevention, configuration monitoring and token hygiene more important than after-the-fact log review alone.

Docker: Practical Guide for Developers and DevOps Teams – Unlock the Power of Containerization: Skills for Building, Securing, and Orchestrating with Docker (Rheinwerk Computing)

As an affiliate, we earn on qualifying purchases.

MCP Expands The Trust Boundary

Claude Code and similar agentic developer tools are designed to act inside local development environments and connect to outside services. MCP integrations extend that reach by allowing the agent to interact with third-party systems, often using persistent credentials.

The same design that makes the tool useful also expands its trust boundary. Local configuration files can define where traffic goes, repository hooks can run before a user interacts with a prompt, and package-install scripts can alter a workstation. The disclosures do not mean all Claude Code users were compromised; they show how the attack surface changes when coding agents are granted broad local and SaaS access.

“The config files most teams treat as passive metadata are, in practice, active execution paths.”
— Thorsten Meyer AI commentary

McAfee Total Protection | 3 Device | Antivirus Internet Security Software | VPN, Password Manager, Dark Web Monitoring | 1 Year Subscription | Download Code

MCAFEE TOTAL PROTECTION IS ALL-IN-ONE PROTECTION — delivering award-winning antivirus for 3 devices, with identity monitoring and VPN

As an affiliate, we earn on qualifying purchases.

Open Questions On Exposure

It is not clear from the provided source material how many users or organizations were affected, whether the Mitiga-described path has been exploited at scale, or whether Anthropic plans any product-level change for that chain. It is also unclear which environments are most exposed, because risk depends on installed packages, local configuration, connected MCP services and token scopes.

The reported SecurityWeek and all-about-security thread also describes a source leak that may have enabled fake GitHub repositories and malware lures, but the source material does not establish how many users encountered those lures or whether they directly compromised Claude Code installations.

Getting Started with OpenSSF Scorecard and Allstar: an essential guide to demystifying repository security (Fewer Incidents)

As an affiliate, we earn on qualifying purchases.

Teams Must Harden Agent Workstations

For now, the next step for teams using Claude Code is operational rather than theoretical: update to current versions, review local configuration files, monitor MCP endpoints, restrict token scopes, audit connected services and treat package-install scripts as a workstation security risk.

Security teams should remove any malicious hooks or package changes before rotating tokens, because rotation alone would not stop a live interception path. Vendors of coding agents are likely to face more pressure to define which local configuration and connector risks they will patch, warn on or leave to customers.

OAuth 2.0 Cookbook: Protect your web applications using Spring Security

As an affiliate, we earn on qualifying purchases.

Key Questions

Was Claude Code hacked?

The source material does not say Claude Code itself was broadly hacked. It describes disclosed attack paths affecting local configuration, MCP traffic and repository hooks, with some issues patched and one chain left to user-side mitigation.

Which issues were patched?

According to the source material, Anthropic patched the Check Point-reported issues identified as CVE-2025-59536 and CVE-2026-21852.

What remains unpatched?

Mitiga Labs described a token-theft path involving a malicious npm package and changes to the local Claude Code configuration. The source material says Anthropic treated that chain as out of scope.

What should developers check first?

Developers should update Claude Code, inspect ~/.claude.json for unfamiliar MCP endpoints or proxy changes, review npm post-install behavior and narrow OAuth scopes for connected services.

Does this apply only to Claude Code?

No. The reported issues center on Claude Code, but the larger risk applies to agentic developer tools that can act locally, connect to SaaS services and use persistent credentials.

Source: Thorsten Meyer AI

Your Coding Agent Is an Attack Surface: The Claude Code Security Reckoning

Up next

The Safety Card, Played From Every Side: David Sacks, Anthropic, and the Fable Standoff

Author

Deep Intellica Team

Share article

Your Coding Agent Is an Attack Surface

Agent Tokens Reach Developer Systems

Docker: Practical Guide for Developers and DevOps Teams – Unlock the Power of Containerization: Skills for Building, Securing, and Orchestrating with Docker (Rheinwerk Computing)

MCP Expands The Trust Boundary

McAfee Total Protection | 3 Device | Antivirus Internet Security Software | VPN, Password Manager, Dark Web Monitoring | 1 Year Subscription | Download Code

Open Questions On Exposure

Getting Started with OpenSSF Scorecard and Allstar: an essential guide to demystifying repository security (Fewer Incidents)

Teams Must Harden Agent Workstations

OAuth 2.0 Cookbook: Protect your web applications using Spring Security