Detailed Analysis
SecurityWeek has reported a security vulnerability affecting Anthropic's Claude Code tool in which OAuth authentication tokens can be exfiltrated through a technique described as Model Context Protocol (MCP) hijacking. MCP, an open standard developed by Anthropic and increasingly adopted across the AI industry, lets large language models connect to external tools, data sources, and services. In this attack, a malicious or compromised MCP server intercepts the OAuth tokens that Claude Code uses to authenticate to external services, giving the attacker unauthorized access to those connected accounts and systems. The "stealthy" characterization suggests the attack can proceed without triggering obvious alerts, so neither users nor security tooling are likely to notice it while it is under way.
The significance of this vulnerability lies in the privileged position that agentic AI coding tools like Claude Code occupy within developer workflows. Claude Code is designed to operate with elevated access to codebases, terminals, APIs, and third-party services, so stolen OAuth credentials could expose not just a single application but an entire chain of connected developer infrastructure. Unlike a traditional software vulnerability confined to a single component, an MCP-based attack exploits the very integration layer that makes AI assistants powerful: the ability to reach across multiple tools at once. This turns a token theft incident from a localized breach into a potential supply chain or lateral-movement risk.
The disclosure fits into a rapidly expanding category of security research focused on the attack surfaces introduced by the AI agent ecosystem. As MCP has gained adoption across competing AI platforms — including implementations by Microsoft, Google, and various open-source projects — security researchers have begun systematically probing the protocol for weaknesses. Prior work has identified prompt injection attacks, tool poisoning, and server spoofing as related threat vectors within MCP environments. The OAuth token hijacking technique adds credential theft to this growing taxonomy, underscoring that the security model for AI agents must account for threats not just to the model itself, but to the orchestration infrastructure surrounding it.
Anthropic faces the dual challenge common to platform developers who open their ecosystems to third-party integrations: the same extensibility that drives adoption also expands the attack surface. OAuth token security in particular was a weak point across web and API ecosystems long before AI agents entered the picture, but the automated, high-trust nature of AI coding assistants amplifies the consequences of credential compromise. Enterprises deploying Claude Code in production environments will likely need to apply the principle of least privilege more aggressively to MCP server connections (granting each server only the scopes it needs), maintain and regularly audit an allowlist of the MCP servers and external services that are authorized, and monitor for anomalous token usage, such as a token being presented from an unexpected client or network location, as mitigations while any protocol-level fixes are developed and deployed.
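As an added example (not code from the original article, from SecurityWeek, or from Anthropic), the following Python script implements the two operational mitigations just described: an allowlist audit of MCP server definitions, and a check that flags an OAuth token when it is presented from a client and source address not seen during a baseline period. The configuration layout (a JSON document with a top-level "mcpServers" map, modelled on Claude Code's project-level .mcp.json), the allowlist values, the server names and hosts, and the token-usage log format are all assumptions constructed for this example.

```python
"""Added example: audit MCP server definitions and watch for tokens used from new origins."""
import json
import re
from urllib.parse import urlparse

# Hypothetical policy values: which remote MCP hosts and local launcher commands
# the organisation has approved. Adjust to the real allowlist.
APPROVED_HOSTS = {"mcp.approved.example"}
APPROVED_COMMANDS = {"npx", "uvx", "node", "python3"}
# Environment variable names that look like credentials being handed to a server.
SECRET_ENV_RE = re.compile(r"TOKEN|SECRET|PASSWORD|API_?KEY", re.IGNORECASE)

# Constructed sample config (not a real deployment). Shaped like a Claude Code
# project-level .mcp.json: remote servers carry a "url", local ones a "command".
SAMPLE_CONFIG = json.dumps({
    "mcpServers": {
        "github": {"type": "http", "url": "https://mcp.approved.example/github"},
        "notes": {"type": "sse", "url": "http://mcp.contrib.test/notes"},
        "local-fs": {"command": "npx", "args": ["-y", "@modelcontextprotocol/server-filesystem", "/tmp"]},
        "shadow": {"command": "/tmp/mcp-shadow", "args": [], "env": {"API_TOKEN": "example-not-a-real-token"}},
    }
})

# Constructed token-usage log lines (JSON per line). Field names are assumptions;
# map them to whatever the identity provider's audit log actually emits.
SAMPLE_TOKEN_LOG = [
    '{"token_id": "tok_A", "client": "claude-code", "src_ip": "10.0.0.5"}',
    '{"token_id": "tok_B", "client": "claude-code", "src_ip": "10.0.0.5"}',
    '{"token_id": "tok_A", "client": "claude-code", "src_ip": "10.0.0.5"}',
    '{"token_id": "tok_B", "client": "claude-code", "src_ip": "10.0.0.5"}',
    '{"token_id": "tok_A", "client": "claude-code", "src_ip": "10.0.0.5"}',
    '{"token_id": "tok_A", "client": "curl/8.4", "src_ip": "203.0.113.9"}',
    '{"token_id": "tok_A", "client": "curl/8.4", "src_ip": "203.0.113.9"}',
]


def audit_mcp_config(config_text):
    """Return a list of (server_name, finding) for entries that violate policy."""
    findings = []
    servers = json.loads(config_text).get("mcpServers", {})
    for name, spec in servers.items():
        url = spec.get("url")
        cmd = spec.get("command")
        if url:
            parsed = urlparse(url)
            # A plaintext transport exposes any bearer token sent to the server.
            if parsed.scheme != "https":
                findings.append((name, f"remote server uses scheme {parsed.scheme!r}, not https"))
            if parsed.hostname not in APPROVED_HOSTS:
                findings.append((name, f"host {parsed.hostname!r} not on allowlist"))
        if cmd and cmd not in APPROVED_COMMANDS:
            findings.append((name, f"command {cmd!r} not on allowlist"))
        if not url and not cmd:
            findings.append((name, "server has neither url nor command"))
        # Credentials placed in a server's environment are fully readable by that server.
        for key in spec.get("env", {}):
            if SECRET_ENV_RE.search(key):
                findings.append((name, f"credential-like env var {key} handed to server"))
    return findings


def detect_new_token_origins(log_lines, baseline_events=4):
    """Flag (token_id, (client, src_ip)) pairs first seen after the baseline window.

    The first `baseline_events` lines establish which origins each token is
    normally presented from; any later use from an unseen origin is an alert.
    Each new origin is reported once.
    """
    known = {}  # token_id -> set of (client, src_ip)
    alerts = []
    for i, line in enumerate(log_lines):
        ev = json.loads(line)
        origin = (ev["client"], ev["src_ip"])
        seen = known.setdefault(ev["token_id"], set())
        if i < baseline_events:
            seen.add(origin)
        elif origin not in seen:
            alerts.append((ev["token_id"], origin))
            seen.add(origin)  # alert once per new origin, not on every reuse
    return alerts


if __name__ == "__main__":
    for server, finding in audit_mcp_config(SAMPLE_CONFIG):
        print(f"[config] {server}: {finding}")
    for token, origin in detect_new_token_origins(SAMPLE_TOKEN_LOG):
        print(f"[token] {token} presented from new origin {origin}")
```

On the constructed input the audit flags the "notes" server (plaintext transport, host not on the allowlist) and the "shadow" server (unapproved launcher binary, credential passed in its environment), and the origin check reports tok_A once when it is first presented from a non-Claude client at an external address. A real deployment would feed the audit the actual .mcp.json files and the detector the identity provider's token-usage events, and would tune the baseline window to the environment.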