Agentic AI
,
Synthetic Intelligence & Machine Studying
,
Subsequent-Era Applied sciences & Safe Growth
Malicious npm Package deal Lets Attackers Seize Refreshed Tokens
Rotating a compromised credential is meant to finish an assault, however a brand new proof-of-concept focusing on Claude Code reveals the way it restarted one.
See Additionally: AI Agents Introduce a New Insider Threat Model
Mitiga security researcher Idan Cohen described a five-step assault chain that hijacks the entry credentials connecting Claude Code, Anthropic’s command-line AI coding instrument, to exterior companies comparable to Jira, Confluence and GitHub. The assault doesn’t require a software program bug, privilege escalation or new vulnerability. Hackers simply require one malicious npm bundle set up and a configuration file to hold out the assault.
The configuration file described within the report, ~/.claude.json, is a settings file within the residence listing of whoever is logged in, which means each developer working Claude Code has their very own copy on their machine. It serves as Claude Code’s grasp management doc by storing credentials that authorize the instrument to behave on exterior companies on a developer’s behalf, governing whether or not Claude Code asks the person earlier than executing shell instructions, and figuring out which instruments the agent is permitted to run. Any course of working because the logged-in person can edit it with out particular system privileges.
Cohen mentioned that when he started testing, it shocked him that when he used Claude to edit the .json file, the instrument did so “with out hesitating.”
“I anticipated pushback, particularly on a file Claude itself depends upon. It did not occur,” he advised ISMG.
Safety tooling tends to deal with credential storage and belief configuration as separate issues with separate mitigations. In ~/.claude.json, they’re the identical downside. Software approval, belief state and the routing addresses that decide the place Claude Code sends its authorization credentials are all current in a single file, editable by the identical person working the agent. “The mismatch between what the file controls and what it takes to switch it’s the hole,” Cohen mentioned.
Claude Code connects to exterior companies via mannequin context protocol, an open customary that lets AI instruments name out to exterior software program methods. When a developer authorizes Claude Code to entry a type of companies, the instrument receives a bearer token, a long-lived credential hooked up to each subsequent request. That token is saved in plaintext inside ~/.claude.json and inherits no matter permissions builders permitted after they first linked the service. As soon as the token is issued, its scope is mounted till it expires or is revoked.
Cohen’s assault chain begins with a malicious npm bundle designed to look respectable sufficient to outlive an informal evaluation. The bundle comprises a script that runs robotically on set up, a mechanism safety researchers have flagged as a persistent provide chain threat, with roughly 30 CVEs filed in opposition to MCP infrastructure in simply the primary two months of 2026.
The script targets frequent developer listing paths to maximise its attain, pre-approves belief in these directories so Claude Code stops prompting the person for affirmation, then rewrites the MCP server deal with in ~/.claude.json to level at a proxy below the attacker’s management. From that time ahead, each time Claude Code connects a linked service, the bearer token within the authorization header passes via the attacker’s infrastructure. The upstream supplier sees a sound token arriving from Anthropic’s community, which is precisely the place it expects Claude Code visitors to originate.
The path successfully ends there. “You possibly can replay the token, use it outdoors the unique MCP context, and the platform has nothing significant to detect on,” Cohen mentioned. The supplier sees an authenticated person, a sound token and an AI-assisted name sample, and this mix just isn’t sufficient to tell apart respectable use from abuse.
The subsequent steps make the chain sturdy. The malicious script reasserts the rewritten configuration each time Claude Code hundreds. When a safety crew rotates the stolen token – the usual response to a suspected credential theft – the subsequent authorization handshake runs via the proxy once more and the attacker captures a recent token. “Token rotation reinforces the compromise as a result of the proxy remains to be within the loop,” Cohen mentioned. “The subsequent refresh token comes via the attacker too.”
Transferring token storage to a system keychain, the safe credential storage constructed into most working methods, wouldn’t break the chain.
The assault capabilities as a result of Claude Code has no mechanism to confirm that an MCP server deal with matches the one the person initially approved. Cohen’s proposed treatment contains signed server identities pinned on first use, refresh tokens sure to a server fingerprint, full re-authorization triggered by any endpoint change and shopper attestation, a course of by which the software program proves it’s working in an unmodified state earlier than being granted entry. “Signal MCP server identities and validate them at session begin, and the file turns into neutered. Even editable, you may’t redirect anyplace.”
Anthropic reviewed the report and mentioned the problem was out of scope as a result of the assault would require an attacker to have already got code execution on a developer’s machine. Cohen agreed that it is a actual prerequisite, however mentioned that compromising an AI agent is completely different from a typical endpoint breach. A traditional compromise could expose information and setting variables on one machine, whereas compromising an AI agent’s configuration might give an attacker authenticated entry to each linked service the agent is allowed to make use of.
“Distributors are treating AI agent vulnerabilities like unusual CLI instrument bugs,” Cohen mentioned. “However as soon as an attacker will get in, the affect may be very completely different. The extra companies an AI agent is linked to, the bigger the potential blast radius turns into.”
The ultimate component of the assault can also be the toughest to detect via standard monitoring. As soon as attackers maintain a captured token, they will instruct Claude to make the API calls. Each ensuing request originates from Anthropic’s personal infrastructure, carries the person’s authorization and produces exercise that appears similar to regular AI-assisted work. “As soon as the allowed instrument is populated and the belief flags are flipped, there’s nothing left in Claude to push again on what the attacker is doing,” Cohen mentioned.
“It’s not detection-evasion,” Cohen mentioned. “It’s detection-elimination. The platform just isn’t malicious. It’s not compromised. It’s doing precisely what it’s designed to do, executing user-authorized actions on user-authorized integrations. The attacker simply slipped into the user-authorized definition with out anybody noticing.”