TL;DR

A June 2026 security report links three Claude Code risk paths to local config changes, MCP integrations, repo hooks and fake GitHub lures. Check Point’s reported CVEs are described as patched, while Mitiga Labs’ npm-based token-theft chain is described as live and outside Anthropic’s patch scope.

Security researchers have disclosed Claude Code attack paths that can turn local configuration files, repository hooks and Model Context Protocol integrations into routes for token theft or code execution, according to a June 2026 Thorsten Meyer AI dispatch citing Mitiga Labs, Check Point Research, SecurityWeek and other sources. The findings matter because coding agents often run on developer machines with access to source code, SaaS accounts and internal systems.

The report describes three related disclosures. Mitiga Labs reported a still-live chain in which a malicious npm package can rewrite ~/.claude.json, reroute Claude Code’s authenticated MCP traffic and intercept long-lived OAuth tokens for connected services such as GitHub, Jira and Confluence.

Check Point Research reported two vulnerabilities: CVE-2025-59536, described as remote code execution through repository hooks, and CVE-2026-21852, described as API-key exfiltration. The source material says Anthropic patched those issues after disclosure.

SecurityWeek and all-about-security are cited for reporting a separate source-leak issue that became a lure for fake GitHub repositories pushing malware through social engineering. The available material does not establish that all three strands were used together in a single campaign.

ThorstenMeyerAI.com · AI Dispatch ● Reality Check · Dev-Tool Security · June 2026

Claude Code · MCP · Agentic Dev-Tool Security

Your Coding Agent Is an Attack Surface

● Security

Three disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make — and the lesson applies to every agentic dev tool, not one.

01 Three disclosures, one theme

The config files most teams treat as passive metadata are, in practice, active execution paths.

Mitiga Labs

Silent token theft

A malicious npm package rewrites ~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira, Confluence.

● Live · no patch

Check Point Research

Code execution before the prompt

CVE-2025-59536 (RCE via repo hooks) and CVE-2026-21852 (API-key exfiltration). Just cloning an untrusted repo was enough.

● Patched

SecurityWeek · all-about-security

Source leak → malware lure

A packaging error exposed unencrypted source. Now fuel for fake GitHub repos pushing trojans via social engineering.

● Active lure

02 The token-theft chain

How the unpatched Mitiga path works — at the level its researchers published. (Defensive overview, no exploit detail.)

01 · bait

A malicious npm package poses as a harmless utility.

→

02 · rewrite

A post-install hook silently rewrites ~/.claude.json.

→

03 · reroute

Claude Code’s authenticated MCP traffic is redirected to attacker infrastructure.

→

04 · siphon

Long-lived OAuth tokens for every connected SaaS are captured in transit.

And it’s invisible: the source IP traces to Anthropic’s egress range, the user is real, the session is valid. Nothing in the logs is wrong — and nothing is right.

03 Why this is worse than browser phishing

Adversary-in-the-Middle

Targets a browser session

Slips between you and the service, waits for login, lifts the session token. Bad — but bounded to the browser.

A coding agent

Sits next to everything that matters

Source code, internal APIs, cloud infrastructure, production keys. A stolen agent token reaches further than a stolen browser session ever could.

Passive metadata → active execution path

config file

→

traffic router

repo hook

→

pre-consent RCE

env variable

→

token redirect

MCP token

→

SaaS access

04 The defense playbook

For teams running Claude Code — or any coding agent — in production.

Patch & update first

Current versions fix the Check Point CVEs — the cheapest win.

Watch ~/.claude.json

Treat new MCP endpoints, proxy addresses, or OAuth-refresh changes as an alarm.

Gate npm post-install hooks

Review what runs at install time — across all dev tools, not just this one.

Clean the host, then rotate

Rotation alone won’t break the chain if the hook remains. Remove it first, then rotate tokens.

Least-privilege MCP

Narrow scopes; audit via /permissions; disconnect what you don’t use.

Sandbox & verify provenance

Isolate sessions, keep prod secrets off the workstation, distrust unfamiliar repos.

05 The honest read

◆ Credit where due

Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.

⬛ The uncomfortable part

Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.

Don’t wait for a patch that may never come. Treat the agent’s config as production code — because it is.

Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.

Agent Tokens Reach Farther

The risk extends beyond ordinary browser phishing because a coding agent can sit next to source repositories, internal APIs, cloud tooling and production credentials. If an attacker obtains a valid agent-connected token, activity may appear to come from a real user and approved infrastructure rather than from a new suspicious login.

The report’s core warning is that files many teams treat as passive settings can become active routes for commands and credentials. That changes how developer workstations, package installs and MCP connectors need to be monitored.

Software Security for Developers

As an affiliate, we earn on qualifying purchases.

Three Disclosures Around Claude Code

Claude Code is Anthropic’s agentic coding tool. Developers can connect it to services through MCP and other integrations, giving the agent access to tools and data needed for software work.

The Thorsten Meyer AI dispatch frames the disclosures as a wider category risk for agentic developer tools, not a claim that Claude Code is uniquely unsafe. It credits Anthropic with patching the Check Point issues, while saying the Mitiga chain remains unresolved because Anthropic treats the npm post-install path as outside scope.

“silent token theft”
— Mitiga Labs

Malware Analyst's Cookbook and DVD: Tools and Techniques for Fighting Malicious Code

As an affiliate, we earn on qualifying purchases.

Evidence Gaps Remain Public

The available material does not say whether any company has confirmed a breach through the Mitiga chain, how widely malicious packages have been used, or whether Anthropic will change its scope decision. It also does not provide public telemetry showing how many developers run Claude Code with long-lived SaaS tokens exposed through MCP-related configuration.

The fake-repository malware activity is described as active in the source material, but the scale, victims and attribution are not established there.

Getting Started with OpenSSF Scorecard and Allstar: an essential guide to demystifying repository security (Fewer Incidents)

As an affiliate, we earn on qualifying purchases.

Patch Hosts Before Rotation

Teams using Claude Code are being advised to update to current versions, inspect ~/.claude.json, and review MCP endpoints, proxy addresses and OAuth refresh settings. The guidance also calls for review of npm post-install hooks before package use.

If compromise is suspected, the source says teams should clean the host first and then rotate tokens, because rotating credentials without removing the hook may leave the route in place. Teams are also told to narrow MCP permissions, disconnect unused services, sandbox coding-agent sessions and keep production secrets off developer workstations where possible.

Cloud Native Data Security with OAuth: A Scalable Zero Trust Architecture

As an affiliate, we earn on qualifying purchases.

Key Questions

Was Claude Code itself confirmed to be breached?

The source material does not report a confirmed breach of Anthropic’s systems. It describes disclosed attack paths affecting developer environments, local configuration and connected services.

Is there a patch for the reported issues?

The Check Point Research vulnerabilities are described as patched. The Mitiga Labs token-theft chain is described as live because Anthropic treated the npm post-install path as outside scope.

What should teams check first?

Teams should update Claude Code, inspect ~/.claude.json, review MCP endpoints and OAuth settings, and audit package install hooks that can run code on developer machines.

Does this affect only Claude Code?

The disclosures focus on Claude Code, but the report says the same pattern can apply to other agentic developer tools that combine local execution, connector tokens and broad workspace access.

Source: Thorsten Meyer AI

Your Coding Agent Is an Attack Surface: The Claude Code Security Reckoning

Up next

7 Best Gaming Laptop Prime Day Deals for 2026

Author

The Earlier Stuff Team

Your Coding Agent Is an Attack Surface