TL;DR

Researchers and security writers have tied three Claude Code issues to a common risk: local agent configuration and MCP connectors can become active paths for token theft or code execution. Anthropic patched two Check Point CVEs, while a Mitiga Labs token-theft chain is described in the source material as still live and treated by Anthropic as out of scope.

Security researchers have reported three Claude Code security issues that could turn local configuration, MCP integrations and repository hooks into paths for token theft or code execution, a development that matters because coding agents often sit next to source code, SaaS accounts and developer credentials.

According to the Thorsten Meyer AI dispatch, Mitiga Labs described a token-theft chain in which a malicious npm package uses a post-install hook to rewrite ~/.claude.json, redirect authenticated Model Context Protocol traffic and capture long-lived OAuth tokens for services such as GitHub, Jira and Confluence. The dispatch says that path remains live and has no product patch.

Check Point Research reported two separate flaws: CVE-2025-59536, described as remote code execution through repository hooks, and CVE-2026-21852, described as API-key exfiltration. The source material says Anthropic patched those issues after responsible disclosure.

SecurityWeek and all-about-security also reported that a packaging error exposed unencrypted source code, which the dispatch says is now being used in fake GitHub repositories and social-engineering lures that push malware. The degree of real-world uptake by attackers is not quantified in the material provided.

ThorstenMeyerAI.com · AI Dispatch ● Reality Check · Dev-Tool Security · June 2026
Claude Code · MCP · Agentic Dev-Tool Security

Your Coding Agent Is an Attack Surface

● Security

Three disclosed flaws turned Claude Code’s local config and MCP integrations into silent paths for token theft and code execution. Some fixes are yours to make, and the lesson applies to every agentic dev tool, not just this one.

01 Three disclosures, one theme

The config files most teams treat as passive metadata are, in practice, active execution paths.

Mitiga Labs · Silent token theft · ● Live, no patch
A malicious npm package rewrites ~/.claude.json, reroutes MCP traffic, and intercepts long-lived OAuth tokens for GitHub, Jira, Confluence.

Check Point Research · Code execution before the prompt · ● Patched
CVE-2025-59536 (RCE via repo hooks) and CVE-2026-21852 (API-key exfiltration). Just cloning an untrusted repo was enough.

SecurityWeek · all-about-security · Source leak → malware lure · ● Active lure
A packaging error exposed unencrypted source. Now fuel for fake GitHub repos pushing trojans via social engineering.

02 The token-theft chain

How the unpatched Mitiga path works — at the level its researchers published. (Defensive overview, no exploit detail.)

01 · bait
A malicious npm package poses as a harmless utility.
02 · rewrite
A post-install hook silently rewrites ~/.claude.json.
03 · reroute
Claude Code’s authenticated MCP traffic is redirected to attacker infrastructure.
04 · siphon
Long-lived OAuth tokens for every connected SaaS are captured in transit.
And it’s invisible: the source IP traces to Anthropic’s egress range, the user is real, the session is valid. Nothing in the logs is wrong — and nothing is right.
03 Why this is worse than browser phishing
Adversary-in-the-Middle
Targets a browser session
Slips between you and the service, waits for login, lifts the session token. Bad — but bounded to the browser.
A coding agent
Sits next to everything that matters
Source code, internal APIs, cloud infrastructure, production keys. A stolen agent token reaches further than a stolen browser session ever could.
Passive metadata → active execution path
config file → traffic router
repo hook → pre-consent RCE
env variable → token redirect
MCP token → SaaS access
04 The defense playbook

For teams running Claude Code — or any coding agent — in production.

01 · Patch & update first
Current versions fix the Check Point CVEs, which makes updating the cheapest win.

02 · Watch ~/.claude.json
Treat new MCP endpoints, proxy addresses, or OAuth-refresh changes as an alarm.

03 · Gate npm post-install hooks
Review what runs at install time, across all dev tools, not just this one.

04 · Clean the host, then rotate
Rotation alone won’t break the chain if the hook remains. Remove it first, then rotate tokens.

05 · Least-privilege MCP
Narrow scopes; audit via /permissions; disconnect what you don’t use.

06 · Sandbox & verify provenance
Isolate sessions, keep prod secrets off the workstation, distrust unfamiliar repos.
05 The honest read
◆ Credit where due

Anthropic patched the Check Point CVEs fast — responsible disclosure worked. The npm post-install hook is an industry-wide supply-chain risk class, not Anthropic’s invention.

⬛ The uncomfortable part

Anthropic calls the Mitiga chain “out of scope.” But consenting to install a package isn’t consenting to having your SaaS credentials intercepted — and plaintext tokens in the router file turn a generic risk into a specific one.

Don’t wait for a patch that may never come. Treat the agent’s config as production code — because it is.

Independent commentary, produced with AI assistance under human editorial oversight; the views are the author’s own and may change. This is security analysis and opinion, not professional security, legal, or financial advice; verify specifics against vendor advisories and the primary research before acting. It describes publicly disclosed vulnerabilities at the level reported by their researchers and is for defensive purposes only — no exploit code or attack instructions. Sources: Computerwoche (Anjali Gopinadhan Nair), Mitiga Labs, Check Point Research, SecurityWeek, all-about-security, and Anthropic’s documentation, read as of June 2026. References to companies, researchers, and CVEs are factual and analytical and imply no affiliation or endorsement.

ThorstenMeyerAI.com · AI Dispatch · Reality Check · June 2026 · © 2026 Thorsten Meyer

Agent Tokens Reach Developer Systems

The disclosures point to a security problem that differs from ordinary browser phishing. A stolen browser session is usually tied to one web app, while a coding agent may have access to repositories, internal APIs, cloud tooling and project secrets through local files and MCP connectors.

The Mitiga scenario matters because logs may show a real user, a valid session and traffic that appears to come through expected infrastructure, according to the dispatch. That can make detection harder for teams that rely mainly on login anomalies or unfamiliar source IP addresses.


Disclosures Center on Claude Code

Claude Code is part of a wider shift toward agentic developer tools that can read repositories, call tools and act on a workstation. The same design that lets an agent automate work also means local config files, environment variables, repo hooks and MCP endpoints can carry security weight.

The source material credits Anthropic with patching the Check Point CVEs quickly and frames the npm post-install hook risk as a supply-chain class that is not unique to Anthropic. It also says Anthropic has treated the Mitiga token-routing chain as out of scope, leaving mitigation to teams using the tool.

“The config files most teams treat as passive metadata are, in practice, active execution paths.”

— Thorsten Meyer AI dispatch


Patch Boundaries Remain Disputed

It is not yet clear from the provided material how many organizations, if any, have been compromised through the Mitiga chain or the fake-repository malware lures. The material also does not quantify how often Claude Code deployments use long-lived OAuth tokens or broad MCP scopes.

The main disputed point is responsibility for the token-routing risk. The dispatch argues that consenting to install a package is not consent to have SaaS credentials intercepted, while Anthropic is described as treating that path as outside its patch scope.


Teams Move to Harden Agents

Teams using Claude Code or similar tools are being urged in the source material to update to patched versions, audit ~/.claude.json, watch for new MCP endpoints or proxy settings, and review npm post-install hooks before trusting a development machine.

The dispatch recommends removing any malicious hook or host compromise before rotating tokens, then narrowing MCP scopes, auditing permissions and keeping production secrets off developer workstations where possible.


Key Questions

What is the actual news here?

The news is that recent research and security reporting have linked Claude Code configuration, MCP integrations and repo hooks to token-theft and code-execution risks.

Are all the Claude Code issues patched?

No. The source material says Anthropic patched the two Check Point CVEs, but the Mitiga Labs token-theft chain is described as live and unpatched.

What should teams check first?

Teams should update Claude Code, inspect ~/.claude.json, review MCP endpoints and proxy settings, and examine npm post-install hooks before rotating affected tokens.

Does this only affect Claude Code?

The reports focus on Claude Code, but the risk pattern applies to coding agents that combine local machine access, SaaS credentials, repository automation and third-party tool connectors.

Source: Thorsten Meyer AI
