"I expected pushback, especially on a file Claude itself depends on. It didn't happen," Idan Cohen told ISMG — and that surprise sits at the center of a proof-of-concept attack that can turn routine token rotation into a continuous, automated compromise.
How Idan Cohen's five-step attack chain works
Mitiga researcher Idan Cohen laid out a compact, five-step chain that requires no zero-day, privilege escalation, or novel vulnerability: only one malicious npm package whose install script is allowed to run on a developer's machine. The package contains a script that executes automatically on installation and targets common developer directory paths. The install script pre-approves trust in those directories so Claude Code stops prompting the user, rewrites the model context protocol (MCP) server address in ~/.claude.json to point at an attacker-controlled proxy, and reasserts that change each time Claude Code loads.
From that point on, every authorization handshake between Claude Code and a linked service (Jira, Confluence, GitHub, and others named in the report) routes through the proxy. The upstream provider sees a valid bearer token arriving from Anthropic's network — the expected origin — and the attacker captures the token as it transits. Security researchers have flagged automatic installation scripts as a persistent supply-chain risk, with roughly 30 CVEs filed against MCP infrastructure in just the first two months of 2026, the report notes.
~/.claude.json, MCP, and why a single file matters
The attack centers on ~/.claude.json, the per-user settings file Claude Code stores in each developer's home directory. Cohen describes it as the agent's "master control document." It holds bearer tokens in plaintext, the trust flags that determine whether Claude Code prompts before executing, and the routing addresses that tell the agent where to send credentials. Any process running as the logged-in user can edit that file without special system privileges.
Because token storage, trust configuration and routing are all collapsed into one editable file, the report argues, there is a mismatch between what ~/.claude.json controls and what it takes to modify it: the file governs authenticated access to every connected service, yet any code running as the user can rewrite it. When developers authorize Claude Code to access an external service, the tool receives a bearer token whose scope is fixed until expiration or revocation; that token lives in plaintext inside the same document attackers can rewrite.
Why rotating credentials can make the problem worse
Cohen's demonstration shows token rotation — the standard incident response — can actually reinforce the compromise. The malicious script reasserts the rewritten MCP endpoint each time Claude Code loads, so when a security team rotates a suspected token, the next authorization request routes through the attacker's proxy and yields a fresh token for the attacker to capture. "Token rotation reinforces the compromise because the proxy is still in the loop," Cohen said. "The next refresh token comes through the attacker too."
Moving token storage to a system keychain, the secure credential store built into many operating systems, would not break the chain, the report warns: the attacker does not need to read the token from disk, because the rewritten routing delivers each new token to the proxy in transit. Nor would conventional monitoring reliably detect the misuse: requests initiated by the attacker via the compromised setup originate from Anthropic's infrastructure, carry valid user authorizations, and look identical to normal AI-assisted activity. "It is not detection-evasion," Cohen said. "It is detection-elimination. The platform is not malicious. It is not compromised. It is doing exactly what it is designed to do, executing user-authorized actions on user-authorized integrations."
Anthropic's response and Cohen's technical mitigations
Anthropic reviewed the report and characterized the attack as out of scope on the grounds that it requires an attacker to already have code execution on the developer's machine. Cohen agreed that local code execution is a prerequisite but argued the impact differs qualitatively: compromising an AI agent's configuration can grant authenticated access to every connected service the agent is allowed to use, rather than exposing only the files and environment of a single endpoint. "Vendors are treating AI agent vulnerabilities like ordinary CLI tool bugs," he said, "but once an attacker gets in, the impact is very different."
Cohen's recommended technical mitigations are precise: sign MCP server identities and pin them on first use; bind refresh tokens to a server fingerprint; require full re-authorization when any endpoint changes; and add client attestation so the software proves it is running in an unmodified state before being granted access. "Sign MCP server identities and validate them at session start, and the file becomes neutered. Even editable, you can't redirect anywhere," he said.
What this means for developers, security teams, and vendors
- Developers: Be cautious with npm packages that run scripts on install (npm's --ignore-scripts option disables those hooks) and with pre-approving trust in common directories; the report shows a single editable ~/.claude.json can be used to reroute credentials.
- Security teams and enterprises: Token rotation alone may be insufficient and can renew an attacker's access if the agent's endpoint routing remains compromised; defenders should consider endpoint-binding or reauthorization controls in addition to rotation.
- Vendors (agent and platform providers): Treat agent configuration and MCP routing as first-class security controls — add server identity binding, endpoint-change reauthorization, and client attestation rather than assuming a local code-execution prerequisite limits impact.
The proof-of-concept lays bare a narrow but powerful attack surface: a single editable configuration file, an automatic-install script in a widely used package manager, and a protocol that accepts bearer tokens without endpoint binding. Cohen's fixes are technical and specific; until they are adopted, rotation may not only fail to stop abuse but actively replenish it. For defenders, the takeaway is blunt: securing credentials requires securing the routing and trust decisions that hand them out.