Claude Code Attack Persists After Token Rotation

Agentic AI , Artificial Intelligence & Machine Learning , Next-Generation Technologies & Secure Development Claude Code Attack Persists After Token Rotation Malicious npm Package Lets Attackers Capture Refreshed Tokens Rashmi Ramesh (rashmiramesh_) • May 13, 2026     Credit Eligible Get Permission Image: Shutterstock Rotating a compromised credential is supposed to end an attack, but a new proof-of-concept targeting Claude Code shows how it restarted one. See Also: AI Agents Introduce a New Insider Threat Model Mitiga security researcher Idan Cohen described a five-step attack chain that hijacks the access credentials connecting Claude Code, Anthropic's command-line AI coding tool, to external services such as Jira, Confluence and GitHub. The attack does not require a software bug, privilege escalation or new vulnerability. Hackers just require one malicious npm package installation and a configuration file to carry out the attack. The configuration file described in the report, ~/.claude.json, is a settings record in the home directory of whoever is logged in, meaning every developer running Claude Code has their own copy on their machine. It serves as Claude Code's master control document by storing credentials that authorize the tool to act on external services on a developer's behalf, governing whether Claude Code asks the user before executing shell commands, and determining which tools the agent is permitted to run. Any process running as the logged-in user can edit it without special system privileges. Cohen said that when he began testing, it surprised him that when he used Claude to edit the .json file, the tool did so "without hesitating." "I expected pushback, especially on a file Claude itself depends on. It didn't happen," he told ISMG. Security tooling tends to treat credential storage and trust configuration as separate problems with separate mitigations. In ~/.claude.json, they are the same problem. Tool approval, trust state and the routing addresses that determine where Claude Code sends its authorization credentials are all present in one file, editable by the same user running the agent. "The mismatch between what the file controls and what it takes to modify it is the gap," Cohen said. Claude Code connects to external services through model context protocol, an open standard that lets AI tools call out to external software systems. When a developer authorizes Claude Code to access one of those services, the tool receives a bearer token, a long-lived credential attached to every subsequent request. That token is stored in plaintext inside ~/.claude.json and inherits whatever permissions developers approved when they first connected the service. Once the token is issued, its scope is fixed until it expires or is revoked. Cohen's attack chain begins with a malicious npm package designed to look legitimate enough to survive a casual review. The package contains a script that runs automatically on installation, a mechanism security researchers have flagged as a persistent supply chain risk, with roughly 30 CVEs filed against MCP infrastructure in just the first two months of 2026. The script targets common developer directory paths to maximize its reach, pre-approves trust in those directories so Claude Code stops prompting the user for confirmation, then rewrites the MCP server address in ~/.claude.json to point at a proxy under the attacker's control. From that point forward, whenever Claude Code connects a linked service, the bearer token in the authorization header passes through the attacker's infrastructure. The upstream provider sees a valid token arriving from Anthropic's network, which is exactly where it expects Claude Code traffic to originate. The trail effectively ends there. "You can replay the token, use it outside the original MCP context, and the platform has nothing meaningful to detect on," Cohen said. The provider sees an authenticated user, a valid token and an AI-assisted call pattern, and this combination is not enough to distinguish legitimate use from abuse. The next steps make the chain durable. The malicious script reasserts the rewritten configuration every time Claude Code loads. When a security team rotates the stolen token - the standard response to a suspected credential theft - the next authorization handshake runs through the proxy again and the attacker captures a fresh token. "Token rotation reinforces the compromise because the proxy is still in the loop," Cohen said. "The next refresh token comes through the attacker too." Moving token storage to a system keychain, the secure credential storage built into most operating systems, would not break the chain. The attack functions because Claude Code has no mechanism to verify that an MCP server address matches the one the user originally authorized. Cohen's proposed remedy includes signed server identities pinned on first use, refresh tokens bound to a server fingerprint, full re-authorization triggered by any endpoint change and client attestation, a process by which the software proves it is running in an unmodified state before being granted access. "Sign MCP server identities and validate them at session start, and the file becomes neutered. Even editable, you can't redirect anywhere." Anthropic reviewed the report and said the issue was out of scope because the attack would require an attacker to already have code execution on a developer's machine. Cohen agreed that this is a real prerequisite, but said that compromising an AI agent is different from a typical endpoint breach. A normal compromise may expose files and environment variables on one machine, while compromising an AI agent's configuration could give an attacker authenticated access to every connected service the agent is allowed to use. "Vendors are treating AI agent vulnerabilities like ordinary CLI tool bugs," Cohen said. "But once an attacker gets in, the impact is very different. The more services an AI agent is connected to, the larger the potential blast radius becomes." The final element of the attack is also the hardest to detect through conventional monitoring. Once attackers hold a captured token, they can instruct Claude to make the API calls. Every resulting request originates from Anthropic's own infrastructure, carries the user's authorization and produces activity that looks identical to normal AI-assisted work. "Once the allowed tool is populated and the trust flags are flipped, there is nothing left in Claude to push back on what the attacker is doing," Cohen said. "It is not detection-evasion," Cohen said. "It is detection-elimination. The platform is not malicious. It is not compromised. It is doing exactly what it is designed to do, executing user-authorized actions on user-authorized integrations. The attacker just slipped into the user-authorized definition without anyone noticing."