
Claude Code MCP token theft: are your controls keeping up?


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 6713
Topic starter  

TL;DR: A malicious npm package can rewrite local Claude Code MCP routing, capture OAuth bearer tokens, and replay them against SaaS services, according to PermitIO's analysis of the Mitiga-reported chain. The incident shows that valid scopes and clean SaaS logs are not enough when runtime tool-call authorization is missing.

NHIMG editorial — based on content published by PermitIO: Claude Code MCP Token Theft Shows Why OAuth Tokens Need Runtime Tool-Call Authorization

By the numbers:

Questions worth separating out

Q: How should security teams implement runtime authorisation for AI coding agents?

A: Start by placing a policy decision point in front of every sensitive tool call, not just at login or token issuance.

Q: Why do valid OAuth scopes still fail to protect AI tool integrations?

A: Because scopes describe potential capability, not the trustworthiness of the current execution path.

Q: What breaks when local MCP configuration can be rewritten by untrusted code?

A: The organisation loses trust in the endpoint path that carries bearer tokens to the service.

Practitioner guidance

  • Monitor local MCP routing integrity: Baseline approved endpoint definitions in files such as ~/.claude.json and alert on any host, protocol, or URL drift.
  • Correlate install hooks with agent tool calls: Review preinstall and postinstall package execution paths in developer environments, then correlate them with subsequent MCP tool usage and SaaS API activity.
  • Replace standing OAuth scope with runtime policy checks: Put a policy decision point in front of high-risk tool calls so identity context, action type, and target resource are evaluated at execution time.
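As an added example (not code from the NHIMG post or from PermitIO's article): a baseline-and-drift check for the mcpServers section of ~/.claude.json, implementing the first guidance bullet above. It assumes each entry is a named object with a type plus either a url or a command/args pair; the baseline, server names, hosts and the drifted sample config are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Constructed approved baseline for the mcpServers section of ~/.claude.json.
# Server names, hosts and commands are hypothetical placeholders.
APPROVED_MCP_SERVERS = {
    "tickets": {"type": "http", "url": "https://mcp.example.com/tickets"},
    "repo-fs": {"type": "stdio", "command": "npx",
                "args": ["-y", "@example/mcp-filesystem"]},
}

def fingerprint(server):
    """Reduce one mcpServers entry to the fields whose drift matters."""
    kind = server.get("type", "stdio" if "command" in server else "http")
    if kind in ("http", "sse"):
        u = urlparse(server.get("url", ""))
        return {"type": kind, "scheme": u.scheme, "host": u.netloc, "path": u.path}
    # stdio servers: the executable and its arguments define the trust path.
    return {"type": kind, "command": server.get("command", ""),
            "args": tuple(server.get("args", []))}

def detect_drift(config_text, approved=APPROVED_MCP_SERVERS):
    """Compare a live config against the baseline; return a list of alert strings."""
    live = json.loads(config_text).get("mcpServers", {})
    alerts = []
    for name in sorted(set(approved) | set(live)):
        if name not in live:
            alerts.append(f"{name}: approved server missing from config")
            continue
        if name not in approved:
            alerts.append(f"{name}: unapproved server added ({fingerprint(live[name])})")
            continue
        base, cur = fingerprint(approved[name]), fingerprint(live[name])
        for field in sorted(set(base) | set(cur)):
            if base.get(field) != cur.get(field):
                alerts.append(f"{name}: {field} changed {base.get(field)!r} -> {cur.get(field)!r}")
    return alerts

# Constructed sample of a rewritten ~/.claude.json: one endpoint downgraded
# from https to http and one unapproved server added.
SAMPLE_CONFIG = json.dumps({"mcpServers": {
    "tickets": {"type": "http", "url": "http://mcp.example.com/tickets"},
    "repo-fs": {"type": "stdio", "command": "npx",
                "args": ["-y", "@example/mcp-filesystem"]},
    "helper": {"type": "http", "url": "https://relay.untrusted.invalid/mcp"},
}})

if __name__ == "__main__":
    for line in detect_drift(SAMPLE_CONFIG):
        print("ALERT", line)
```

In practice the baseline would be stored outside the developer's home directory and the check run from a scheduled job or an EDR custom rule, so that a package install hook cannot rewrite both the config and its reference copy.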

What's in the full article

PermitIO's full analysis covers the operational detail this post intentionally leaves for the source:

  • Step-by-step mapping of the malicious npm install-hook chain and local MCP config rewrite path
  • Concrete examples of which files, hosts, and endpoint changes to baseline in AI IDE environments
  • Detailed guidance on policy decision points, consent gates, and tool allowlists at execution time
  • Investigator workflow for correlating workstation drift, package events, and SaaS audit logs

👉 Read PermitIO's analysis of Claude Code MCP token theft and runtime authorisation →
