Multiple security-relevant disclosures concerning Anthropic's Claude surfaced in early May 2026. Mitiga Labs detailed an MCP hijacking technique against Claude Code in which a malicious npm package modifies ~/.claude.json to interpose itself on MCP traffic and exfiltrate OAuth tokens that grant broad access to all connected tools. Adversa AI separately published 'TrustFall,' showing that Claude Code v2.1+ removed the prior MCP warnings from its trust dialog, so that a malicious repository shipping an MCP server together with an auto-approving .claude/settings.json can achieve one-keypress, unsandboxed RCE (and zero-prompt RCE on CI runners); Cursor, Gemini CLI, and Copilot CLI are similarly affected. Dragos and Gambit Security also reported that a threat actor abused Claude (alongside GPT) as an operational engine during a January 2026 intrusion at a Monterrey, Mexico water utility, with Claude generating a 17,000-line Python intrusion framework and guiding the actor toward OT assets as part of a broader campaign against Mexican government targets. Defenders using Claude Code should audit ~/.claude.json, restrict MCP server trust, and monitor for malicious npm lifecycle hooks pending vendor mitigations.
- Claude AI Guided Hackers Toward OT Assets During Water Utility I
- Claude Code OAuth Tokens Can Be Stolen Through Stealthy MCP Hija
- TrustFall: coding agent security flaw enables one-click RCE in C
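As an added example, not code from any of the cited reports or from Anthropic, the following Python script implements two of the defender actions listed above: diffing the MCP server entries in ~/.claude.json against an allowlist (so a rewritten command or URL, or an unexpected new server, is flagged) and listing npm lifecycle hooks in installed packages. It assumes that ~/.claude.json keeps MCP server definitions under a top-level `mcpServers` object and per-project ones under `projects[<path>].mcpServers` (an assumption about the file layout, not confirmed by the page); the sample config, allowlist and package data are constructed so the script runs offline.

```python
"""Audit ~/.claude.json MCP entries and npm lifecycle hooks.

Added example; not from the cited reports. Layout assumption (not verified
here): ~/.claude.json has a top-level "mcpServers" map of name -> spec with
"command"/"args" (stdio) or "url" (remote), and per-project entries under
"projects"[<path>]["mcpServers"].
"""
import json
from pathlib import Path

# npm runs these scripts automatically around install time.
NPM_LIFECYCLE_HOOKS = {"preinstall", "install", "postinstall", "prepare", "prepublish"}
# Flags that let an interpreter run code passed inline as an argument.
INLINE_CODE_FLAGS = {"-c", "-e", "--eval"}


def _iter_mcp_servers(cfg):
    """Yield (scope, name, spec) for global and project-scoped MCP entries."""
    for name, spec in (cfg.get("mcpServers") or {}).items():
        yield "global", name, spec
    for proj, pcfg in (cfg.get("projects") or {}).items():
        for name, spec in (pcfg.get("mcpServers") or {}).items():
            yield proj, name, spec


def audit_claude_json(cfg, allowlist):
    """Return (scope, name, reason, target) findings for MCP server entries.

    allowlist maps server name -> expected command or URL. A server missing
    from the allowlist, or whose target differs from the expected value, is
    flagged; so are plaintext http endpoints and interpreters given inline code.
    """
    findings = []
    for scope, name, spec in _iter_mcp_servers(cfg):
        target = spec.get("url") or spec.get("command") or ""
        expected = allowlist.get(name)
        if expected is None:
            findings.append((scope, name, "unknown MCP server", target))
        elif expected != target:
            findings.append((scope, name, f"target changed from {expected}", target))
        if spec.get("url", "").startswith("http://"):
            findings.append((scope, name, "plaintext http MCP endpoint", target))
        args = spec.get("args") or []
        if any(a in INLINE_CODE_FLAGS for a in args):
            findings.append((scope, name, "inline code passed to interpreter", " ".join(args)))
    return findings


def find_lifecycle_hooks(packages):
    """packages: {pkg_dir: parsed package.json}. Return (name, hook, script, mentions_claude)."""
    hits = []
    for pkg, data in packages.items():
        scripts = data.get("scripts") or {}
        for hook in sorted(NPM_LIFECYCLE_HOOKS & set(scripts)):
            script = scripts[hook]
            # A hook that references the Claude config file is the pattern described above.
            hits.append((data.get("name", pkg), hook, script, ".claude" in script))
    return hits


def load_node_modules(node_modules):
    """Read every package.json under a node_modules tree into the dict shape above."""
    packages = {}
    for pkg_json in Path(node_modules).glob("**/package.json"):
        try:
            packages[str(pkg_json.parent)] = json.loads(pkg_json.read_text())
        except (OSError, ValueError):
            continue
    return packages


# Constructed sample data (not real configs) so the script runs offline.
SAMPLE_ALLOWLIST = {"filesystem": "npx", "docs": "https://mcp.example.internal/sse"}
SAMPLE_CLAUDE_JSON = {
    "mcpServers": {
        "filesystem": {"command": "npx", "args": ["-y", "example-mcp-server", "/tmp"]},
        "docs": {"url": "http://127.0.0.1:8080/proxy"},  # rewritten to a local proxy
        "helper": {"command": "node", "args": ["-e", "require('/tmp/x.js')"]},
    },
    "projects": {
        "/home/dev/app": {
            "mcpServers": {"filesystem": {"command": "npx", "args": ["-y", "example-mcp-server", "/home/dev/app"]}}
        }
    },
}
SAMPLE_PACKAGES = {
    "node_modules/left-pad": {"name": "left-pad", "scripts": {"test": "node test.js"}},
    "node_modules/evil-helper": {"name": "evil-helper", "scripts": {"postinstall": "node setup.js --patch ~/.claude.json"}},
}

if __name__ == "__main__":
    cfg_path = Path.home() / ".claude.json"
    cfg = json.loads(cfg_path.read_text()) if cfg_path.exists() else SAMPLE_CLAUDE_JSON
    for finding in audit_claude_json(cfg, SAMPLE_ALLOWLIST):
        print("MCP:", *finding)
    packages = load_node_modules("node_modules") if Path("node_modules").is_dir() else SAMPLE_PACKAGES
    for hit in find_lifecycle_hooks(packages):
        print("HOOK:", *hit)
```

Replace SAMPLE_ALLOWLIST with the servers you actually configured; the allowlist is the baseline that makes a rewritten entry visible, so record it when the config is known-good rather than reconstructing it after an incident.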