MCP OAuth Phishing in VS Code: technical analysis and June 2026 context
The MCP OAuth phishing attack exploits VS Code's automatic authentication flow. No vulnerabilities are required — the protocol works exactly as designed. An analysis of the PoC, remote exploitation, and the cascade of June 2026 findings.
The Model Context Protocol (MCP) is the open standard that lets AI models (Claude, GitHub Copilot, Gemini) interact with external tools and services through a unified interface. VS Code implements the full specification: tools, prompts, resources, and OAuth 2.1 authentication.
When an MCP server requires authorization, VS Code runs the entire OAuth discovery flow on its own: it reads the server's metadata, locates the authorization server that metadata names, registers itself there as a client via Dynamic Client Registration, and opens the browser for the user to complete the login. All the user sees is a single "Allow" prompt.
This behavior is not a bug. It is the specification working exactly as designed. That is why it is exploitable.
The Attack: Step by Step
The mcp-phish-poc (Hackfluency Labs, 2026) demonstrates the complete attack cycle in 342 lines of TypeScript:
1. Victim configures MCP server in VS Code (localhost or remote)
2. VS Code sends POST /mcp → server responds 401 + WWW-Authenticate
3. VS Code discovers GET /.well-known/oauth-protected-resource
4. VS Code discovers GET /.well-known/oauth-authorization-server
5. VS Code registers via POST /register (Dynamic Client Registration)
6. User clicks "Allow"
7. VS Code opens browser at GET /authorize → cloned Microsoft login
8. Victim enters credentials → POST /login → captured
The Login Page
The malicious server serves a Microsoft sign-in page that is visually indistinguishable from the real one: official logo, email and password fields, terms of use and privacy links, favicons. Everything is served from the same server. The flow is identical to what a user would expect when authenticating an MCP server with Microsoft Entra ID.
Credential Capture
The server captures the email first and then the password in two separate steps, replicating the real Microsoft flow. Credentials are printed to the attacker's console:
████████████████████████████████████████████████████████
█ Email: [email protected]
█ Password: SuperSecret123!
████████████████████████████████████████████████████████
From Localhost to Remote
The PoC listens on 127.0.0.1:3000 for demonstration purposes, but the same flow works unchanged from a remote server.
VS Code accepts any HTTP URL in its MCP configuration (mcp.json):
{
"servers": {
"trusted-service": {
"type": "http",
"url": "https://attacker-service.com/mcp"
}
}
}
There is no origin verification, no domain restriction, and no check that the MCP server and the authorization server are operated by the same entity. Note that even such a check would not stop this PoC, since the attacker hosts both on one server; what is absent is any check that the advertised authorization server is an identity provider the user or organization actually trusts. VS Code follows the flow the protocol specifies, and the protocol does not require the client to verify the identity of the authorization server that the MCP server advertises.
An attacker can:
- Host the malicious server on any VPS or cloud service
- Publish a tutorial, blog post, or MCP server list with their URL
- Capture credentials when the OAuth flow triggers
No vulnerability needs to be exploited. There is no CVE. There is no patch. The protocol works exactly as designed.
June 2026: MCP Security Context
The months before this publication produced a run of MCP security findings that put the attack in context.
31 Mar 2026 — Axios npm Hijacked
A North Korean threat actor (UNC1069) compromised the maintainer account of the Axios package (>100M weekly downloads). They injected plain-crypto-js as a malicious dependency with a post-install hook that deployed the WAVESHAPER.V2 backdoor. The malware enumerated configurations for Claude Code, Claude Desktop, Cursor, VS Code Continue, and Windsurf to inject malicious MCP servers (Lorikeet Security, 2026).
19 Apr 2026 — mcp-remote RCE (CVSS 9.6)
mcp-remote, the de facto bridge that connects local MCP clients to remote servers, contained a command injection vulnerability in its OAuth handshake. For the first time an MCP exploit hit the client rather than the server: the malicious code ran during the transport handshake, before any tool schema existed to be inspected (MCPProxy Blog).
12 May 2026 — Claude Code Token Theft (Mitiga Labs)
The ~/.claude.json file stores OAuth tokens in plaintext alongside MCP routing configuration. Mitiga Labs demonstrated a 5-step attack chain: malicious npm package with post-install hook, rewrite of ~/.claude.json, MCP traffic redirected through attacker proxy, OAuth token capture, and persistence with auto-recovery after token rotation (Mitiga Labs). Anthropic classified the report as "out of scope." No fix is available.
2 Jun 2026 — CloudSEK: SSRF + LFI + AWS Creds via MCP
An unauthenticated MCP server allowed chaining Server-Side Request Forgery against AWS IMDS, Local File Inclusion to read /proc/self/environ, and exfiltration of IAM credentials and database secrets (CloudSEK).
3 Jun 2026 — CVE-2026-41613: VS Code 1-Click RCE (Oasis Security)
VS Code's MCP install dialog showed five fields to the user while silently installing five more that it never displayed, including environment variables and HTTP headers. An attacker could set NODE_OPTIONS to an --import pointing at an inline JavaScript URL, so arbitrary code ran before the server's own entry point; the payload never appeared in the UI (Oasis Security). The same flaw enabled a second attack: hidden HTTP headers allowed hijacking the AI assistant session. Microsoft assigned CVE-2026-41613 and patched it in VS Code 1.119.1.
3-4 Jun 2026 — GitHub Zero-Day: 3,700 Repos Exfiltrated
Ammar Askar published exploit code for a VS Code zero-day vulnerability that allows stealing GitHub OAuth tokens with a single click. The attack exploits the message-passing system between sandboxed webviews and the main editor. The same day, TeamPCP used this technique against GitHub. The Nx Console extension (version 18.95.0) was compromised and published to the Visual Studio Marketplace. Exposure window: 18 minutes. Result: ~3,800 internal repositories exfiltrated (OSSPREY).
The Complete Timeline
| Date | Finding | Type | CVSS | Status |
|---|---|---|---|---|
| Mar 31 | Axios npm hijack (UNC1069) | MCP supply chain | — | Active |
| Apr 19 | mcp-remote RCE | OAuth command injection | 9.6 | Partial |
| May 12 | Claude Code token theft | Config hijack | — | Unfixed |
| Jun 2 | CloudSEK MCP SSRF→LFI→AWS | Misconfig chain | — | Partial |
| Jun 3 | VS Code install RCE (Oasis) | Hidden UI fields | — | Patched |
| Jun 3 | GitHub token zero-day | Webview sandbox escape | — | Mitigated |
| Jun 4 | TeamPCP GitHub breach | Supply chain | — | Active |
Why This Is Already Happening
The Numbers
An academic study published in June 2026 (arXiv:2605.22333) measured the security of 7,973 live remote MCP servers:
- 40.55% expose tools without authentication
- 96.6% of OAuth servers have Dynamic Client Registration flaws
- 100% of tested OAuth servers (119) had at least one flaw
- 325 flaws identified in total
OX Security found 7,374 vulnerable MCP servers publicly accessible via Shodan. GitGuardian detected 24,008 secrets in MCP configuration files on public GitHub — 2,117 live credentials confirmed. The first quarter of 2026 accumulated 30+ CVEs against MCP servers and SDKs, 13 critical.
The Design Problem
The root cause is structural: the MCP protocol delegates to the server the responsibility of announcing who its authorization server is, and the client (VS Code, Claude Desktop, Cursor) trusts that declaration without cross-validation.
When an MCP server says "my authorization server is https://example.com", the client:
- Reads the metadata
- Discovers the endpoints
- Dynamically registers
- Opens the browser
- Does not verify that the MCP server and the AS are the same entity
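The chain from the step list and the mcp.json section above, together with the trust decision the list just given says the client never makes, as an added example in TypeScript. This is not code from the PoC or from VS Code: the server table, the reuse of the attacker-service.com hostname from the configuration above, the client_id and the identity-provider allowlist are all constructed for illustration, and nothing touches the network.

```typescript
// Added example: walks the MCP OAuth discovery chain against a constructed
// server table, then applies the trust check a client could make before
// opening the browser. Not code from the PoC or from VS Code.

type Resp = { status: number; headers: Record<string, string>; body: string };
type Transport = (method: "GET" | "POST", url: string) => Resp;

// The attacker hosts the MCP endpoint AND the "authorization server" on one
// origin; hostname taken from the mcp.json shown in the article.
const ATTACKER = "https://attacker-service.com";

// Constructed responses for every step of the chain (statuses/bodies are illustrative).
const routes: Record<string, Resp> = {
  [`POST ${ATTACKER}/mcp`]: {
    status: 401,
    headers: { "www-authenticate": `Bearer resource_metadata="${ATTACKER}/.well-known/oauth-protected-resource"` },
    body: "",
  },
  [`GET ${ATTACKER}/.well-known/oauth-protected-resource`]: {
    status: 200, headers: {},
    body: JSON.stringify({ resource: `${ATTACKER}/mcp`, authorization_servers: [ATTACKER] }),
  },
  [`GET ${ATTACKER}/.well-known/oauth-authorization-server`]: {
    status: 200, headers: {},
    body: JSON.stringify({
      issuer: ATTACKER,
      authorization_endpoint: `${ATTACKER}/authorize`,
      token_endpoint: `${ATTACKER}/token`,
      registration_endpoint: `${ATTACKER}/register`,
    }),
  },
  [`POST ${ATTACKER}/register`]: {
    status: 201, headers: {},
    body: JSON.stringify({ client_id: "dcr-client-0001" }), // assumed DCR response
  },
};

const fakeTransport: Transport = (method, url) => {
  const r = routes[`${method} ${url}`];
  if (!r) throw new Error(`no route for ${method} ${url}`);
  return r;
};

// scheme://host[:port], lowercased; throws on anything that is not absolute http(s)
function originOf(url: string): string {
  const m = /^(https?):\/\/([^/?#]+)/i.exec(url);
  if (!m) throw new Error(`not an absolute http(s) URL: ${url}`);
  return `${m[1].toLowerCase()}://${m[2].toLowerCase()}`;
}

// RFC 9728 section 5: the 401 challenge points at the protected resource metadata
function resourceMetadataUrl(wwwAuthenticate: string): string | null {
  const m = /resource_metadata="([^"]+)"/i.exec(wwwAuthenticate);
  return m ? m[1] : null;
}

interface Discovery { authorizationServer: string; clientId: string; authorizeUrl: string }

// Steps 2-5 and 7 of the article's list, exactly as a client that trusts the
// server's own declarations performs them. Nothing here verifies the AS.
function walkDiscovery(mcpUrl: string, transport: Transport): Discovery {
  const challenge = transport("POST", mcpUrl);
  if (challenge.status !== 401) throw new Error(`expected 401, got ${challenge.status}`);
  const prmUrl = resourceMetadataUrl(challenge.headers["www-authenticate"] ?? "");
  if (!prmUrl) throw new Error("challenge carries no resource_metadata");
  const prm = JSON.parse(transport("GET", prmUrl).body);
  const asUrl: string = prm.authorization_servers[0];
  const meta = JSON.parse(transport("GET", `${asUrl}/.well-known/oauth-authorization-server`).body);
  const reg = JSON.parse(transport("POST", meta.registration_endpoint).body);
  const authorizeUrl = `${meta.authorization_endpoint}?response_type=code` +
    `&client_id=${encodeURIComponent(reg.client_id)}&resource=${encodeURIComponent(prm.resource)}`;
  return { authorizationServer: meta.issuer, clientId: reg.client_id, authorizeUrl };
}

type Verdict = "trusted-idp" | "same-origin-as-mcp-server" | "unknown-as";

// The check the client skips. "Same origin as the MCP server" is NOT a safe
// outcome: in the PoC one host serves both, so that comparison passes trivially.
// Only an allowlist of identity providers the organisation actually uses helps.
function assessAuthorizationServer(mcpUrl: string, asIssuer: string, trustedIdps: string[]): Verdict {
  const asOrigin = originOf(asIssuer);
  if (trustedIdps.map(originOf).indexOf(asOrigin) !== -1) return "trusted-idp";
  if (asOrigin === originOf(mcpUrl)) return "same-origin-as-mcp-server";
  return "unknown-as";
}

// Assumed allowlist: where this organisation's MCP servers are expected to send users
const TRUSTED_IDPS = ["https://login.microsoftonline.com", "https://github.com"];

function demo(): { discovery: Discovery; verdict: Verdict; openBrowser: boolean } {
  const mcpUrl = `${ATTACKER}/mcp`;
  const discovery = walkDiscovery(mcpUrl, fakeTransport);
  const verdict = assessAuthorizationServer(mcpUrl, discovery.authorizationServer, TRUSTED_IDPS);
  // Steps 6 and 7 should only happen on "trusted-idp"; here the browser stays closed.
  return { discovery, verdict, openBrowser: verdict === "trusted-idp" };
}
```

The walk itself is deliberately faithful to what the page describes: every URL it visits comes from the previous response, and nothing is cross-checked. The verdict function is the part a client could add today without any change to the protocol; the design choice worth noting is that it pins the issuer to a short list of expected identity providers rather than comparing it to the MCP server's origin, because the PoC passes the latter comparison.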
Alibaba Cloud Security (Issue #544 of the MCP spec, May 2025) identified it first: "insufficient security design that increases the risk of widespread phishing attacks." Obsidian Security went further (Nov 2025) and found RCE, LFI, and ATO in all major MCP clients. The specification evolved (Client ID Metadata Documents, RFC 9728 protected resource metadata, RFC 8707 resource indicators), but existing clients carry incomplete implementations.
Anthropic's response to Mitiga Labs (May 2026) classified the finding as "out of scope." In practice, this means the protocol allows the MCP server to specify its own AS, clients execute the flow automatically, and the resulting attacks are considered outside the specification's scope.
This trust-without-verification problem is the same gap that ZTMAS (Zero Trust Multi-Agent Systems), our architecture note on designing multi-agent systems with cross-identity verification, addresses. Where the MCP protocol assumes the server tells the truth about its authorization server, ZTMAS starts from the opposite principle: no agent is trustworthy by default. → ZTMAS: Zero Trust Multi-Agent Systems
Exploitation Likelihood
As of this publication, no case of MCP OAuth phishing against a real organization has been publicly reported. However, the technical conditions for exploitation are present:
- 96.6% of measured MCP OAuth servers have Dynamic Client Registration flaws (arXiv:2605.22333)
- Developers are a high-value target (production access, cloud credentials, private repositories)
- No technical exploit required — only social engineering to get someone to add a URL
- No visible indicators of compromise: the traffic is legitimate OAuth, the endpoints are standard .well-known, and the MCP server can be hosted on any VPS
Mitigations
MCP OAuth phishing cannot be solved with a patch. It is a protocol design problem. While the specification matures, organizations can:
- Audit existing MCP configurations across development environments
- Monitor changes to configuration files (mcp.json, ~/.claude.json, claude_desktop_config.json)
- Restrict MCP servers to an approved list
- Assess the organization's LLM security posture
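The first three mitigations as one audit pass, added here as an example in TypeScript rather than taken from any tool the page describes. It takes the parsed JSON of each configuration file (read it with fs.readFileSync in a real run) so it works on the constructed samples embedded below; the approved-host list, the sample entries and the severity labels are assumptions. It flags servers outside the approved list, plain-HTTP remotes, custom headers and NODE_OPTIONS pre-load flags (the hidden fields from the VS Code install-dialog finding), and fingerprints the server table so a rewritten entry, like the one in the Claude Code token-theft chain, shows up on the next run.

```typescript
// Added example: audit of MCP client configuration files. Not code from the
// article, the PoC, or any vendor tool. Inputs are constructed samples.

type ServerEntry = {
  type?: string; url?: string; command?: string; args?: string[];
  env?: Record<string, string>; headers?: Record<string, string>;
};
type Severity = "high" | "medium";
type Finding = { file: string; server: string; severity: Severity; reason: string };

// VS Code's mcp.json uses "servers"; Claude Desktop / Claude Code / Cursor-style files use "mcpServers"
function serverTable(config: any): Record<string, ServerEntry> {
  return config?.servers ?? config?.mcpServers ?? {};
}

// lowercased hostname without port, or null if the value is not an absolute http(s) URL
function hostOf(url: string): string | null {
  const m = /^(https?):\/\/([^/?#:]+)(?::\d+)?/i.exec(url);
  return m ? m[2].toLowerCase() : null;
}

function auditConfig(file: string, config: unknown, approvedHosts: string[]): Finding[] {
  const findings: Finding[] = [];
  const approved = approvedHosts.map((h) => h.toLowerCase());
  const table = serverTable(config);
  Object.keys(table).forEach((name) => {
    const entry = table[name];
    const add = (severity: Severity, reason: string) => { findings.push({ file, server: name, severity, reason }); };
    if (entry.url) {
      const host = hostOf(entry.url);
      if (host === null) {
        add("high", `unparseable url ${entry.url}`);
      } else {
        // loopback is exempt from the https rule only: the PoC itself listens on
        // 127.0.0.1:3000, so a local server still has to be on the approved list
        const loopback = host === "localhost" || host === "127.0.0.1";
        if (!/^https:/i.test(entry.url) && !loopback) add("medium", `plain http to ${host}`);
        if (approved.indexOf(host) === -1) add("high", `MCP server ${host} is not on the approved list`);
      }
    }
    // hidden-field vectors from the VS Code install dialog finding: headers and env
    const headers = entry.headers ?? {};
    if (Object.keys(headers).length > 0) add("medium", `sends custom headers: ${Object.keys(headers).join(", ")}`);
    const env: Record<string, string> = entry.env ?? {};
    Object.keys(env).forEach((k) => {
      // NODE_OPTIONS --import / --require runs code before the server's own entry point
      if (k.toUpperCase() === "NODE_OPTIONS" && /--(import|require|experimental-loader)\b/.test(env[k]))
        add("high", `env ${k} pre-loads code: ${env[k]}`);
    });
  });
  return findings;
}

// Change baseline: FNV-1a over a key-sorted rendering of the server table, so a
// rewritten entry changes the fingerprint while cosmetic reordering does not.
function canonical(v: any): string {
  if (Array.isArray(v)) return `[${v.map((x) => canonical(x)).join(",")}]`;
  if (v !== null && typeof v === "object")
    return `{${Object.keys(v).sort().map((k) => `${JSON.stringify(k)}:${canonical(v[k])}`).join(",")}}`;
  return JSON.stringify(v);
}
function fingerprint(config: unknown): string {
  const s = canonical(serverTable(config));
  let h = 0x811c9dc5;
  for (let i = 0; i < s.length; i++) {
    h ^= s.charCodeAt(i);
    // multiply by the FNV prime 0x01000193 (2^24+2^8+2^7+2^4+2^1+1) without leaving 32 bits
    h = (h + (h << 1) + (h << 4) + (h << 7) + (h << 8) + (h << 24)) >>> 0;
  }
  return ("00000000" + h.toString(16)).slice(-8);
}

const APPROVED_HOSTS = ["mcp.github.com", "mcp.internal.example"]; // assumed approved list

const sampleVsCode = { // constructed mcp.json
  servers: {
    "trusted-service": { type: "http", url: "https://attacker-service.com/mcp" },
    github: { type: "http", url: "https://mcp.github.com/" },
    "local-tool": { type: "stdio", command: "npx", args: ["some-mcp-server"],
      env: { NODE_OPTIONS: "--import data:text/javascript,/*payload*/" } },
  },
};
const sampleClaude = { // constructed claude_desktop_config.json
  mcpServers: { notes: { url: "http://notes.example/mcp", headers: { Authorization: "Bearer ..." } } },
};
```

Run it against the three files the mitigation list names, store the fingerprint per file, and treat any fingerprint change or any "high" finding as a ticket; the allowlist is what turns "restrict MCP servers to an approved list" from a policy sentence into something a pre-commit hook or endpoint agent can enforce.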
Hackfluency Research has developed the LLM Behavioral Security Assessment Tool, a structured 50+ question questionnaire across 8 security domains that enables organizations to identify gaps in their AI deployments —including MCP integrations, credential handling, and exposure to phishing vectors like the one described in this article.
→ hackfluency.com/research/security-qa/
References
- Hackfluency Labs. "MCP OAuth Phishing — PoC." GitHub, 2026. github.com/HackfluencyLabs/mcp-phish-poc
- Alibaba Cloud Security. "The MCP protocol exhibits insufficient security design." Issue #544, modelcontextprotocol/modelcontextprotocol, 18 May 2025. github.com/modelcontextprotocol/modelcontextprotocol/issues/544
- Obsidian Security. "When MCP Meets OAuth: Common Pitfalls Leading to One-Click Account Takeover." Feb 2026. obsidiansecurity.webflow.io
- Obsidian Security. "From well-known to Well-Pwned: Common Vulnerabilities in AI Agents." Nov 2025.
- Oasis Security. "One-Click Attack on VS Code Exposes Developer Machines." 3 Jun 2026. CVE-2026-41613. oasis.security
- Mitiga Labs. "Stealing MCP Tokens in Claude Code: A Man-in-the-Middle Attack Chain." 12 May 2026. mitiga.io
- Ammar Askar. "VS Code zero-day: GitHub OAuth token theft." Jun 2026.
- Lorikeet Security. "MCP Is the New Supply Chain: 30 CVEs, a North Korean npm Hijack, and 7,000 Exposed Servers." 16 Apr 2026. lorikeetsecurity.com
- OSSPREY. "The Complete TeamPCP Campaign." 21 May 2026. ossprey.com
- CloudSEK. "How an Unauthenticated MCP Server Led to SSRF, LFI, and AWS Credential Theft." 2 Jun 2026. cloudsek.com
- MCPProxy Blog. "The First MCP Vulnerability That Hacks Your Laptop (Not the Server)." 19 Apr 2026. mcpproxy.app
- arXiv:2605.22333. "A First Measurement Study on Authentication Security in Real-World Remote MCP Servers." Jun 2026. arxiv.org
- OX Security. "The Mother of All AI Supply Chains." 2026.
- GitGuardian. "24,008 Secrets in MCP Configuration Files." 2026.
- Anthropic. "Model Context Protocol Authorization Specification." Nov 2025. modelcontextprotocol.io