Three critical vulnerabilities in Anthropic's Claude Code AI development tool exposed developers to remote code execution and API credential theft simply by opening project repositories, according to security researchers who discovered the flaws last year.
Check Point Software researchers found that malicious configurations embedded in repository files could execute arbitrary shell commands on developers' machines without user consent.
The vulnerabilities exploited Claude Code's Hooks feature, Model Context Protocol integration, and environment variable settings to bypass built-in safeguards. The first flaw allowed attackers to define malicious hooks in .claude/settings.json configuration files that would automatically execute when developers opened projects. Researchers demonstrated this by creating a hook that opened a calculator app immediately upon project initialization, with no warning or approval prompt required.
"An attacker could configure the hook to execute any shell command, such as downloading and running a malicious payload," Check Point researchers Aviv Donenfeld and Oded Vanunu wrote in their report.
A second vulnerability bypassed user consent dialogs for MCP server configurations using repository-controlled settings that automatically approved all servers. Commands executed before users could even read trust warnings, with researchers demonstrating complete machine compromise through reverse shells.
The third flaw enabled API key theft by redirecting Claude Code's communications through attacker-controlled servers via ANTHROPIC_BASE_URL environment variable manipulation. Every API request included full authorization headers with API keys exposed in plaintext before users confirmed trust dialogs.
Stolen API keys provided access to Claude's Workspaces feature, allowing attackers to read, modify, or delete shared team files stored in cloud environments. Researchers confirmed they could bypass download restrictions by regenerating files through Claude's code execution tool, converting them into downloadable artifacts.
All three vulnerabilities have been patched following coordinated disclosure between Check Point and Anthropic throughout 2025 and early 2026. The first hook vulnerability was reported July 21, 2025, with fixes implemented by August 29 and assigned GitHub Security Advisory GHSA-ph6w-f82w-28w6. The MCP bypass was reported September 3 and fixed later that month, receiving CVE-2025-59536 on October 3. API key exfiltration was reported October 28 and fixed by December 28, with CVE-2026-21852 published January 21.
"The ability to execute arbitrary commands through repository-controlled configuration files created severe supply chain risks," Donenfeld and Vanunu stated. "A single malicious commit could compromise any developer working with the affected repository."
These vulnerabilities highlight how AI-powered development tools introduce novel attack surfaces not present in traditional development environments. Configuration files that previously contained only passive settings now control active execution paths, creating supply chain threats where malicious code spreads through trusted development channels like pull requests or internal repositories.
Anthropic has implemented enhanced warning dialogs that appear when users open projects containing untrusted configurations and deferred network operations until after explicit user consent. The company plans additional security hardening features for release in coming months while recommending developers use the latest version of Claude Code for protection.
