Claude Code, one of the most popular command-line AI coding assistants, contained critical vulnerabilities that enabled remote code execution and the theft of sensitive data, bypassing user consent. Attackers could hide malicious instructions in repository-level configuration files.
Check Point researchers discovered that simply opening a malicious repository from GitHub with Claude Code could lead to a compromise. The AI assistant blindly followed hidden instructions and exfiltrated credentials without any warnings or pop-ups.
The researchers created a dummy repository on GitHub and planted malicious instructions in Claude’s configuration files – basically a text document instructing the AI assistant how to operate.
These repository-level configuration files streamline collaboration by detailing many parameters for Claude Code, like automated triggers, known as hooks, Model Context Protocol (MCP) integrations, environment variables, and more.
Attackers can just plant arbitrary shell commands that the assistant will run, leading to the theft of API keys without any user action.
“Simply opening a malicious repository could trigger hidden execution on a developer’s machine – without any additional interaction beyond launching the project,” the Check Point report on the discovered vulnerabilities reads.
If the developer downloads a compromised project containing malicious instructions in the configuration file, the Claude Code could execute them on the system, bypassing built-in consent and trust safeguards.
The researchers demonstrated the exploit, exposing Anthropic API keys and private files on the individual workstation, and claim that the impact could extend to shared enterprise cloud workspaces.
“All without any visible indication that a compromise had already begun. What was intended to optimize collaboration effectively became a silent attack vector within the AI-powered development workflow,” Check Point said.
One of the bugs, labeled CVE-2025-59536, has a severity score of 8.7 out of 10.
“Due to a bug in the startup trust dialog implementation, Claude Code could be tricked into executing code contained in a project before the user accepted the startup trust dialog. Exploiting this requires a user to start Claude Code in an untrusted directory,” the description states.
Another bug, CVE-2026-21852, has a medium severity of 5.3 out of 10. Attackers could exploit it to trick Claude Code into issuing API requests to the wrong server, controlled by attackers, exposing users’ API keys.
Anthropic delivered the fixes via Claude Code auto-update, and users who perform manual updates are advised to update to the latest version.
If attackers steal the Anthropic API key, they can potentially access shared project files, modify or delete cloud-stored data, upload malicious content, and generate unexpected costs.
Repository-based configuration files were traditionally treated as passive metadata, not execution logic, but the rise of AI-powered development tools brought a broad structural shift.
Now, a text embedded in the repository can influence execution, permissions, and networking.
“The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects,” the Check Point researchers explain.
“In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it.”
Unlock more exclusive Cybernews content on YouTube.
Your email address will not be published. Required fields are markedmarked