Recent findings by Check Point Research (CPR) have uncovered critical vulnerabilities in Claude Code, an AI-driven development tool from Anthropic. These security flaws could potentially lead to Remote Code Execution (RCE) and unauthorized access to Anthropic’s API keys through manipulated project files.
Security Gaps in AI Development Tools
Anthropic’s Claude Code has been updated to patch all identified vulnerabilities before public disclosure, as reported by CPR. The incident underscores the increasing risks associated with AI-enabled development solutions, particularly how configuration files in repositories can be exploited to breach developer systems and collective workspaces.
Claude Code facilitates task delegation from the command line and supports collaboration through project settings saved in a .claude/settings.json file within repositories. Any changes to this file are inherited upon repository cloning, allowing contributors with commit access to potentially modify it to execute unintended actions on other developers’ machines.
Exploiting Untrusted Project Hooks
One of the vulnerabilities involved Claude Code’s “Hooks” feature, which permits automatic command execution at certain lifecycle stages. These hooks, defined within the repository-controlled configuration file, were found to execute immediately upon initializing a cloned repository, as demonstrated by CPR.
This automatic execution, including opening applications like a calculator without warnings, allows malicious actors to run arbitrary shell commands. Despite a general trust dialog, users were not explicitly informed of background command executions, which could lead to establishing unauthorized connections.
API Key Exposure and Consent Bypass
Another significant issue was found in the Model Context Protocol (MCP) settings, where CPR identified methods to bypass user consent dialogs. Even after Anthropic’s implementation of warning dialogs, malicious commands could be executed by manipulating settings to auto-approve MCP servers, enabling RCE.
Additionally, CPR noted vulnerabilities in the handling of environment variables within the settings file. By directing the ANTHROPIC_BASE_URL to a rogue server, attackers could capture API keys transmitted in plaintext, potentially leading to billing abuse and unauthorized access to shared workspaces.
This series of vulnerabilities presents serious supply chain threats, as harmful configurations can be introduced through pull requests or compromised accounts. To mitigate these risks, Anthropic has enhanced its security measures, including stricter warning dialogs and ensuring user consent before executing network operations.
Developers are strongly advised to update to the latest version of Claude Code and consider project files with the same diligence as executable code. For ongoing cybersecurity news, follow us on various platforms and contact us to share your stories.
