Security researchers disclosed multiple vulnerabilities in Anthropic’s Claude Code AI coding assistant that could enable arbitrary command execution and exfiltration of Anthropic API credentials when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly project hooks (e.g., untrusted .claude/settings.json), Model Context Protocol (MCP) servers, and environment variables—to trigger shell command execution and data theft. Anthropic’s advisory for CVE-2026-21852 describes a project-load flow where a crafted repo can set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, causing Claude Code to send API requests before the trust prompt is shown, potentially leaking the user’s API key.
The disclosed issues include two high-severity code-injection paths (CVSS 8.7) and one information-disclosure flaw (CVSS 5.3): a consent-bypass/hook-based injection issue fixed in Claude Code 1.0.87 (Sept 2025), CVE-2025-59536 fixed in 1.0.111 (Oct 2025), and CVE-2026-21852 fixed in 2.0.65 (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to RCE and credential leakage, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
5 events from the most recent confirmed update back to the earliest known activity.
Adversa AI disclosed a proof-of-concept exploit called TrustFall showing how a malicious repository could trigger attacker-controlled code execution in Claude Code after a user accepts a routine trust prompt in v2.1. The researchers warned the issue could enable full machine compromise, secret and token theft, backdoor installation, and unattended impact in CI/CD environments, while Anthropic reportedly said the behavior falls outside its threat model because execution follows user consent.
A GitHub repository was published demonstrating three previously disclosed Claude Code vulnerabilities, including hooks consent bypass, MCP server configuration injection, and API key exfiltration via base URL manipulation. The project included malicious demo configurations, an attacker server, a MITM proxy, and a scanner for detecting vulnerable repository patterns, expanding public technical detail around the flaws.
Anthropic's release of its AI-powered code security tool, Claude Code Security, reportedly prompted a short-term selloff in cybersecurity stocks. Investor Nick Davidov said the reaction did not alter his firm's long-term view that AI-generated code and agent-related risks will increase demand for security products.
Check Point researchers publicly disclosed multiple vulnerabilities in Anthropic's Claude Code affecting Hooks, Model Context Protocol servers, and environment variable handling. The researchers said malicious repository configuration files could be abused to execute arbitrary shell commands and leak API keys to attacker-controlled endpoints, potentially enabling follow-on access to AI infrastructure and cloud-stored data.
Anthropic fixed several flaws in Claude Code across versions 1.0.87, 1.0.111, and 2.0.65, including CVE-2025-59536 and CVE-2026-21852. The vulnerabilities could enable remote code execution, silent tool interaction, and exfiltration of Anthropic API credentials when users opened untrusted repositories.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
6 references tracked. Mallory keeps watching after this page renders.
darkreading.com
Open sourcetheregister.com
Open sourceosintteam.blog
Open sourcegithub.com
Open sourcethehackernews.com
Open sourcebankinfosecurity.com
Open sourceMap indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.