Critical Vulnerabilities in Anthropic Claude Code Enable RCE and API Key Theft via Malicious Repositories
Check Point Research disclosed multiple critical vulnerabilities in Anthropic’s Claude Code AI coding assistant that could allow remote code execution and credential theft when a developer clones and opens an untrusted repository. The reported attack path abuses repository-controlled configuration and automation features (including Hooks, MCP servers, and environment variables) to trigger hidden shell command execution and to exfiltrate Anthropic API credentials, potentially enabling a pivot from a developer workstation into broader enterprise environments where Claude-related workflows and shared resources are accessible.
The issues include consent-bypass and command-execution weaknesses tracked under CVE-2025-59536 (covering closely related flaws involving repository configuration executing commands without adequate user consent) and an API credential exposure issue tracked as CVE-2026-21852, which affected Claude Code versions prior to 2.0.65 and enabled API key theft via malicious project configurations. Anthropic has patched the vulnerabilities and advised users to update to the latest version, while indicating additional hardening measures are planned to reduce supply-chain risk from malicious commits and repository-level configuration abuse.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Anthropic fixes Claude Code deny-rule bypass in v2.1.90
Anthropic addressed a high-severity Claude Code vulnerability that let attackers bypass developer-configured deny rules by hiding malicious payloads after the 50th subcommand in a long shell command. The flaw stemmed from a legacy regex-based parser in bashPermissions.ts that stopped detailed analysis after 50 entries and fell back to a generic permission prompt, creating a path to credential theft and supply-chain compromise.
Check Point publicly discloses three Claude Code vulnerabilities
On February 25, 2026, Check Point Research publicly disclosed three Claude Code vulnerabilities that could let attackers achieve remote code execution and steal Anthropic API keys by luring developers into opening malicious repositories. The disclosure framed repository configuration files as a new AI software supply-chain attack surface.
Anthropic patches Claude Code trust and execution weaknesses
Before public disclosure, Anthropic fixed the reported issues by tightening trust prompts, preventing Hooks and MCP execution before approval, and blocking network/API activity until a user explicitly trusts a repository. Advisories and CVEs were issued for at least two of the flaws, including CVE-2025-59536 and CVE-2026-21852.
Check Point privately reports Claude Code flaws to Anthropic
Check Point Research identified three vulnerabilities in Anthropic's Claude Code across 2025 and coordinated responsible disclosure with Anthropic. The flaws involved repository-controlled Hooks and MCP settings enabling code execution, plus configuration-based API key exfiltration.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
8 references tracked. Mallory keeps watching after this page renders.
Critical Claude Code Vulnerability Silently Bypasses Developer-Configured Security Rules
cybersecuritynews.com
Open sourceClaude Code Hacked to Achieve Full RCE and Hijacked Organization API keys
cybersecuritynews.com
Open sourceRCE, API credential theft likely with now-patched Claude Code vulnerabilities | brief | SC Media
scworld.com
Open sourceCritical Claude Code Vulnerabilities Enables Remote Code Execution Attacks
cybersecuritynews.com
Open sourceMalicious Repo Files Could Hijack Claude Code Sessions
bankinfosecurity.com
Open sourceClaude's collaboration tools allowed remote code execution • The Register
go.theregister.com
Open sourceUntrusted repositories turn Claude code into an attack vector
securityaffairs.com
Open sourceFlaws in Claude Code Put Developers' Machines at Risk
darkreading.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in **Anthropic’s Claude Code** AI coding assistant that could enable **arbitrary command execution** and **exfiltration of Anthropic API credentials** when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly **project hooks** (e.g., untrusted `.claude/settings.json`), **Model Context Protocol (MCP) servers**, and **environment variables**—to trigger shell command execution and data theft. Anthropic’s advisory for **CVE-2026-21852** describes a project-load flow where a crafted repo can set `ANTHROPIC_BASE_URL` to an attacker-controlled endpoint, causing Claude Code to send API requests **before** the trust prompt is shown, potentially leaking the user’s API key. The disclosed issues include two high-severity code-injection paths (CVSS **8.7**) and one information-disclosure flaw (CVSS **5.3**): a consent-bypass/hook-based injection issue fixed in *Claude Code* **1.0.87** (Sept 2025), **CVE-2025-59536** fixed in **1.0.111** (Oct 2025), and **CVE-2026-21852** fixed in **2.0.65** (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to **RCE** and **credential leakage**, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
May 7, 2026
Claude Code GitHub Action Flaws Exposed CI/CD Secrets and Enabled Repo Takeover
Researchers disclosed multiple security flaws in Anthropic’s **Claude Code GitHub Action** that could let attackers compromise public repositories and expose CI/CD secrets through a single malicious GitHub issue or other untrusted content. One issue, reported by RyotaK of GMO Flatt Security, stemmed from an authorization bypass that trusted any GitHub actor whose name ended in `[bot]`, allowing attacker-controlled GitHub Apps to trigger workflows and inject malicious prompts. Anthropic said the bug could lead to disclosure of environment secrets, including credentials used to obtain OIDC tokens and Claude GitHub App installation tokens with write access, creating a path to repository takeover and broader supply-chain compromise. Microsoft Threat Intelligence separately showed that Claude Code’s `Read` tool was not sandboxed like its Bash tool, enabling access to sensitive runner data such as `/proc/self/environ` and leakage of secrets including `ANTHROPIC_API_KEY`. In lab testing, Microsoft demonstrated prompt-injection attacks that bypassed model safeguards and GitHub secret scanning to exfiltrate credentials through logs, comments, or external channels. Anthropic fixed the authorization issue within days of disclosure and later added hardening in `claude-code-action` `v1.0.94`, while the `/proc` exposure was mitigated in Claude Code `v2.1.128` by blocking access to sensitive procfs files; defenders were urged to treat AI-enabled CI/CD workflows processing untrusted issues, pull requests, and comments as high risk.
Jun 5, 2026
Check Point Discloses Critical Claude Code Flaws Enabling Code Execution and Data Exposure
Check Point researchers disclosed critical security flaws in **Claude Code**, reporting that the issues could expose developers and organizations to **remote code execution**, sensitive data leakage, and broader compromise of development environments. The findings indicate that weaknesses in how the coding assistant handled untrusted content and tool interactions could let attackers manipulate outputs, trigger unsafe actions, or access information that should remain protected. The disclosure places AI-assisted development tools under the same scrutiny long applied to major software supply-chain and application-security incidents such as **Apache Log4j `CVE-2021-44228`**, which became a benchmark for rapidly exploitable software flaws with wide downstream impact. The report underscores that coding assistants embedded in developer workflows can become high-value targets, and that organizations using them should review trust boundaries, sandboxing, secret handling, and monitoring around automated code-generation and execution features.
May 25, 2026