Anthropic Claude outage disrupted users as GitHub Actions flaw exposed repository risk
Anthropic’s Claude platform suffered a widespread service disruption that affected users globally across the web app, mobile clients, and Claude Code, with reports of elevated errors, long response delays, hung sessions, and failed requests involving models such as Opus 4.6 and Sonnet 4.6. User complaints rose sharply after the incident began around 0600 UTC, and Anthropic’s status page moved from reporting a partial outage to saying a fix had been implemented before later marking systems operational, though some customers continued to report intermittent problems after remediation.
Separately, a security researcher disclosed a critical supply-chain vulnerability in Anthropic’s official Claude Code GitHub Actions workflow that could have allowed an unauthenticated attacker to compromise repositories using it, including Anthropic’s own. The flaw stemmed from write-permission checks that trusted any GitHub actor whose name ended with [bot], enabling a malicious GitHub App bot to bypass restrictions and, when chained with prompt injection, potentially exfiltrate secrets, steal GitHub Actions OIDC credentials, obtain a privileged Claude GitHub App token, and push malicious code downstream; Anthropic said it patched the issues in v1.0.94 with stronger actor validation and additional workflow hardening.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Claude services outage affects claude.ai, API, Code, and Cowork
Anthropic experienced another major Claude service disruption beginning at 15:08 UTC, affecting claude.ai, the Claude API, Claude Code, Claude Cowork, and multiple model versions. Anthropic later said the incident was caused by infrastructure issues rather than a security breach and reported full restoration by 18:27 UTC.
Anthropic patches Claude Code GitHub Actions in v1.0.94
Anthropic patched the Claude Code GitHub Actions issues in version 1.0.94 by strengthening actor validation and adding multiple workflow hardening measures. The company also awarded RyotaK $3,800 plus a $1,000 bug bounty bonus.
RyotaK discovers critical Claude Code GitHub Actions flaws
Security researcher RyotaK of GMO Flatt Security discovered a critical supply chain vulnerability in Anthropic's Claude Code GitHub Actions, along with a separate workflow misconfiguration. The issues could allow repository compromise, secret exfiltration, theft of OIDC credentials, and malicious code pushes to downstream repositories.
Anthropic investigates and deploys fix for Claude outage
Anthropic said it was investigating the Claude outage, first classifying it as a partial outage on its status page. By 1042 UTC, the company reported that a fix had been implemented and later marked systems operational, though some intermittent issues persisted for some users.
Claude service outage begins across web, mobile, and Claude Code
Anthropic's Claude experienced a significant service disruption affecting users globally across web, mobile, and Claude Code. The outage began around 0600 UTC / 2:10am ET, with users reporting errors, delays, hung sessions, and failures.
Anthropic files draft registration statement for proposed IPO
Anthropic filed a draft registration statement with the US Securities and Exchange Commission for a proposed IPO. The filing occurred one day before Claude's major service outage.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Anthropic's Claude Services Down - claude.ai, Claude Code, and Cowork Affected [Updated]
cybersecuritynews.com
Open sourceClaude Down for Users Worldwide as Hundreds Report Service Issues
cybersecuritynews.com
Open sourceClaude Code's GitHub Actions Vulnerability Lets Attackers Compromise Any Repository
cybersecuritynews.com
Open sourceClaude celebrates Anthropic's stock market float with blockbuster ... outage
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Claude Code GitHub Action Flaws Exposed CI/CD Secrets and Enabled Repo Takeover
Researchers disclosed multiple security flaws in Anthropic’s **Claude Code GitHub Action** that could let attackers compromise public repositories and expose CI/CD secrets through a single malicious GitHub issue or other untrusted content. One issue, reported by RyotaK of GMO Flatt Security, stemmed from an authorization bypass that trusted any GitHub actor whose name ended in `[bot]`, allowing attacker-controlled GitHub Apps to trigger workflows and inject malicious prompts. Anthropic said the bug could lead to disclosure of environment secrets, including credentials used to obtain OIDC tokens and Claude GitHub App installation tokens with write access, creating a path to repository takeover and broader supply-chain compromise. Microsoft Threat Intelligence separately showed that Claude Code’s `Read` tool was not sandboxed like its Bash tool, enabling access to sensitive runner data such as `/proc/self/environ` and leakage of secrets including `ANTHROPIC_API_KEY`. In lab testing, Microsoft demonstrated prompt-injection attacks that bypassed model safeguards and GitHub secret scanning to exfiltrate credentials through logs, comments, or external channels. Anthropic fixed the authorization issue within days of disclosure and later added hardening in `claude-code-action` `v1.0.94`, while the `/proc` exposure was mitigated in Claude Code `v2.1.128` by blocking access to sensitive procfs files; defenders were urged to treat AI-enabled CI/CD workflows processing untrusted issues, pull requests, and comments as high risk.
Jun 5, 2026
Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in **Anthropic’s Claude Code** AI coding assistant that could enable **arbitrary command execution** and **exfiltration of Anthropic API credentials** when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly **project hooks** (e.g., untrusted `.claude/settings.json`), **Model Context Protocol (MCP) servers**, and **environment variables**—to trigger shell command execution and data theft. Anthropic’s advisory for **CVE-2026-21852** describes a project-load flow where a crafted repo can set `ANTHROPIC_BASE_URL` to an attacker-controlled endpoint, causing Claude Code to send API requests **before** the trust prompt is shown, potentially leaking the user’s API key. The disclosed issues include two high-severity code-injection paths (CVSS **8.7**) and one information-disclosure flaw (CVSS **5.3**): a consent-bypass/hook-based injection issue fixed in *Claude Code* **1.0.87** (Sept 2025), **CVE-2025-59536** fixed in **1.0.111** (Oct 2025), and **CVE-2026-21852** fixed in **2.0.65** (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to **RCE** and **credential leakage**, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
May 7, 2026
Critical Vulnerabilities in Anthropic Claude Code Enable RCE and API Key Theft via Malicious Repositories
**Check Point Research** disclosed multiple critical vulnerabilities in Anthropic’s *Claude Code* AI coding assistant that could allow **remote code execution** and **credential theft** when a developer clones and opens an **untrusted repository**. The reported attack path abuses repository-controlled configuration and automation features (including **Hooks**, **MCP servers**, and **environment variables**) to trigger hidden shell command execution and to exfiltrate **Anthropic API credentials**, potentially enabling a pivot from a developer workstation into broader enterprise environments where Claude-related workflows and shared resources are accessible. The issues include consent-bypass and command-execution weaknesses tracked under **CVE-2025-59536** (covering closely related flaws involving repository configuration executing commands without adequate user consent) and an API credential exposure issue tracked as **CVE-2026-21852**, which affected *Claude Code* versions prior to **2.0.65** and enabled API key theft via malicious project configurations. Anthropic has **patched** the vulnerabilities and advised users to update to the latest version, while indicating additional hardening measures are planned to reduce supply-chain risk from malicious commits and repository-level configuration abuse.
Apr 6, 2026