Check Point Researchers Expose Critical Claude Code Flaws

Posted on by CISO Forum Bureau

By Aviv Donenfeld and Oded Vanunu

  • Critical vulnerabilities, CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code enabled remote code execution and API key theft through malicious repository-level configuration files, triggered simply by cloning and opening an untrusted project
  • Built-in mechanisms—including Hooks, MCP integrations, and environment variables—could be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent
  • Stolen Anthropic API keys posed enterprise-wide risk, particularly in shared workspaces where a single compromised key could expose, modify, or delete shared files and resources and generate unauthorized costs 
  • The findings highlight a broader shift in the AI supply chain threat model: repository configuration files now function as part of the execution layer, requiring updated security controls to address AI-driven automation risks

As organizations rapidly adopt agentic AI development tools into enterprise workflows, the trust boundaries between configuration and execution are increasingly blurred. Check Point Research identified critical vulnerabilities in Anthropic’s Claude Code that enabled remote code execution and API credential theft through malicious repository-based configuration files. By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers could execute arbitrary shell commands and exfiltrate API keys when developers cloned and opened untrusted projects – without any additional action beyond launching the tool. In effect, configuration files intended to streamline collaboration became active execution paths, introducing a new attack vector within the AI-powered development layer now embedded in the enterprise supply chain, raising a broader question: has the enterprise threat model evolved to match this new reality? 

 How a Single Repository File Became an Attack Vector 

Claude Code was designed to streamline collaboration by embedding project-level configuration files directly within repositories, automatically applying them when a developer opens Claude Code inside the project directory. Check Point Research found that these files, typically perceived as harmless operational metadata, could in fact function as an active execution layer. In certain scenarios, simply cloning and opening a malicious repository was enough to:

  • Trigger hidden commands on the developer’s endpoint
  • Bypass built-in consent and trust safeguards
  • Expose active Anthropic API keys and turn them into an access vector
  • Extend the impact from an individual workstation to shared enterprise cloud workspaces
  • All without any visible indication that a compromise had already begun. What was intended to optimize collaboration effectively became a silent attack vector within the AI-powered development workflow

How Developers Could Be Affected

The risks fell into three categories.

1. Silent Command Execution via Claude Hooks

Claude Code includes automation capabilities that allow predefined actions to run when a session begins. Check Point Research demonstrated that this mechanism could be abused to execute arbitrary shell commands automatically upon tool initialization.

In practice, this means that simply opening a malicious repository could trigger hidden execution on a developer’s machine – without any additional interaction beyond launching the project.

2. MCP User Consent Bypass

Claude Code integrates with external tools via the Model Context Protocol (MCP), enabling additional services to be initialized when a project is opened. Although warning prompts were designed to require explicit user approval, researchers found that repository-controlled configuration settings could override these safeguards. As a result, execution could occur:

  • Before the user granted consent
  • Without meaningful visibility into what was being initialized
  • Despite built-in trust prompts intended to prevent such behavior

When code runs before trust is established, the control model is inverted – shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface.

This issue was assigned CVE-2025-59536.

3. API Key Theft Before Trust Confirmation

Claude Code communicates with Anthropic’s services using an API key, transmitted with each authenticated request. By manipulating a repository-controlled configuration setting, researchers demonstrated that API traffic , including the full authorization header, could be redirected to an attacker-controlled server before the user confirmed trust in the project directory. This meant that simply opening a malicious repository could:

  • Exfiltrate a developer’s active API key
  • Redirect authenticated API traffic to external infrastructure
  • Capture credentials before any trust decision was made

In collaborative AI environments, a single compromised key can become a gateway to broader enterprise exposure.

This issue was assigned CVE-2026-21852.


Why the API Key Exposure Mattered

Anthropic’s API includes a feature called Workspaces, which allows multiple API keys to share access to project files stored in the cloud.

Files are associated with the workspace itself, not a single key.

With a stolen key, an attacker could potentially:

  • Access shared project files
  • Modify or delete cloud-stored data
  • Upload malicious content
  • Generate unexpected API costs

In collaborative AI ecosystems, a single exposed key can scale from individual compromise to team-wide impact. 

A New Supply Chain Risk in AI Tools

These vulnerabilities reflect a broader structural shift in how software supply chains operate. Modern development platforms increasingly rely on repository-based configuration files to automate workflows and streamline collaboration. Traditionally, these files were treated as passive metadata – not as execution logic.

However, as AI-powered tools gain the ability to execute commands, initialize external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer. What was once considered operational context now directly influences system behavior.

This fundamentally alters the threat model. The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it.

Remediation and Disclosure

Check Point Research worked closely with Anthropic throughout the disclosure process.

Anthropic implemented fixes that:

  • Strengthened user trust prompts
  • Prevented external tool execution before explicit approval
  • Blocked API communications until after trust confirmation


All reported issues have been resolved prior to public disclosure.

Why This Matters

AI-powered coding tools are rapidly becoming part of enterprise development workflows. Their productivity benefits are significant, but so is the need to reassess traditional security assumptions.

Configuration files are no longer passive settings. They can influence execution, networking, and permissions.

As AI integration deepens, security controls must evolve to match the new trust boundaries.

Author

Related Posts