Vulnerabilities in Anthropic Claude Code Enable Code Execution and API Key Exfiltration
Security researchers disclosed multiple vulnerabilities in Anthropic’s Claude Code AI coding assistant that could enable arbitrary command execution and exfiltration of Anthropic API credentials when developers clone/open a malicious repository. Check Point Research reported the issues abuse Claude Code configuration and initialization paths—particularly project hooks (e.g., untrusted .claude/settings.json), Model Context Protocol (MCP) servers, and environment variables—to trigger shell command execution and data theft. Anthropic’s advisory for CVE-2026-21852 describes a project-load flow where a crafted repo can set ANTHROPIC_BASE_URL to an attacker-controlled endpoint, causing Claude Code to send API requests before the trust prompt is shown, potentially leaking the user’s API key.
The disclosed issues include two high-severity code-injection paths (CVSS 8.7) and one information-disclosure flaw (CVSS 5.3): a consent-bypass/hook-based injection issue fixed in Claude Code 1.0.87 (Sept 2025), CVE-2025-59536 fixed in 1.0.111 (Oct 2025), and CVE-2026-21852 fixed in 2.0.65 (Jan 2026). Separate coverage framed Anthropic-related developments as market-moving, noting investor attention around Anthropic’s AI code-security tooling; however, the actionable security impact in this reporting is the risk that simply opening an attacker-controlled repository can lead to RCE and credential leakage, reinforcing the need to treat untrusted repos and tool initialization behaviors as a supply-chain and developer-workstation risk.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Adversa AI discloses TrustFall Claude Code execution exploit
Adversa AI disclosed a proof-of-concept exploit called TrustFall showing how a malicious repository could trigger attacker-controlled code execution in Claude Code after a user accepts a routine trust prompt in v2.1. The researchers warned the issue could enable full machine compromise, secret and token theft, backdoor installation, and unattended impact in CI/CD environments, while Anthropic reportedly said the behavior falls outside its threat model because execution follows user consent.
Public PoC repo released for Claude Code vulnerabilities
A GitHub repository was published demonstrating three previously disclosed Claude Code vulnerabilities, including hooks consent bypass, MCP server configuration injection, and API key exfiltration via base URL manipulation. The project included malicious demo configurations, an attacker server, a MITM proxy, and a scanner for detecting vulnerable repository patterns, expanding public technical detail around the flaws.
Anthropic's Claude Code Security launch triggers cybersecurity stock selloff
Anthropic's release of its AI-powered code security tool, Claude Code Security, reportedly prompted a short-term selloff in cybersecurity stocks. Investor Nick Davidov said the reaction did not alter his firm's long-term view that AI-generated code and agent-related risks will increase demand for security products.
Check Point discloses Claude Code RCE and API key theft flaws
Check Point researchers publicly disclosed multiple vulnerabilities in Anthropic's Claude Code affecting Hooks, Model Context Protocol servers, and environment variable handling. The researchers said malicious repository configuration files could be abused to execute arbitrary shell commands and leak API keys to attacker-controlled endpoints, potentially enabling follow-on access to AI infrastructure and cloud-stored data.
Anthropic patches multiple Claude Code vulnerabilities
Anthropic fixed several flaws in Claude Code across versions 1.0.87, 1.0.111, and 2.0.65, including CVE-2025-59536 and CVE-2026-21852. The vulnerabilities could enable remote code execution, silent tool interaction, and exfiltration of Anthropic API credentials when users opened untrusted repositories.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
'TrustFall' Exposes Claude Code Execution Risk
darkreading.com
Open sourceClaude Code trust prompt can trigger one-click RCE
theregister.com
Open sourceHow Anthropic’s Leak Became a Meme Storm Nobody Planned (Part 2) | by Berend Watchus | Apr, 2026 | OSINT Team
osintteam.blog
Open sourceGitHub - atiilla/CVE-2026-21852-PoC · GitHub
github.com
Open sourceClaude Code Flaws Allow Remote Code Execution and API Key Exfiltration
thehackernews.com
Open sourceInvestors Should Take Long View Despite Anthropic Shock
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical Vulnerabilities in Anthropic Claude Code Enable RCE and API Key Theft via Malicious Repositories
**Check Point Research** disclosed multiple critical vulnerabilities in Anthropic’s *Claude Code* AI coding assistant that could allow **remote code execution** and **credential theft** when a developer clones and opens an **untrusted repository**. The reported attack path abuses repository-controlled configuration and automation features (including **Hooks**, **MCP servers**, and **environment variables**) to trigger hidden shell command execution and to exfiltrate **Anthropic API credentials**, potentially enabling a pivot from a developer workstation into broader enterprise environments where Claude-related workflows and shared resources are accessible. The issues include consent-bypass and command-execution weaknesses tracked under **CVE-2025-59536** (covering closely related flaws involving repository configuration executing commands without adequate user consent) and an API credential exposure issue tracked as **CVE-2026-21852**, which affected *Claude Code* versions prior to **2.0.65** and enabled API key theft via malicious project configurations. Anthropic has **patched** the vulnerabilities and advised users to update to the latest version, while indicating additional hardening measures are planned to reduce supply-chain risk from malicious commits and repository-level configuration abuse.
Apr 6, 2026
Claude Code GitHub Action Flaws Exposed CI/CD Secrets and Enabled Repo Takeover
Researchers disclosed multiple security flaws in Anthropic’s **Claude Code GitHub Action** that could let attackers compromise public repositories and expose CI/CD secrets through a single malicious GitHub issue or other untrusted content. One issue, reported by RyotaK of GMO Flatt Security, stemmed from an authorization bypass that trusted any GitHub actor whose name ended in `[bot]`, allowing attacker-controlled GitHub Apps to trigger workflows and inject malicious prompts. Anthropic said the bug could lead to disclosure of environment secrets, including credentials used to obtain OIDC tokens and Claude GitHub App installation tokens with write access, creating a path to repository takeover and broader supply-chain compromise. Microsoft Threat Intelligence separately showed that Claude Code’s `Read` tool was not sandboxed like its Bash tool, enabling access to sensitive runner data such as `/proc/self/environ` and leakage of secrets including `ANTHROPIC_API_KEY`. In lab testing, Microsoft demonstrated prompt-injection attacks that bypassed model safeguards and GitHub secret scanning to exfiltrate credentials through logs, comments, or external channels. Anthropic fixed the authorization issue within days of disclosure and later added hardening in `claude-code-action` `v1.0.94`, while the `/proc` exposure was mitigated in Claude Code `v2.1.128` by blocking access to sensitive procfs files; defenders were urged to treat AI-enabled CI/CD workflows processing untrusted issues, pull requests, and comments as high risk.
Jun 5, 2026
Anthropic Expands Claude’s Agentic Coding Capabilities and Adds Embedded Vulnerability Scanning
Anthropic announced **Claude Code Security**, an embedded capability in *Claude Code* that scans customer codebases for vulnerabilities and suggests patches, initially rolling out to a limited set of enterprise/team customers for testing. The company said the feature was stress-tested via internal red-teaming, Capture-the-Flag exercises, and collaboration with **Pacific Northwest National Laboratory**, and positioned it as a way to reduce reliance on manual security reviews as AI-assisted “vibe coding” increases and attackers also use AI to accelerate weakness discovery. In parallel, Anthropic released **Claude Sonnet 4.6**, emphasizing improved coding performance, stronger “computer use” capabilities, and expanded developer tooling (e.g., adaptive/extended thinking modes, beta context compaction, and API tools for web search/fetch and code execution). Separate commentary highlighted the security risk of **agentic coding assistants** (e.g., *Claude Code*, *Cursor*, *GitHub Copilot*) operating with broad privileges—file access, shell execution, and secret handling—and argued that the emerging **Model Context Protocol (MCP)** ecosystem needs stronger, future-proof identity controls; additional industry guidance promoted **MLSecOps** as a way to integrate security into AI/ML development lifecycles, though it did not report a specific incident or vulnerability.
Apr 9, 2026