Check Point Research identified critical vulnerabilities in Anthropic’s Claude Code that enabled remote code execution and API credential theft through malicious repository-based configuration files.
By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers could execute arbitrary shell commands and exfiltrate API keys when developers cloned and opened untrusted projects - without any additional action beyond launching the tool.
In effect, configuration files intended to streamline collaboration became active execution paths, introducing a new attack vector within the AI-powered development layer now embedded in the enterprise supply chain, raising a broader question: has the enterprise threat model evolved to match this new reality?
How a Single Repository File Became an Attack Vector
Claude Code was designed to streamline collaboration by embedding project-level configuration files directly within repositories, automatically applying them when a developer opens Claude Code inside the project directory. Check Point Research found that these files, typically perceived as harmless operational metadata, could in fact function as an active execution layer. In certain scenarios, simply cloning and opening a malicious repository was enough to:
Trigger hidden commands on the developer’s endpoint
Bypass built-in consent and trust safeguards
Expose active Anthropic API keys and turn them into an access vector
Extend the impact from an individual workstation to shared enterprise cloud workspaces
All without any visible indication that a compromise had already begun. What was intended to optimize collaboration effectively became a silent attack vector within the AI-powered development workflow
How Developers Could Be Affected
The risks fell into three categories.
1. Silent Command Execution via Claude Hooks
Claude Code includes automation capabilities that allow predefined actions to run when a session begins. Check Point Research demonstrated that this mechanism could be abused to execute arbitrary shell commands automatically upon tool initialization.
In practice, this means that simply opening a malicious repository could trigger hidden execution on a developer’s machine - without any additional interaction beyond launching the project.
2. MCP User Consent Bypass
Claude Code integrates with external tools via the Model Context Protocol (MCP), enabling additional services to be initialized when a project is opened. Although warning prompts were designed to require explicit user approval, researchers found that repository-controlled configuration settings could override these safeguards. As a result, execution could occur:
Before the user granted consent
Without meaningful visibility into what was being initialized
Despite built-in trust prompts intended to prevent such behavior
When code runs before trust is established, the control model is inverted - shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface.
This issue was assigned CVE-2025-59536.
3. API Key Theft Before Trust Confirmation
Claude Code communicates with Anthropic’s services using an API key, transmitted with each authenticated request. By manipulating a repository-controlled configuration setting, researchers demonstrated that API traffic , including the full authorization header, could be redirected to an attacker-controlled server before the user confirmed trust in the project directory. This meant that simply opening a malicious repository could:
Exfiltrate a developer’s active API key
Redirect authenticated API traffic to external infrastructure
Capture credentials before any trust decision was made
In collaborative AI environments, a single compromised key can become a gateway to broader enterprise exposure.
This issue was assigned CVE-2026-21852.
Why the API Key Exposure Mattered
Anthropic’s API includes a feature called Workspaces, which allows multiple API keys to share access to project files stored in the cloud.
Files are associated with the workspace itself, not a single key.
With a stolen key, an attacker could potentially:
Access shared project files
Modify or delete cloud-stored data
Upload malicious content
Generate unexpected API costs
In collaborative AI ecosystems, a single exposed key can scale from individual compromise to team-wide impact.
A New Supply Chain Risk in AI Tools
These vulnerabilities reflect a broader structural shift in how software supply chains operate. Modern development platforms increasingly rely on repository-based configuration files to automate workflows and streamline collaboration. Traditionally, these files were treated as passive metadata – not as execution logic.
However, as AI-powered tools gain the ability to execute commands, initialize external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer. What was once considered operational context now directly influences system behavior.
This fundamentally alters the threat model. The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it.
Remediation and Disclosure
Check Point Research worked closely with Anthropic throughout the disclosure process.
Anthropic implemented fixes that:
Strengthened user trust prompts
Prevented external tool execution before explicit approval
Blocked API communications until after trust confirmation
𝐒𝐭𝐚𝐲 𝐢𝐧𝐟𝐨𝐫𝐦𝐞𝐝 𝐰𝐢𝐭𝐡 𝐨𝐮𝐫 𝐥𝐚𝐭𝐞𝐬𝐭 𝐮𝐩𝐝𝐚𝐭𝐞𝐬 𝐛𝐲 𝐣𝐨𝐢𝐧𝐢𝐧𝐠 𝐭𝐡𝐞 WhatsApp Channel now! 👈📲
𝑭𝒐𝒍𝒍𝒐𝒘 𝑶𝒖𝒓 𝑺𝒐𝒄𝒊𝒂𝒍 𝑴𝒆𝒅𝒊𝒂 𝑷𝒂𝒈𝒆𝐬 👉 Facebook, LinkedIn, Twitter, Instagram
