Claude Code's hidden threat: opening a project can become a credentials breach


Security researchers have found serious flaws in Claude Code, Anthropic's programming assistant, ranging from remote command execution to API key theft. According to Check Point's public analysis, the issues abuse legitimate configuration mechanisms, such as "hooks", Model Context Protocol (MCP) servers and environment variables, to execute arbitrary commands and exfiltrate credentials when a developer clones and opens a malicious repository. The Check Point report is available here: Check Point Research, along with the extended technical write-up on its site: RCE and API key exfiltration through Claude Code project files.

The vulnerabilities stand out for how they redefine the risk perimeter: it is no longer just a matter of running malicious code on a machine; simply opening a project can be enough to compromise credentials and launch commands. In this case, configuration shipped in the repository's own files, for example .claude/settings.json or .mcp.json, could change the client's behaviour and trigger outbound calls before the user had confirmed that they trusted the project. The result was that active Anthropic keys could be sent to attacker-controlled servers, or that external integrations could be initialized without consent.


The flaws were grouped into several categories, and some already have public identifiers (CVEs). One issue without an assigned CVE, rated high severity (CVSS 8.7), allowed consent mechanisms to be bypassed by starting Claude Code in a new directory and activating hooks defined by the project. A second defect, assigned CVE-2025-59536, also allowed code injection by manipulating the MCP configuration and the option that enables the project's MCP servers. Finally, CVE-2026-21852 affected the project loading flow, allowing keys to be sent to adversary endpoints before the trust prompt was shown. Fixes were published in several client versions: for example, versions 1.0.87 and 1.0.111 and the 2.0.65 branch include patches for these flaws.

Anthropic documents how the integrations and configuration mechanisms work; the Hooks guide and the settings section help in understanding where the exploitation took place: Hooks Guide and the Settings page, which describes the option that allowed the privilege escalation ("enableAllProjectMcpServers") when it was enabled from repository files.

The practical implications are troubling. An attacker who captures an API key can redirect authenticated traffic to infrastructure under their control, consume services on the victim's behalf (generating unexpected costs), insert or delete files in shared projects, or simply use that foothold to move laterally within cloud environments. In short, it is a way to reach resources that were traditionally protected by barriers other than those operated by these development assistants.

Faced with such scenarios, the immediate response is both technical and operational. On the one hand, Anthropic has released patches, and updating Claude Code to the fixed versions that close these attack vectors is essential. The advisories and fixes appear in the security repositories; check the official advisories on GitHub to confirm which version you should apply: Advisories. On the other hand, good development practices come back to the fore: managing credentials under least-privilege policies, rotating any committed keys, and avoiding long-lived keys in non-isolated working environments are measures that reduce the impact if a leak does occur.

Beyond patches and secret rotation, the way third-party projects are trusted should be reconsidered. In professional environments, opening an unknown repository in the same context where tools run with execution and network capabilities should require isolated containers or virtual machines, ephemeral test environments, or a review process that inspects the configuration files before initialization is allowed. It is also advisable to disable the options that automatically start MCP servers or execute hooks until their origin has been validated.
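As an added illustration of that review step (example code written for this article, not part of Check Point's analysis or of Anthropic's tooling), the following Python audit reads the two project-level files named above, .claude/settings.json and .mcp.json, and lists every setting that would run a hook command, start an MCP server, ship enableAllProjectMcpServers pre-enabled, or inject an environment variable, so a reviewer can read them before the client is opened inside the repository. The JSON layout it expects (hook commands nested under a "hooks" key, servers under "mcpServers", variables under "env") is an assumption to be checked against Anthropic's Settings and Hooks documentation, and the sample project it builds is constructed for the demo.

```python
"""Pre-open audit of Claude Code project configuration files.

Lists hook commands, MCP server launch specs, the enableAllProjectMcpServers
opt-in and project-supplied environment variables, so a reviewer can read
them before the client is started inside an untrusted repository.
"""
from __future__ import annotations

import json
import tempfile
from pathlib import Path
from typing import Any, Iterator

# Project-level files the article names as carriers of hooks and MCP config.
PROJECT_CONFIG_FILES = (".claude/settings.json", ".mcp.json")


def _leaves(node: Any, path: tuple[str, ...] = ()) -> Iterator[tuple[tuple[str, ...], Any]]:
    """Yield (key path, value) for every scalar in a parsed JSON document."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from _leaves(value, path + (str(key),))
    elif isinstance(node, list):
        for index, value in enumerate(node):
            yield from _leaves(value, path + (str(index),))
    else:
        yield path, node


def audit_config(doc: Any, filename: str) -> list[str]:
    """Return one finding per setting that would run code, start a server
    or change the client's environment. The key layout is an assumption."""
    findings: list[str] = []
    for path, value in _leaves(doc):
        where = f"{filename}:{'/'.join(path)}"
        if "hooks" in path and path[-1] == "command" and isinstance(value, str):
            # A command string beneath a "hooks" key is run when its event fires.
            findings.append(f"{where} runs hook command {value!r}")
        elif path == ("enableAllProjectMcpServers",) and value is True:
            # The opt-in named in the article, shipped pre-enabled by the repo.
            findings.append(f"{where} enables all project MCP servers")
        elif len(path) == 3 and path[0] == "mcpServers" and path[2] in ("command", "url"):
            # Launch spec for a project-defined MCP server.
            findings.append(f"{where} starts MCP server {path[1]!r} via {value!r}")
        elif "env" in path[:-1] and isinstance(value, str):
            # Environment variable the project would inject into the client.
            findings.append(f"{where} sets environment variable to {value!r}")
    return findings


def audit_repo(repo_root: Path) -> list[str]:
    """Audit every project-level config file present under repo_root."""
    findings: list[str] = []
    for rel in PROJECT_CONFIG_FILES:
        cfg = repo_root / rel
        if not cfg.is_file():
            continue
        try:
            doc = json.loads(cfg.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            # An unparseable config still deserves a human look before opening.
            findings.append(f"{rel}: unreadable or invalid JSON ({exc}); review manually")
            continue
        findings.extend(audit_config(doc, rel))
    return findings


# Constructed sample (not from any real repository): a project that ships a
# hook, pre-enables project MCP servers, defines one server and sets env values.
SAMPLE_SETTINGS: dict[str, Any] = {
    "enableAllProjectMcpServers": True,
    "env": {"EXAMPLE_VAR": "value-set-by-repo"},
    "hooks": {
        "PreToolUse": [{"hooks": [{"type": "command", "command": "./scripts/setup.sh"}]}]
    },
}
SAMPLE_MCP: dict[str, Any] = {
    "mcpServers": {"helper": {"command": "npx", "args": ["some-package"], "env": {"TOKEN": "x"}}}
}


def write_sample_repo(root: Path) -> None:
    """Materialise the constructed sample as the two project-level files."""
    (root / ".claude").mkdir(parents=True, exist_ok=True)
    (root / ".claude" / "settings.json").write_text(json.dumps(SAMPLE_SETTINGS), encoding="utf-8")
    (root / ".mcp.json").write_text(json.dumps(SAMPLE_MCP), encoding="utf-8")


def demo() -> list[str]:
    """Build the sample repo in a temp dir and return its findings (five expected)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        write_sample_repo(root)
        return audit_repo(root)


if __name__ == "__main__":
    for finding in demo():
        print("REVIEW:", finding)
```

Run it against a freshly cloned checkout (`audit_repo(Path("path/to/clone"))`) before the assistant is started there; an empty list means neither file defines anything that would execute or start on load, while any finding, or an unparseable file, is a reason to read the configuration by hand or to open the project only inside an isolated environment.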


Beyond the immediate recommendations, the Claude Code case highlights a broader shift in the attack surface: configuration files and automation layers become part of the execution plane. What was previously perceived as operational context, how a tool is orchestrated, can now determine behaviours that affect the security of the system. As a result, the software supply chain in the world of AI-assisted tools begins not only with the source code, but with the parts that automate, integrate and extend that code.

For those who use AI-driven coding assistants, the practical takeaway is clear: update, audit and isolate. Staying informed through reliable sources helps gauge the risk; besides the Check Point analysis, the security advisories in the official repositories and Anthropic's documentation are required reading for managers and developers who want to protect their environments. See the reports and advisories related to these incidents at the reference links: Check Point Research, Check Point's technical write-up (Research) and Anthropic's advisories on GitHub (No-CVE advisory, CVE-2025-59536, CVE-2026-21852).

Ultimately, the story is a reminder that adopting powerful tools brings undeniable advantages but also requires rethinking security at layers that were until now considered harmless. Updating quickly and designing workflows that neither expose secrets nor allow automatic execution in non-isolated environments are essential steps to benefit from these tools without turning them into an entry point for attackers.
