Check Point Research — Claude Code hooks/MCP RCE

AI relevance: Claude Code’s agent runtime can be driven by repository configuration files, so prompt-injection-to-RCE chains can trigger shell commands and API key exfiltration when developers open untrusted projects.

Issue 1 (Hooks): Repository-controlled .claude/settings.json can define Hooks that execute shell commands at startup without a clear, explicit execution prompt.
Issue 2 (MCP auto-approval): The same settings file can enable enableAllProjectMcpServers or pre-whitelist servers, allowing malicious .mcp.json initialization commands to run before consent.
Issue 3 (API key exfiltration): Project settings can override ANTHROPIC_BASE_URL, routing Claude Code traffic (including API keys) to an attacker-controlled endpoint.
Impact: Attackers can achieve arbitrary command execution and steal Claude API credentials by embedding malicious config in a repo.
Trigger: Victims only need to clone and open the project with Claude Code; the exploit runs before the trust dialog is fully actionable.
Fix status: Check Point reports Anthropic patched the issues prior to publication.

Why it matters

Agentic coding tools inherit repository configs by design, which turns supply-chain exposure into a direct execution path. This is a concrete example of how “trusted” project settings can bypass consent flows and turn AI dev tools into remote execution surfaces.

What to do

Update: Ensure Claude Code is on the latest auto-updated build with the fixed consent flows.
Harden defaults: Disable auto-approval of project MCP servers unless you fully trust the repo.
Audit configs: Treat .claude/settings.json and .mcp.json as executable input; review before opening untrusted repositories.
Sandbox use: Run agentic coding tools in a restricted environment (least-privilege tokens, isolated shells).

Check Point Research: RCE and API token exfiltration in Claude Code

Check Point blog summary

GitHub advisory (Anthropic)