Check Point Research — Claude Code project-file RCE & key exfil

AI relevance: Claude Code is an agentic CLI that runs tools and shell commands, so malicious project configs can turn a repo clone into automated RCE and credential theft in AI dev pipelines.

• Check Point Research disclosed a chain of Claude Code project-file weaknesses enabling remote code execution and API key exfiltration.
• The issues abuse repo-controlled configuration in .claude/settings.json, which is loaded when a developer opens an untrusted repo.
• Attackers can weaponize Hooks to run arbitrary shell commands via consent bypasses when Claude Code starts in a new directory.
• CVE-2025-59536 covers a code injection path that executes commands automatically during tool initialization.
• CVE-2026-21852 enables information disclosure by redirecting API traffic (e.g., via ANTHROPIC_BASE_URL) before the trust prompt appears.
• Check Point reports the bugs are fixed, with patches in Claude Code versions 1.0.111 and 2.0.65.
• The campaign shows how agent tooling + repo configs can become a supply-chain attack vector for AI teams.

Why it matters

• AI dev agents often hold API keys and repo access; a poisoned project config can steal credentials at scale.
• RCE on developer machines can pivot into CI, package registries, and model or prompt artifacts.

What to do

• Update Claude Code to patched builds (1.0.111+ and 2.0.65+).
• Treat repo configs as untrusted: review .claude/settings.json in new repos before running agent tooling.
• Reduce blast radius: use scoped API keys, short-lived tokens, and sandboxed environments for AI tooling.

Sources

• Check Point Research — Caught in the Hook
• Anthropic advisory — CVE-2025-59536
• Anthropic advisory — CVE-2026-21852
• The Hacker News coverage