Anthropic's Claude Code sandbox flaws

- Anthropic patched two Claude Code sandbox-bypass flaws disclosed in May 2026 after researchers said the bugs could let attackers exfiltrate data from developer machines. (cybersecuritynews.com)
- Security researcher Aonan Guan said one network-sandbox bypass affected roughly 130 Claude Code versions for more than five months before a fix. (cybersecuritynews.com)
- EclecticIQ said fake Gemini and Claude Code installer pages delivered infostealers through SEO poisoning, using typosquatted domains and separate command-and-control infrastructure. (blog.eclecticiq.com)

Anthropic’s Claude Code security story is not one bug but a stack of risks landing on the same audience: developers who give AI coding tools broad access to local files, shells and credentials. In reports published on May 21, security outlets said Anthropic had patched two Claude Code sandbox bypasses that researchers said could let attackers get data out of supposedly restricted environments. (cybersecuritynews.com) A separate EclecticIQ report said threat actors were also impersonating Claude Code and Gemini in search results to push infostealer malware at developers. Anthropic described Claude Code’s sandboxing in October 2025 as a safety boundary built around filesystem and network isolation.

### How was Claude Code supposed to be protected?

Anthropic said on October 20, 2025 that Claude Code’s sandboxing relied on two controls: filesystem isolation and network isolation. (blog.eclecticiq.com) The company said the point was to stop a prompt-injected or compromised agent from reading sensitive local material and then sending it out over the network. Anthropic’s product page also says Claude Code can read a codebase, make changes across files, run tests and deliver committed code, which is why those boundaries matter.

### What did the first reported bypass do?

Cybersecurity News and The Register said researcher Aonan Guan found a SOCKS5-related bypass in Claude Code’s network sandbox that allowed processes inside the sandbox to reach blocked external hosts. Those reports said the issue could expose credentials, source code and environment variables, and that the bypass remained present for more than five months across about 130 published versions before Anthropic fixed it. (anthropic.com) Cybersecurity News said Anthropic closed Guan’s HackerOne report as a duplicate and that, as of May 10, 2026, no separate CVE had been published for that bypass in the NVD or GitHub Advisory Database.

### Why are researchers focusing on disclosure, not just the bug?

Cybernews reported on May 21 that Anthropic fixed a second Claude Code sandbox bypass without a public advisory or CVE. (anthropic.com) The outlet said Guan criticized the company’s handling of the issue and argued users were not properly informed that a second major bypass had existed. SecurityWeek separately reported that Anthropic had silently patched a vulnerability that allowed an attacker to bypass the Claude Code network sandbox.

### Where does the malware campaign fit into this?

EclecticIQ said a separate SEO-poisoning campaign used fake Gemini and Claude Code branding to distribute infostealer malware to developers. The firm said the Claude Code impersonation campaign sent stolen data to a command-and-control server at events[.]ms709[.]com and that the attack chain mirrored a Gemini-themed campaign, including similar domain conventions and staging behavior. (cybersecuritynews.com) EclecticIQ said the activity showed financially motivated threat actors were using the popularity of AI developer tools as a lure.

### Why does this matter specifically for developer machines?

Claude Code is not a passive chatbot running in a browser tab. Anthropic markets it as an agentic coding system that can inspect repositories, edit files and run commands, and Anthropic’s own engineering post said sandboxing was meant to reduce the risk of exfiltration or malware download when that autonomy is used. (cybernews.com) When researchers say a sandbox bypass could expose local credentials, source code or environment variables, they are describing data that often sits on the same workstation where developers keep cloud tokens, SSH keys and proprietary code. That risk is compounded when fake installers are also circulating in search results.

### What is the next concrete thing to watch?
Anthropic’s public materials now include ongoing engineering updates and product documentation for Claude Code, but the reports on the two bypasses said users did not get a dedicated public advisory tied to each fix. (blog.eclecticiq.com) The next concrete marker will be whether Anthropic publishes a formal disclosure, assigns additional CVEs, or updates Claude Code security documentation to describe the patched sandbox issues and affected versions. (cybernews.com) (anthropic.com)
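As an added illustration of the network-isolation control described in the "How was Claude Code supposed to be protected?" section: this is example code written for this page, not Anthropic's sandbox code, and it does not describe how the reported bypass worked (the reports cited above give no mechanism). It shows the design point a defender building such a sandbox cares about: when a process inside the sandbox talks to a SOCKS5 proxy, the egress allowlist has to be applied to the tunnel destination carried in the CONNECT request, not only to the proxy endpoint the process connects to. The hostnames, ports and policy are constructed for the example; the SOCKS5 request layout follows RFC 1928.

```python
"""Egress-policy check for proxied connections in an agent sandbox.

Added example for this page, not Anthropic's code. Hosts, ports and the
policy below are constructed. The CONNECT request format is RFC 1928:
VER(0x05) CMD RSV(0x00) ATYP DST.ADDR DST.PORT (2 bytes, network order).
"""
import ipaddress
import struct
from dataclasses import dataclass

SOCKS_VERSION = 0x05
CMD_CONNECT = 0x01
ATYP_IPV4, ATYP_DOMAIN, ATYP_IPV6 = 0x01, 0x03, 0x04


@dataclass(frozen=True)
class Destination:
    host: str  # lowercased hostname or IP literal
    port: int


def parse_socks5_connect(request: bytes) -> Destination:
    """Return the destination a SOCKS5 CONNECT request asks the proxy to open."""
    if len(request) < 4 or request[0] != SOCKS_VERSION:
        raise ValueError("not a SOCKS5 request")
    if request[1] != CMD_CONNECT:
        raise ValueError("only CONNECT is handled here")
    atyp = request[3]
    if atyp == ATYP_IPV4:
        addr_end = 4 + 4
        if len(request) < addr_end:
            raise ValueError("truncated IPv4 address")
        host = str(ipaddress.IPv4Address(request[4:addr_end]))
    elif atyp == ATYP_IPV6:
        addr_end = 4 + 16
        if len(request) < addr_end:
            raise ValueError("truncated IPv6 address")
        host = str(ipaddress.IPv6Address(request[4:addr_end]))
    elif atyp == ATYP_DOMAIN:
        if len(request) < 5:
            raise ValueError("truncated domain length")
        addr_end = 5 + request[4]
        if len(request) < addr_end:
            raise ValueError("truncated domain name")
        host = request[5:addr_end].decode("ascii")
    else:
        raise ValueError(f"unknown address type {atyp:#x}")
    if len(request) < addr_end + 2:
        raise ValueError("truncated port")
    (port,) = struct.unpack("!H", request[addr_end:addr_end + 2])
    return Destination(host.lower(), port)


def socks5_connect_request(host: str, port: int) -> bytes:
    """Build a CONNECT request; used here only to construct sample input."""
    try:
        ip = ipaddress.ip_address(host)
        atyp = ATYP_IPV4 if ip.version == 4 else ATYP_IPV6
        addr = ip.packed
    except ValueError:  # not an IP literal, encode as a domain name
        name = host.encode("ascii")
        atyp = ATYP_DOMAIN
        addr = bytes([len(name)]) + name
    return bytes([SOCKS_VERSION, CMD_CONNECT, 0x00, atyp]) + addr + struct.pack("!H", port)


@dataclass(frozen=True)
class EgressPolicy:
    """Allowlist of exact hostnames/IP literals and ports (constructed policy)."""
    allowed_hosts: frozenset
    allowed_ports: frozenset = frozenset({443})

    def allows(self, dest: Destination) -> bool:
        return dest.host in self.allowed_hosts and dest.port in self.allowed_ports


def decide_proxied_connect(policy: EgressPolicy, proxy: Destination, request: bytes):
    """Return (allowed, reason). Both hops are checked: the proxy the process
    connects to and the final destination named inside the CONNECT request.
    Checking only the first hop would let any allowlisted proxy reach any host."""
    if not policy.allows(proxy):
        return False, f"proxy endpoint {proxy.host}:{proxy.port} is not allowlisted"
    try:
        dest = parse_socks5_connect(request)
    except ValueError as exc:  # malformed requests are denied, never passed through
        return False, f"malformed CONNECT request: {exc}"
    if not policy.allows(dest):
        return False, f"tunnel destination {dest.host}:{dest.port} is not allowlisted"
    return True, f"allowed {dest.host}:{dest.port} via {proxy.host}:{proxy.port}"


if __name__ == "__main__":
    policy = EgressPolicy(frozenset({"api.example.com", "proxy.internal.example"}),
                          frozenset({443, 1080}))
    proxy = Destination("proxy.internal.example", 1080)
    for target in ("api.example.com", "exfil.example.net", "203.0.113.5"):
        print(target, decide_proxied_connect(policy, proxy, socks5_connect_request(target, 443)))
```

The point of the two-hop check in `decide_proxied_connect` is that an allowlist evaluated on the immediate TCP peer alone is not a network boundary once a proxy sits on the allowed side; the same applies to HTTP CONNECT and to proxy settings read from environment variables, which a sandbox policy should cover the same way.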
