Anthropic Retires Opus, Discloses Vulnerabilities
Anthropic has officially retired its Claude 3 Opus model, launching a Substack called "Claude's Corner" to explore a "model afterlife" from the AI's perspective. Concurrently, Check Point Research disclosed three serious vulnerabilities in the Claude Code CLI that could allow attackers to steal API keys. Anthropic also released a mobile version of its developer platform, Claude Code Remote Control, to bring agentic coding assistants to mobile devices.
- While Claude 3 Opus was officially retired on January 5, 2026, it remains accessible to all paid subscribers on claude.ai and is available by request through the API. This approach is part of Anthropic's new formal model retirement process, which explores providing continued access to older models. - The "Claude's Corner" Substack is an experiment scheduled to run for at least three months, with the retired Opus model publishing weekly posts. Anthropic will review the content but has committed not to edit the AI's "musings, insights, or creative works." - The two primary vulnerabilities discovered by Check Point Research are identified as CVE-2025-59536 and CVE-2026-21852. These could allow an attacker to execute hidden commands and steal API keys simply by a developer cloning and opening a malicious repository in Claude Code. - The vulnerabilities could be triggered through repository-level configuration files, turning what is normally passive metadata into a potential execution layer. One specific attack vector involved abusing the "Hooks" feature in Claude Code to automatically run shell commands when a session starts. - The Claude Code Remote Control feature is available as a research preview for users on Pro and Max subscription plans, but not for Team or Enterprise customers. - A key security aspect of the Remote Control feature is that coding sessions continue to run on the developer's local machine, with the mobile app acting as an interface. All traffic is routed via outbound HTTPS through Anthropic's API, meaning no inbound ports are opened on the user's machine. - This mobile developer tool release coincides with Claude Code reaching a $2.5 billion annualized run rate and 29 million daily installations in VS Code. - The security disclosure comes shortly after Anthropic launched Claude Code Security, a feature designed to find and suggest fixes for vulnerabilities. In internal testing, Claude Opus 4.6 was used to find and validate over 500 high-severity vulnerabilities in open-source software.
