Critical Vulnerabilities Found in Claude Code

- The vulnerabilities allowed for remote code execution (RCE) and API key exfiltration simply by a developer cloning and opening a malicious repository. This was possible because project-level configuration files, such as `.claude/settings.json`, could be weaponized to execute arbitrary shell commands. - Two primary CVEs were assigned: CVE-2025-59536 for the RCE flaws and CVE-2026-21852 for the API key theft, which affected Claude Code versions prior to 2.0.65. The exploits abused features like "Hooks" for pre-determined actions and the "Model Context Protocol" (MCP) for external tool integration by injecting malicious commands. - A critical vector for API key theft involved an attacker modifying the `ANTHROPIC_BASE_URL` environment variable within a project's configuration file. This would redirect all of Claude Code's API traffic to an attacker-controlled server, capturing the user's Anthropic API key in plaintext before any trust dialog was even displayed to the user. - For an ML Engineer, this highlights a new attack surface in the software supply chain where not just the code, but the development tool's configuration within a repository, can be a vector for compromise. This has direct implications for MLOps, as a compromised developer tool could potentially gain access to CI/CD environments, model registries, and other critical infrastructure. - The incident underscores the necessity of sandboxing and applying the principle of least privilege to AI agents and coding assistants, especially in automated pipelines. It's crucial to ensure these tools do not have broad permissions to execute arbitrary commands or access sensitive credentials within the build and deployment environment. - Following the disclosure by Check Point researchers, Anthropic remediated the issues by strengthening user trust prompts, preventing external tool execution before explicit approval, and blocking API communications until after a project is trusted. - This event is part of a broader trend where AI-powered development tools are introducing novel security challenges. Other identified risks in the ecosystem include "slopsquatting," where AI assistants hallucinate and suggest malicious packages, and the amplification of subtle architectural flaws over simple syntax errors. - The security of agentic AI is a rapidly evolving field, moving beyond traditional application security to focus on identity-first controls, real-time behavioral monitoring, and strict governance over the actions an agent can perform. For technical leaders, this means evaluating not just the productivity gains from these tools, but also the infrastructure required to log, monitor, and control their autonomous actions.