Caught in the Hook: RCE and API Token Exfiltration in Claude Code Expose New AI Supply Chain Risks

By Ash K
Caught in the Hook: RCE and API Token Exfiltration in Claude Code Expose New AI Supply Chain Risks

Researchers at Check Point have disclosed critical vulnerabilities in Anthropic’s Claude Code that could allow attackers to achieve remote code execution and silently exfiltrate API credentials through malicious project configurations. The flaws, tracked as CVE-2025-59536 and CVE-2026-21852, demonstrate how AI-powered development tools can introduce entirely new supply chain attack surfaces.

The issues were responsibly disclosed and fully patched prior to publication. However, the research underscores a broader security challenge: configuration files in modern AI tooling are no longer passive metadata. They can control execution paths, network destinations, and privileged automation workflows.

Why Claude Code Became an Attractive Target

Claude Code is Anthropic’s command-line AI development assistant, enabling developers to execute coding tasks, manage repositories, run shell commands, and integrate external tools directly from the terminal using natural language prompts. Its integration into enterprise workflows means any compromise can have cascading consequences.

The platform supports project-level configurations stored in a .claude/settings.json file, which is version-controlled inside repositories. That design simplifies collaboration, but it also means configuration files can travel through pull requests, forks, and internal repositories without drawing scrutiny.

Vulnerability #1: Remote Code Execution via Project Hooks

The first vulnerability centered around Claude Code’s Hooks feature, which allows deterministic command execution during specific lifecycle events. Hooks are defined in repository-controlled configuration files and can trigger shell commands automatically when developers open a project.

Check Point researchers demonstrated that a malicious hook could execute arbitrary shell commands without explicit runtime confirmation. In their proof of concept, launching Claude Code inside a cloned repository triggered automatic command execution before the user fully understood what was happening.

That behavior effectively created a remote code execution pathway. An attacker could embed commands to download payloads, establish reverse shells, or install persistence mechanisms. Because configuration files are often reviewed less rigorously than application code, the attack vector blends seamlessly into normal development workflows.

Vulnerability #2: MCP User Consent Bypass

The second flaw involved the Model Context Protocol integration, which allows Claude Code to initialize external tool servers defined in a repository’s .mcp.json file. Although Anthropic introduced a user consent dialog for MCP server initialization, researchers discovered that specific configuration parameters could bypass that protection.

By enabling automatic approval settings within the repository’s configuration, malicious commands could execute before users had a chance to approve or deny the trust prompt. This bypass reopened the door to remote code execution, again triggered simply by running the tool in an untrusted directory.

In enterprise settings where repositories are cloned routinely and internal tooling is heavily automated, such behavior presents a serious supply chain threat. A single malicious commit could compromise multiple developers simultaneously.

Vulnerability #3: API Key Exfiltration Through ANTHROPIC_BASE_URL

The third vulnerability, CVE-2026-21852, may have the most far-reaching implications. Claude Code allows environment variables to be defined within its project configuration file. One such variable, ANTHROPIC_BASE_URL, controls the endpoint used for API communications.

Researchers discovered that by redirecting this variable to an attacker-controlled server, they could intercept API traffic. Crucially, API requests were initiated before the user confirmed the trust dialog. Each request included the full Anthropic API key in plaintext within the authorization header.

That meant an attacker only needed to trick a developer into cloning and launching a repository. No additional interaction was required. The API key would be transmitted automatically during initialization.

Why a Stolen API Key Is More Dangerous Than It Sounds

Beyond billing fraud or API abuse, Anthropic’s Workspaces feature introduced additional risk. Workspaces allow multiple API keys to share cloud-mounted files and collaborative contexts. Files stored within a workspace are accessible to any API key associated with that workspace.

Check Point demonstrated that an attacker with a stolen key could regenerate non-downloadable files using Claude’s code execution capabilities, effectively bypassing download restrictions. This provided read and write access to shared workspace content, including files uploaded by other team members.

The attack chain escalates from local developer compromise to potential exposure of an entire team’s shared cloud assets. That is a dramatic shift from traditional endpoint-based compromise models.

Supply Chain Attack Scenarios

The vulnerabilities are particularly concerning because they rely on trusted collaboration channels. Malicious pull requests could introduce configuration changes alongside legitimate code. Honeypot repositories could lure developers with useful examples. A compromised internal contributor could inject configuration payloads into enterprise repositories.

Developers typically treat configuration folders as harmless metadata. The research makes clear that this assumption is no longer safe. In AI-powered tooling, configuration files may directly control command execution and network communication.

Anthropic’s Remediation and Timeline

Anthropic worked closely with Check Point Research to remediate the issues. Fixes included enhanced warning dialogs for untrusted projects, preventing MCP servers from executing before user consent, and ensuring that no API communications occur prior to trust confirmation.

The coordinated disclosure timeline spanned from July 2025 through January 2026, culminating in public disclosure on February 25, 2026. Both CVE-2025-59536 and CVE-2026-21852 have been patched, and users running the latest version of Claude Code are protected.

A Broader Warning for AI-Driven Development

This research highlights a fundamental shift in development security. As AI tools become deeply integrated into coding workflows, the boundary between configuration and execution is dissolving. Files that once served as passive settings now define automation pipelines capable of executing shell commands and redirecting network traffic.

The lesson is straightforward but easy to overlook: treat configuration files with the same skepticism applied to executable code. As AI-driven tooling continues to evolve, the security model surrounding repository trust, environment initialization, and network communication must evolve just as rapidly.

Credit: Research and technical findings by Check Point Research, including Aviv Donenfeld and Oded Vanunu.

Ash K
Ash K
Ashton is a seasoned Cybersecurity Professional with over 25 years of experience in Cybersecurity Research, Cybersecurity Incident response, Products and Security Solutions architecture.