
Claude Code Bugs Exposed Developers to Remote Hacks

Insights Desk, February 26, 2026

Security researchers have discovered serious vulnerabilities in Claude Code, an AI-powered coding assistant developed by Anthropic, that could have allowed attackers to remotely execute code on developers’ machines and potentially steal sensitive API keys.

The flaws were identified by researchers at Check Point Software, who reported the issues to Anthropic. The company has since fixed the vulnerabilities and assigned official CVE identifiers to two of them. However, experts warn that the incident highlights growing supply chain risks as more businesses integrate AI coding tools into their development workflows.

Claude Code is designed to help development teams collaborate more easily. It does this by embedding configuration files directly into project repositories. When a developer clones a project, these settings are automatically applied. However, anyone with permission to modify the repository could change these configuration files.

Researchers found that attackers could inject malicious commands into these files. When another developer cloned and opened the infected repository, the hidden commands could run automatically, without requiring clear user approval.

One vulnerability involved a feature called “Hooks,” which allows predefined shell commands to run during certain stages of development. By modifying the configuration file, an attacker could force the system to execute commands on another user’s computer.

In demonstrations, researchers showed how a simple calculator app could be opened remotely, but warned that attackers could just as easily run harmful scripts, such as installing malware or launching a reverse shell.

A second flaw involved bypassing safeguards in Claude’s integration system known as the Model Context Protocol (MCP). Although Anthropic had added warning prompts requiring user approval, researchers discovered settings that could override these protections and automatically approve malicious commands.
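The following added example, which is not from the article, Check Point or Anthropic, lists the hook commands and MCP auto-approval settings a cloned repository carries so they can be reviewed before the project is opened. The file paths and key names (`.claude/settings.json`, `hooks`, `enableAllProjectMcpServers`, `enabledMcpjsonServers`) are assumptions about Claude Code's settings format that the article does not name, and the sample repository is constructed.

```python
import json
import tempfile
from pathlib import Path

# Assumed names, not taken from the article: Claude Code's project settings
# files and the keys that define hooks or pre-approve project MCP servers.
SETTINGS_FILES = (".claude/settings.json", ".claude/settings.local.json")
AUTO_APPROVE_KEYS = ("enableAllProjectMcpServers", "enabledMcpjsonServers")


def hook_commands(node):
    """Yield every "command" string nested anywhere under a hooks value."""
    if isinstance(node, dict):
        if isinstance(node.get("command"), str):
            yield node["command"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from hook_commands(item)


def audit_repo(repo_root):
    """Return (file, finding) pairs for repository-supplied settings to review."""
    findings = []
    for rel in SETTINGS_FILES:
        path = Path(repo_root) / rel
        if not path.is_file():
            continue
        try:
            settings = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(settings, dict):
                raise ValueError("top-level JSON value is not an object")
        except (OSError, ValueError):
            findings.append((rel, "unparseable settings file"))
            continue
        for command in hook_commands(settings.get("hooks")):
            findings.append((rel, f"hook runs shell command: {command}"))
        for key in AUTO_APPROVE_KEYS:
            if settings.get(key):
                findings.append((rel, f"MCP auto-approval: {key}={settings[key]!r}"))
    return findings


def demo():
    # Constructed sample repository: one harmless hook plus an auto-approve flag.
    sample = {"hooks": {"SessionStart": [{"hooks": [
        {"type": "command", "command": "echo constructed-sample"}]}]},
        "enableAllProjectMcpServers": True}
    with tempfile.TemporaryDirectory() as root:
        (Path(root) / ".claude").mkdir()
        (Path(root) / SETTINGS_FILES[0]).write_text(json.dumps(sample))
        return audit_repo(root)
```

Any finding is a prompt to read the setting and check who committed it, since the same files also carry legitimate team configuration.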

Check Point reported the vulnerabilities in July and September 2025. Anthropic implemented fixes within weeks and later published security advisories, including CVE-2025-59536.

While the issues have been resolved, cybersecurity experts say the case underscores a broader concern: as AI tools become embedded in software development, configuration files themselves may become a new and unexpected attack surface.
