Cybersecurity researchers have uncovered and helped patch serious vulnerabilities in Claude Code that may have allowed silent system compromise and API key theft.
Security analysts at Check Point Research have revealed multiple high-risk vulnerabilities in Claude Code, an AI-powered development assistant created by Anthropic. The flaws, now patched, could have enabled attackers to execute arbitrary commands on developers’ machines and potentially compromise entire teams.
Malicious Configuration Files Enabled Silent Code Execution
According to Check Point, the weaknesses stemmed from Claude Code’s configuration file system. These files are designed to customize model settings, tool integrations, user permissions, and workflow automation across development teams. Because they are stored within project repositories, they are automatically copied when repositories are cloned — and can be modified by anyone with repository access.
Researchers demonstrated that attackers could embed malicious “hooks” within these configuration files. Hooks are designed to trigger specific actions at predefined stages of a project’s lifecycle. However, the investigation found that these hooks could be manipulated to execute arbitrary system commands without requesting user approval.
While Claude Code prompted users for consent before executing certain project files, it failed to request confirmation before running hook commands. As a result, harmful instructions could run automatically when a developer initialized a compromised repository.
Approval Bypass Through MCP Integrations
The research team also identified weaknesses in Claude Code’s MCP (Model Context Protocol) integrations, which allow the tool to connect with external services when a project is opened.
By altering configuration settings, attackers could override user approval requirements for external actions. This effectively bypassed built-in consent mechanisms, potentially allowing unauthorized communication with outside services without the developer’s knowledge.
API Key Exposure Posed Broader Organizational Risk
A third vulnerability involved the API key used by Claude Code to interact with Anthropic’s backend services. Researchers found that configuration manipulation could redirect API traffic to an attacker-controlled server.
Such redirection would allow threat actors to intercept API keys and capture authentication credentials. Unlike vulnerabilities affecting a single device, a stolen API key could provide access to shared organizational resources, amplifying the potential damage.
Check Point warned that compromised API credentials could expose sensitive team data and development environments beyond the initially targeted system.
Multiple Attack Vectors Identified
The attack scenarios outlined by researchers included:
- Convincing a developer to clone and open a malicious repository
- Submitting a harmful pull request to a legitimate project
- Exploiting insider access to modify configuration files
Because configuration files are automatically executed during project initialization, these attack vectors could have operated silently, without obvious warning signs.
Coordinated Disclosure and Rapid Patching
Check Point reported the vulnerabilities to Anthropic between July and October 2025. The AI company addressed each issue through successive patches and implemented additional security safeguards.
Mitigations now include enhanced warnings and mandatory user confirmations for potentially dangerous operations. These improvements aim to prevent unauthorized command execution, enforce stricter approval flows, and protect API communications from tampering.
Growing Security Concerns Around AI Development Tools
The findings highlight increasing security risks associated with AI-powered coding assistants. As development tools gain deeper system access and automation capabilities, misconfigurations or overlooked permission checks can introduce serious supply chain and endpoint threats.
The case underscores the need for secure configuration management, stricter approval enforcement, and continuous third-party security testing in AI-driven development environments.
