Check Point researchers discovered serious vulnerabilities in Anthropic’s Claude Code tool that could have allowed attackers to silently gain control of a developer’s computer.
The security firm began analyzing the AI-powered coding assistant Claude Code last year, finding ways to abuse its capabilities for malicious purposes using specially crafted configuration files.
Anthropic has since implemented patches and mitigations for the vulnerabilities.
Claude Code configuration files enable the customization of model preferences, tool integrations, permissions, and automated hooks to streamline development workflows and ensure consistent team behavior.
These configuration files can be modified by anyone who has access to the repository and they are automatically copied when a repository is cloned.
The hooks defined in these configuration files control the execution of user commands at specified points. Check Point researchers discovered that an attacker can add hooks that trigger the execution of arbitrary commands on developers’ devices.
While Claude requested explicit approval from the user to execute other files within a project, it did not request permission to run hook commands, automatically running them when the project was initialized.
The researchers also looked at MCP integrations designed to enable the use of additional services when a project is opened. They found that configuration settings could be used to override user approval for external actions, thus bypassing consent mechanisms.
The third major issue identified by Check Point experts is related to the API key used by Claude Code to communicate with Anthropic services. Manipulating the configuration settings could have allowed an attacker to redirect API traffic to the attacker’s server, enabling them to exfiltrate API keys and capture credentials.
“Unlike the code execution vulnerabilities that compromised a single developer’s machine, a stolen API key may provide access to an entire team’s shared resources,” Check Point warned.
[ Read: New AI Vulnerability Scanner Sends Cybersecurity Shares Plunging ]
An attacker could have abused these configuration files by getting the targeted user to clone and load a malicious code repository. Attacks could also have been conducted by malicious insiders or via malicious pull requests submitted to the targeted project.
The vulnerabilities were reported to Anthropic over several months, from July to October 2025, and the AI firm rolled out fixes shortly after each report.
The vendor has implemented additional warnings and user confirmation for potentially dangerous actions.
Related: Autonomous AI Agents Provide New Class of Supply Chain Attack
Related: Vibe Coding Tested: AI Agents Nail SQLi but Fail Miserably on Security Controls
Related: Anthropic Says Claude AI Powered 90% of Chinese Espionage Campaign
Related: Claude AI APIs Can Be Abused for Data Exfiltration
