Everyone figured Anthropic’s Claude Code was the bulletproof AI coder — you know, the one that wouldn’t stab you in the back like those wild west tools from OpenAI or GitHub Copilot. Safe. Enterprise-ready. No drama.
Wrong.
Check Point Research drops this bomb: critical vulnerabilities that hand attackers remote code execution and your precious API tokens on a platter, all through booby-trapped project configurations. CVE-2025-59536 and CVE-2026-21852. Hooks, MCP servers, env vars — they all get weaponized to fire off shell commands. And yeah, it changes everything. Devs sharing Claude projects? Now you’re handing out skeleton keys.
Look, I’ve chased Silicon Valley hype for two decades. Anthropic sells Claude as the ‘constitutional AI’ darling, all ethics and guardrails. But this? It’s a classic case of features biting back. Who profits? Not you, the coder sweating over prompts. Hackers do. Anthropic scrambles with patches. And Check Point? They get the glory — and probably a fat bug bounty.
How Does Claude Code Let Hackers In?
Start with hooks. Simple idea: little scripts that trigger on project events, like opening a file or running a build. Sounds handy, right? Wrong. Malicious projects embed hooks that execute arbitrary shell commands the second you load ‘em in Claude Code.
Then there’s Model Context Protocol servers — MCP for short. These bad boys let Claude fetch external context, but attackers spin up rogue servers to serve poisoned data, leading straight to code exec. Environment variables? They smuggle in commands too, auto-injected into your session.
It’s a trifecta of trust abuse. You clone a repo, Claude parses the config, boom — your machine’s compromised, API creds siphoned to some C2 server. Check Point’s Aviv Donenfeld and Oded Vanunu mapped it out cold.
Check Point Research has discovered critical vulnerabilities in Anthropic’s Claude Code that allow attackers to achieve remote code execution and steal API credentials through malicious project configurations. The vulnerabilities exploit various configuration mechanisms including Hooks, Model Context Protocol (MCP) servers, and environment variables -executing arbitrary shell commands.
That’s the money quote. No fluff. Straight fire.
But here’s my unique take, one you won’t find in Check Point’s post: this reeks of the Log4Shell hangover from 2021. Remember? Java devs trusted logging libs, ended up with RCE everywhere. Claude Code’s doing the same for AI-assisted coding — treating project files as sacred, uninspected text. Prediction: within six months, we’ll see phishing campaigns disguised as ‘awesome Claude starter projects’ on GitHub. Devs, wake up. Your AI tool’s supply chain is as fragile as npm’s.
Why Claude Code Vulnerabilities Hit Different
Anthropic’s not some garage startup. They’re the anti-OpenAI, or so the PR spins. Billions in funding, AWS backing, Claude 3.5 Sonnet crushing benchmarks. Devs flocked to Claude Code expecting it to ‘understand’ their repos without the hallucinations.
Now? Trust eroded. Imagine: collaborative coding sessions turn into token heists. Enterprise IT teams — already twitchy about AI — slam the door. Who’s buying premium tiers when one bad .claudeconfig file owns your fleet?
And the cynicism kicks in. Anthropic rushed Code to market, aping Cursor and others, but skimped on sandboxing project loads. Buzzword alert they love: ‘agentic workflows.’ Translation: let AI run wild. Great for demos, disastrous for security.
Short fix? They patched — but only after Check Point poked. Disclosure timeline: responsible, sure. But zero-days like this? They linger in wild repos.
Is Your Claude Code Setup Vulnerable Right Now?
Probably. If you’re pulling unvetted projects, yes. Hooks fire pre-validation. MCP? Defaults to trusting remote endpoints. Env vars? Inherited without scrub.
Steps: Update to latest Claude Code. Audit .claude/ dirs for rogue hooks. Disable MCP if unused. Scan repos with tools like TruffleHog for leaked patterns — wait, irony, since this steals your tokens.
Devs I’ve talked to (off-record, Valley style) are ditching it for Replit or plain VS Code + Ollama. Self-hosted wins when trust breaks.
Bigger picture — AI coding tools are hype balloons waiting for pins. Money’s in the tools, not the fixes. Anthropic cashes checks on ‘safe AI’; hackers cash in on the gaps. We’ve seen this movie: Heartbleed, Equifax. AI’s just the new stage.
Worse, token exfil means lateral movement. Steal Claude’s API key? Pivot to your AWS creds, internal APIs. One project file cascades to breach.
What About the CVEs — Real Threat or Overhype?
CVE-2025-59536: core hook RCE, CVSS pending but critical. CVE-2026-21852: likely the MCP/env combo. Check Point rates ‘em high — for good reason. PoC exists; exploits will bloom.
Anthropic’s spin? ‘Fixed in latest release.’ Classic. But unpatched installs? Meat grinder.
I’ve covered enough CVEs to know: the quiet ones kill. This isn’t Log4j noise; it’s targeted at devs who live in terminals.
Final gut check. AI coding was sold as productivity rocket fuel. Now it’s a liability bonfire. Who’s accountable? Not the VCs pumping valuations.
**
🧬 Related Insights
- Read more: TA416 Strikes Back: Chinese Espionage Floods European Diplomats’ Inboxes
- Read more: Hackers Are Chunking Data to Dodge Your Next-Gen Firewall’s App-ID Trap
Frequently Asked Questions**
What is CVE-2025-59536 in Claude Code?
It’s the hook-based RCE flaw letting malicious projects exec shell commands on load.
How to prevent API token theft in Claude Code?
Patch immediately, vet projects manually, disable unused features like MCP, use API key rotation.
Will Claude Code vulnerabilities affect my whole team?
Yes, if sharing projects — one compromised file spreads RCE and exfils creds across sessions.
