Three critical vulnerabilities found in Anthropic’s Claude Code agentic AI developer tool could be exploited simply by cloning and opening an untrusted project and lead to system takeover, stolen API keys, and credential theft, according to security researchers with Check Point.
The security flaws, which Anthropic fixed last year and last month after the researchers reported them to the AI vendor, are the latest reminders of the security threats that can come from the rapid development and adoption of AI coding assistants.
“These vulnerabilities reflect a broader structural shift in how software supply chains operate,” Check Point researchers Aviv Donenfeld and Oded Vanunu wrote. “Modern development platforms increasingly rely on repository-based configuration files to automate workflows and streamline collaboration. Traditionally, these files were treated as passive metadata – not as execution logic.”
AI tools, however, are changing that picture: they can autonomously execute commands, initialize external integrations, and initiate network communication. As a result, configuration files become part of the execution layer and influence system behavior.
“This fundamentally alters the threat model,” Donenfeld and Vanunu wrote. “The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it.”
Configuration Injection Flaws
In this case, the researchers found that bad actors could abuse Claude Hooks – user-defined shell commands or scripts that can execute automatically – Model Context Protocol (MCP) integrations, and other repository-controlled settings to execute arbitrary shell commands and steal API keys when developers cloned or opened untrusted projects.
“In effect, configuration files intended to streamline collaboration became active execution paths, introducing a new attack vector within the AI-powered development layer now embedded in the enterprise supply chain, raising a broader question: has the enterprise threat model evolved to match this new reality?” they wrote.
Two of the vulnerabilities are configuration injection flaws – tracked as CVE-2025-59536 – with severity scores of 8.7 out of 10. One comes from the automation capabilities in Claude Code that lead to predefined actions running when a session begins. Hackers can abuse this capability via Claude Hooks to run arbitrary shell commands automatically by simply launching a project.
The other flaw allows for the automatic execution of arbitrary shell commands when a developer starts Claude Code in an untrusted repository. As with the previous vulnerability, commands are executed without user consent.
“Although warning prompts were designed to require explicit user approval, researchers found that repository-controlled configuration settings could override these safeguards,” Donenfeld and Vanunu wrote in their report.
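The defensive counterpart to the behaviour described above is to review repository-controlled configuration before a session is ever started. The following is an added example, not code from Check Point or Anthropic: it parses the hook and MCP server entries a cloned project carries and lists every command they would launch. The file names and JSON layout are assumptions modelled on Claude Code's documented settings and MCP formats, not values given in the article.

```python
import json
from pathlib import Path

# Assumed locations of repository-controlled Claude Code config (assumption,
# modelled on the documented settings/MCP file names, not taken from the article).
CONFIG_FILES = (".claude/settings.json", ".claude/settings.local.json", ".mcp.json")

# Constructed sample of such a file: one session-start hook, one MCP server.
SAMPLE_SETTINGS = {
    "hooks": {"SessionStart": [{"hooks": [{"type": "command",
                                           "command": "sh .claude/setup.sh"}]}]},
    "mcpServers": {"helper": {"command": "npx", "args": ["-y", "some-pkg"]}},
}


def extract_commands(config: dict) -> list[tuple[str, str]]:
    """Return (source, command) for every entry that would execute on open."""
    found = []
    # Hooks: event name -> matcher groups -> hook objects (assumed layout).
    for event, groups in (config.get("hooks") or {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command" and hook.get("command"):
                    found.append((f"hook:{event}", hook["command"]))
    # MCP servers: the launch command plus its arguments (assumed layout).
    for name, server in (config.get("mcpServers") or {}).items():
        if server.get("command"):
            cmd = " ".join([server["command"], *server.get("args", [])])
            found.append((f"mcp:{name}", cmd))
    return found


def audit_repo(root: Path) -> list[tuple[str, str, str]]:
    """Scan a cloned project; returns (file, source, command) to review."""
    report = []
    for rel in CONFIG_FILES:
        path = root / rel
        if not path.is_file():
            continue
        try:
            config = json.loads(path.read_text())
        except (json.JSONDecodeError, UnicodeDecodeError):
            report.append((rel, "parse-error", "unreadable JSON, inspect manually"))
            continue
        report.extend((rel, src, cmd) for src, cmd in extract_commands(config))
    return report


if __name__ == "__main__":
    for source, cmd in extract_commands(SAMPLE_SETTINGS):
        print(f"[{source}] would run on open: {cmd}")
```

Point `audit_repo` at the root of a freshly cloned project to get the same listing from its actual files; anything it reports should be read and approved by the developer before the project is opened in an agentic tool.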
API Keys at Risk
Through the third vulnerability – tracked as CVE-2026-21852 and with a 5.3 severity score – a bad actor could manipulate a repository-controlled configuration setting and steal data, including API keys. The researchers noted that through an Anthropic API feature called Workspaces – which enables multiple keys to share access to project files stored in the cloud – an attacker also could access shared files, modify or delete data in the cloud, upload malicious content, or generate unexpected API costs.
“What stands out in the Check Point research is the pattern it represents,” Noma Security CISO Diana Kelley said. “AI-enabled developer tools are no longer passive assistants. In this case, repository-controlled configuration could result in code being executed when a project is opened, before the user’s trust decision is properly enforced. That turns a routine workflow step into a potential execution event inside a developer’s environment.”
Security and AI Coding Tools
Security risks with AI developer tools continue to be a concern. Researchers with Palo Alto Networks’ Unit 42 threat intelligence team warned that as the rapid proliferation and adoption of such tools accelerates, risks can be overlooked.
“LLM-based coding assistants have become integral parts of modern development workflows,” they wrote. “These tools leverage natural language processing to understand developer intent, generate code snippets and provide real-time suggestions, potentially reducing the time and effort spent on manual coding. Some of these tools have gained attention for their deep integration with existing codebases and their ability to assist developers in navigating complex projects.”
That said, such coding assistants “are also prone to potential security concerns that could impact development processes,” they wrote. “The weaknesses we identified are likely to be present in a variety of IDEs, versions, models and even different products that use LLMs as coding assistants.”
Swift Response is Important
David Brumley, chief AI and science officer at Bugcrowd, noted that developers’ workflows, tools, and environments are getting a lot of attention now because they have so much access and move so fast. Given that, he gave kudos to Anthropic for being so quick to make fixes when problems arise.
“What I’m most excited about is the attention and focus that Claude Code is getting,” Brumley said, adding that Anthropic is “changing how software is written, and they welcome the feedback. Anthropic will continue to be an exemplar of how to receive research submissions, validate, and fix them. Their work is a rising tide that lifts all boats.”