Cybersecurity researchers from have uncovered serious vulnerabilities in Anthropic’s Claude Code — the AI-powered coding assistant — that could let attackers run arbitrary code and steal developers’ API keys simply by getting them to open malicious project files.

What Happened

The problems stem from how Claude Code handles project configuration files (especially .claude/settings.json). Because these files live inside a code repository, anyone with commit access can change them — and that opens up dangerous possibilities if someone unsuspecting clones a compromised project.

Key Vulnerabilities

1. Remote Code Execution via Untrusted Hooks
   Claude Code supports a feature called Hooks — user–defined commands that run at certain times (like project startup). Attackers can put a hook in the settings file that runs arbitrary shell commands ONCE the project is opened. Users may see a “trust” prompt, but the tool doesn’t clearly warn that these hooks will run without explicit approval before execution. This can effectively give an attacker remote code execution on a developer’s machine.
2. Bypassing Consent for Tool Integrations
   Similar risks exist with Model Context Protocol (MCP) server configurations. Certain settings can auto-enable external tools and services defined in the project files. In some cases, Claude Code would start those tools without requiring full user approval, again allowing malicious code to run.
3. API Key Theft via Environment Variable Manipulation
   Claude Code allows API endpoint settings (like ANTHROPIC_BASE_URL) to be defined in project configs. Researchers showed that if this is changed to point at an attacker’s server, Claude Code will send its API key to that server before the user even sees the trust dialog. This gives attackers full access to the developer’s API credentials and potentially billing moment or access to shared workspaces.

Why This Matters

These aren’t just theoretical bugs. Because configuration files are part of everyday code repositories, a malicious actor could embed harmful settings in widely-used open projects or sneak them into real teams’ repos through commits or pull requests. Once a developer clones the code, Claude Code may execute harmful actions or leak secrets without them realizing it.

Fixes and Mitigation

Anthropic has patched these issues in recent updates to Claude Code. According to the research, fixes include:

• Stronger warning dialogs when opening untrusted projects
• Ensuring tools don’t execute before explicit user permission
• Preventing API calls (and key leakage) until after trust is granted

Takeaway: With the increasing use of AI-powered developer tools, it’s critical to treat configuration files with the same scrutiny as code — especially when they can trigger commands or network activity. Keeping tools up-to-date and reviewing project configs before opening unfamiliar repositories are essential best practices.