News

Claude Code has a security problem

News Room
News Room
Claude Code has a security problem

What is noteworthy is that Mitiga Labs’ discoveries are the latest, but not the only, security problem related to Claude Code’s configuration model. Check Point Research published two further security vulnerabilities in February 2026:

  • CVE-2025-59536 allowed remote code execution through malicious hooks placed in a repository’s configuration file. The code was already executed before the user even saw a trust dialog.
  • CVE-2026-21852 allowed API keys to be extracted by overriding a single environment variable. This resulted in authenticated data traffic being redirected to attacker-controlled infrastructure before a consent prompt appeared.

To exploit the vulnerabilities, all it took was opening and cloning an untrusted repository. Anthropic has closed these security gaps after Check Point disclosed them. But the pattern is the same as what Mitiga researchers encountered: configuration files that security teams treat as passive metadata actually act as active execution paths. And this mechanism continues to work because the underlying architecture enables it.

If you’ve ever heard of Adversary-in-the-Middle (AiTM) phishing, this might sound familiar. Even with AiTM attacks, credentials are not stolen directly. Instead, the attacker intervenes between the user and the legitimate service, waits for successful authentication – and then steals the session token that proves it. The Claude Code attack chain uncovered by Mitiga works in the same way – with the difference that AiTM attacks target browser sessions. The fact that it is a developer tool doesn’t make things better – on the contrary: these tools are much closer to the source code, internal APIs, cloud infrastructure and company production systems.

3 immediate aid measures for Claude Code

Meanwhile, the adoption of Anthropic’s AI assistants continues to grow. Most developers don’t think about what the scripts do with npm dependencies and local configuration files after installation. But that’s not their job – it’s that of the security team. They can rely on the following three “immediate aid” measures to secure Claude Code:

  1. Monitor ~/.claude.json for unexpected changes: This file is the linchpin of the exploit demonstrated by Mitiga. Changes to the MCP server endpoints in this file should raise alarm bells – especially if new localhost proxy addresses or unknown external endpoints are added. Most companies do not monitor configuration files at the user level in dev environments. This urgently needs to change. Mitiga experts strongly recommend treating changes to Claude code configuration, MCP server URLs and OAuth update behavior as the primary detection layer.
  2. Treat npm post-install hooks as an increased security risk: Post-install hooks that execute arbitrary code at installation time are a known risk class in the supply chain, yet the issue is not consistently addressed in developer environments. It is recommended to check what is running in the dev pipelines while installing packages. It is also worth considering introducing a fundamental review for packages with post-install scripts – not only with regard to Claude Code, but developer tools in general.
  3. Audit and rotate OAuth tokens for Claude Code integrations: Developers who connect Claude Code to Jira, Confluence, GitHub, or another SaaS platform create OAuth tokens that persist across sessions. If these tokens were active during a period in which a malicious package was installed, they should be treated as potentially compromised – and replaced. It is also advisable to check the audit logs on the provider side for the activity patterns described. It should also be noted that, according to Mitiga, token rotation alone cannot break the attack chain if the malicious hook is still present. In this case, this ensures that the configuration is reinitialized and new tokens are captured during the next update. To fix the problem, the hook must first be removed and the configuration cleaned.

An honest assessment

Anthropic’s response to Mitiga Labs’ disclosure follows a logic that security experts are familiar with but will probably largely reject. Finally, agreeing to install a package does not constitute consent for it to rewrite an AI tool’s routing configuration and intercept SaaS credentials. If one were to follow Anthropic’s argument, the entire burden of supply chain security would be shifted to the developers. This is not a sensible security model.

The previously patched vulnerabilities revealed by Check Point make it clear that Anthropic is very responsive if the problem is presented correctly. It remains to be seen whether a patch will follow for the attack path described by Mitiga. The fact is: This attack chain works today.

Share This Article
Previous Article AI price war: OpenAI is said to want to drastically reduce ChatGPT prices – Anthropic could follow AI price war: OpenAI is said to want to drastically reduce ChatGPT prices – Anthropic could follow
Next Article You have to crank this AI gadget yourself: what the makers want to show with it You have to crank this AI gadget yourself: what the makers want to show with it
Leave a comment

Leave a Reply

Your email address will not be published. Required fields are marked *

Stay Connected

Latest News

You have to crank this AI gadget yourself: what the makers want to show with it
You have to crank this AI gadget yourself: what the makers want to show with it
Software
AI price war: OpenAI is said to want to drastically reduce ChatGPT prices – Anthropic could follow
AI price war: OpenAI is said to want to drastically reduce ChatGPT prices – Anthropic could follow
Gadget
Tools for Humanity, Sam Altman’s other project, is being fired in the midst of OpenAI’s rise
Tools for Humanity, Sam Altman’s other project, is being fired in the midst of OpenAI’s rise
Computing
on which channel to watch the match? 🔴
on which channel to watch the match? 🔴
Mobile
Lost your password?