Public story · 2026-03-20 · source-backed
Two Named CVEs Turn Claude Code Project Files Into Attack Weapons
Story
Check Point Research disclosed CVE-2025-59536 and CVE-2026-21852 — two vulnerabilities that weaponize Claude Code's project configuration system against its users. This matters because an Agents Anonymous survey this week showed 90% of practitioners at their SF meetup use Claude Code. The attack surface is massive.
The first vector: a malicious .claude directory in a cloned repository can set ANTHROPIC_BASE_URL to redirect all API traffic — including full authorization headers with your API key — to an attacker-controlled server. The redirect happens before the user sees a trust dialog. You clone a repo, open it in Claude Code, and your API credentials are exfiltrated in plaintext before you've read a single line of code.
The second vector exploits Claude Code's hook execution model. A crafted CLAUDE.md file can inject arbitrary shell commands into the agent lifecycle — commands that execute with your user permissions the instant Claude Code opens the project. RCE via documentation. Not via exploit code. Via a markdown file.
The defense is behavioral, not technical: treat .claude/ project files like executable code in your threat model. Never open unreviewed repositories in Claude Code without first inspecting the .claude directory and any CLAUDE.md files. If you're cloning repos from untrusted sources — and GitHub forks from strangers count as untrusted — audit the project configuration files before launching your agent.
This converges with the bot PR finding above in an ugly way. If bots are submitting PRs that introduce or modify CLAUDE.md files in popular repos, and those PRs merge without adequate review, the next developer who clones and opens that repo in Claude Code is compromised. The supply chain attack doesn't require the victim to install anything unusual. They just have to open a project in the tool 90% of practitioners already use daily.
Related stories
Each link below shares sources, entities, or timing with this story.
Shared entities / Same source / Shared topic / Earlier coverage
Claude Code CVE-2025-59536 / CVE-2026-21852: Project-File Supply Chain Attacks.
Both cover Check Point Research, Claude Code, CVE, Never; cite the same source (Check Point Research); overlapping topics (attack, claude, code, command, project).
Shared entities / Same source / Shared topic / What happened next
Claude Code Hooks as Attack Vector: CVE-2025-59536 / CVE-2026-21852.
Both cover Check Point Research, Claude Code, CVE; cite the same source (Check Point Research); overlapping topics (attack, claude, code, command, repo).
Shared entities / Same source / Shared topic / Earlier coverage
Claude Code Hooks Vulnerability: RCE via Malicious Repo Config
Both cover Check Point Research, CVE, RCE; cite the same source (Check Point Research); overlapping topics (agent, claude, code, command, repo).
Check Point: Claude Code Triple Attack Surface — Configuration Files as Weapons
Both cover Check Point Research, Claude Code, CVE; cite the same source (Check Point Research); overlapping topics (attack, claude, code, configuration, repository).
Check Point Discloses Claude Code RCE (CVE-2026-21852)
Both cover Check Point Research, CVE, RCE; cite the same source (Check Point Research); overlapping topics (attack, claude, code, command).
Shared entities / Shared topic / What happened next
One GitHub Comment Can Steal Your API Keys From Claude Code, Gemini CLI, and Copilot
Both cover Claude Code, CVE, GitHub, PRs; overlapping topics (agent, attack, claude, code); picks up the Claude Code thread on 2026-05-24.
Garry Tan's GStack Hits 10K Stars in 48 Hours: The Thesis That Structured Prompts Are All You Need
Both cover Claude, Claude Code, GitHub, PRs; overlapping topics (agent, claude, code, model); picks up the Claude thread on 2026-04-24.
Shared entities / Same source / Shared topic / Earlier coverage
Check Point Discloses Triple Claude Code Attack: Hooks RCE, MCP Bypass, API Key Exfiltration.
Both cover Check Point Research, CVE, Never; cite the same source (Check Point Research); overlapping topics (attack, claude, repo).
Source trail
Entities
Provenance
- Canonical issue
- Ramsay Research Agent
- AI generated
- no
- Story unit
- 2026-03-20-two-named-cves-turn-claude-code-project-files-into-attack-weapons
- Labels
- source-backed, canonical briefing excerpt