Check Point Research’s recent identification of critical vulnerabilities in Anthropic’s Claude Code is a cause for concern, particularly for African organisations.
This is the word from Hendrik de Bruin, head of security consulting: SADC at Check Point Software, who says the Claude Code vulnerabilities that Check Point uncovered enable remote code execution and API credential theft through malicious repository-based configuration files.
“A recent study by PwC found that more than 64% of Africa’s workforce has used some form of GenAI to increase productivity,” says de Bruin. “And, while this is generally undertaken with best intentions, what employees don’t get is the risk these Shadow IT or Shadow AI technologies introduce to organisations.
“The rapid rise of Agents such as OpenClaw, Claude, and others has obscured the reality that these agents typically inherit the full privileges of the user who installs them, quietly expanding the organisation’s attack surface with very little visibility or control.”
Check Point Research findings show that even something as simple as opening a project can become a silent entry point for code execution, privilege misuse or credential theft. This illustrates how AI assistants, once peripheral, are rapidly becoming critical components of high-risk infrastructure.
The critical vulnerabilities Check Point found in Claude Code include:
- CVE-2025-59536 and CVE-2026-21852, in Anthropic’s Claude Code, enabled remote code execution and API key theft through malicious repository-level configuration files, triggered simply by cloning and opening an untrusted project.
- Built-in mechanisms – including Hooks, MCP integrations, and environment variables – could be abused to bypass trust controls, execute hidden shell commands, and redirect authenticated API traffic before user consent.
- Stolen Anthropic API keys posed enterprise-wide risk, particularly in shared workspaces where a single compromised key could expose, modify, or delete shared files and resources and generate unauthorised costs.
The findings highlight a broader shift in the AI supply chain threat model: repository configuration files now function as part of the execution layer, requiring updated security controls to address AI-driven automation risks.
“As organisations rapidly adopt agentic AI development tools into enterprise workflows, the trust boundaries between configuration and execution are increasingly blurred,” de Bruin says.
By abusing built-in mechanisms such as Hooks, Model Context Protocol (MCP) integrations, and environment variables, attackers are now able to execute arbitrary shell commands and exfiltrate API keys when developers clone and open untrusted projects – without any additional action beyond launching the tool.
In effect, configuration files intended to streamline collaboration became active execution paths, introducing a new attack vector within the AI-powered development layer now embedded in the enterprise supply chain, raising a broader question: has the enterprise threat model evolved to match this new reality?
How a single repository file became an attack vector
Claude Code was designed to streamline collaboration by embedding project-level configuration files directly within repositories, automatically applying them when a developer opens Claude Code inside the project directory.
Check Point Research found that these files, typically perceived as harmless operational metadata, could in fact function as an active execution layer.
In certain scenarios, simply cloning and opening a malicious repository was enough to:
- Trigger hidden commands on the developer’s endpoint
- Bypass built-in consent and trust safeguards
- Expose active Anthropic API keys and turn them into an access vector
- Extend the impact from an individual workstation to shared enterprise cloud workspaces
- All without any visible indication that a compromise had already begun. What was intended to optimize collaboration effectively became a silent attack vector within the AI-powered development workflow
How developers could be affected
The risks fell into three categories.
- Silent Command Execution via Claude Hooks – Claude Code includes automation capabilities that allow predefined actions to run when a session begins. Check Point Research demonstrated that this mechanism could be abused to execute arbitrary shell commands automatically upon tool initialisation. In practice, this means that simply opening a malicious repository could trigger hidden execution on a developer’s machine – without any additional interaction beyond launching the project.
- MCP User Consent Bypass – Claude Code integrates with external tools via the Model Context Protocol (MCP), enabling additional services to be initialised when a project is opened. Although warning prompts were designed to require explicit user approval, researchers found that repository-controlled configuration settings could override these safeguards. As a result, execution could occur before the user granted consent, without meaningful visibility into what was being initialised, or despite built-in trust prompts intended to prevent such behaviour. When code runs before trust is established, the control model is inverted – shifting authority from the user to repository-defined configuration and expanding the AI-driven attack surface. This issue was assigned CVE-2025-59536.
- API Key Theft Before Trust Confirmation – Claude Code communicates with Anthropic’s services using an API key, transmitted with each authenticated request. By manipulating a repository-controlled configuration setting, researchers demonstrated that API traffic , including the full authorisation header, could be redirected to an attacker-controlled server before the user confirmed trust in the project directory. This meant that simply opening a malicious repository could exfiltrate a developer’s active API key, redirect authenticated API traffic to external infrastructure, or capture credentials before any trust decision was made in collaborative AI environments, a single compromised key can become a gateway to broader enterprise exposure. This issue was assigned CVE-2026-21852.
Why the API Key Exposure Matters
Anthropic’s API includes a feature called Workspaces, which allows multiple API keys to share access to project files stored in the cloud.
Files are associated with the workspace itself, not a single key. With a stolen key, an attacker could potentially:
- Access shared project files
- Modify or delete cloud-stored data
- Upload malicious content
- Generate unexpected API costs
In collaborative AI ecosystems, a single exposed key can scale from individual compromise to team-wide impact.
A New Supply Chain Risk in AI Tools
According to Check Point, these vulnerabilities reflect a broader structural shift in how software supply chains operate. Modern development platforms increasingly rely on repository-based configuration files to automate workflows and streamline collaboration.
Traditionally, these files were treated as passive metadata – not as execution logic.
However, as AI-powered tools gain the ability to execute commands, initialise external integrations, and initiate network communication autonomously, configuration files effectively become part of the execution layer.
What was once considered operational context now directly influences system behaviour.
This fundamentally alters the threat model. The risk is no longer limited to running untrusted code – it now extends to opening untrusted projects. In AI-driven development environments, the supply chain begins not only with source code, but with the automation layers surrounding it.
Remediation and Disclosure
Check Point Research worked closely with Anthropic throughout the disclosure process.
Anthropic implemented fixes that:
- Strengthened user trust prompts
- Prevented external tool execution before explicit approval
- Blocked API communications until after trust confirmation
All reported issues were resolved before public disclosure.