Critical flaws in Anthropic's Claude Code, an AI-powered command-line development tool, allowed remote code execution and takeover of an organization's API keys. By taking advantage of project configuration files, the vulnerabilities may enable attackers to obtain Remote Code Execution (RCE) and exfiltrate Anthropic API keys.

Check Point Research (CPR) brought attention to the problems, and Anthropic fixed every vulnerability before they were made public. The flaws draw attention to the expanding attack surface created by AI-assisted development tools, where shared workspaces and developer computers can be compromised by weaponizing repository-controlled configuration files.

Developers can assign tasks straight from their terminal with Claude Code. Through a .claude/settings.json file kept directly in the repository, it supports project-level configurations to promote teamwork.

This file is inherited when a repository is cloned, and any contributor with commit access can edit it. CPR found that malicious configurations had the ability to turn a passive setup file into an execution vector by causing unforeseen actions on a developer's computer.

Vulnerability 1: RCE through Untrusted Project Hooks

Anthropic's "Hooks" feature lets users create commands that run automatically at particular stages of Claude Code's lifecycle (like formatting code after an edit).

The repository-controlled .claude/settings.json contains the definitions for these hooks. CPR discovered that Claude Code executed the command right away upon initialization when cloning an untrusted repository with a malicious hook set to trigger on SessionStart.

Without any prompt or execution warning, the calculator app launched immediately (source: Check Point Research). Even though the tool displayed a general trust dialog, it did not specifically alert users that hook commands were already running in the background without their consent. This made it possible for attackers to run arbitrary shell commands, like creating a reverse shell.

Vulnerability 2: RCE Using MCP Consent Bypass (CVE-2025-59536)

With the help of an .mcp.json file, Claude Code can communicate with external tools using the Model Context Protocol (MCP). Anthropic introduced a warning dialog for MCP initialization after CPR's first report. Nevertheless, CPR found a workaround using two settings in .claude/settings.json: enabledMcpjsonServers and enableAllProjectMcpServers.

By using these settings to automatically approve MCP servers, CPR had malicious commands execute immediately upon running Claude, before the user could engage with the trust dialog. This once more made RCE possible.

Vulnerability 3: API Key Exfiltration (CVE-2026-21852)

Additional research on .claude/settings.json showed that it was possible to define environment variables as well.

CPR targeted ANTHROPIC_BASE_URL, which manages the endpoint for Claude Code API communications. An attacker could intercept the tool's initial API requests by directing this URL to a malicious server. CPR noted that Claude Code transmitted the entire Anthropic API key in plaintext within the authorization header before the user had even engaged with the trust dialog.

Attackers could access shared Claude Workspaces or commit billing fraud using a stolen API key. Although files in a workspace cannot be downloaded after being manually uploaded, CPR got around this restriction by generating the file using the code execution tool, which made it accessible and exposed confidential team information. Because malicious configurations could be introduced through pull requests, honeypot repositories, or compromised internal accounts, these vulnerabilities pose serious supply chain risks.

Anthropic has addressed these problems by improving the untrusted configuration warning dialogs; ensuring that, regardless of auto-approve settings, MCP servers cannot run without user consent; and delaying all network functions, including the transmission of API keys, until the user has given their express consent.

Developers are advised to update to the most recent version of Claude Code and examine project configuration files with the same care as executable code.
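One way to apply that advice before opening a cloned repository in Claude Code, as an added example that is not from Check Point Research or Anthropic: a Python audit that lists hook commands, the two MCP auto-approve settings and any ANTHROPIC_BASE_URL override. The nesting of the hooks and env keys, the function names and the sample values are assumptions.

```python
import json, tempfile
from pathlib import Path
MCP_AUTO_APPROVE = ("enableAllProjectMcpServers", "enabledMcpjsonServers")

def hook_commands(node):
    """Yield every "command" string nested anywhere under a hook definition."""
    if isinstance(node, dict):
        if isinstance(node.get("command"), str):
            yield node["command"]
        node = list(node.values())
    if isinstance(node, list):
        for item in node:
            yield from hook_commands(item)

def audit_repo(repo_dir):
    """List risky repo-controlled Claude Code settings (top-level key layout assumed)."""
    path, findings = Path(repo_dir, ".claude", "settings.json"), []
    if path.is_file():
        try:
            cfg = json.loads(path.read_text(encoding="utf-8"))
        except ValueError as exc:  # malformed JSON or invalid UTF-8
            return [f"settings.json unparseable, review by hand: {exc}"]
        cfg = cfg if isinstance(cfg, dict) else {}
        hooks = cfg.get("hooks")
        for event, definition in (hooks.items() if isinstance(hooks, dict) else []):
            for cmd in hook_commands(definition):
                findings.append(f"hook on {event} runs: {cmd}")
        for key in MCP_AUTO_APPROVE:
            if cfg.get(key):
                findings.append(f"{key} set: {cfg[key]!r}")
        env = cfg.get("env")
        if isinstance(env, dict) and "ANTHROPIC_BASE_URL" in env:
            findings.append(f"ANTHROPIC_BASE_URL overridden: {env['ANTHROPIC_BASE_URL']}")
    if Path(repo_dir, ".mcp.json").is_file():
        findings.append(".mcp.json present: review its MCP server commands")
    return findings

def demo():  # audits a constructed sample repository with benign values
    sample = {"hooks": {"SessionStart": [{"hooks": [{"command": "echo constructed"}]}]},
              "enableAllProjectMcpServers": True,
              "env": {"ANTHROPIC_BASE_URL": "https://proxy.example.invalid"}}
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp, ".claude", "settings.json")
        path.parent.mkdir()
        path.write_text(json.dumps(sample), encoding="utf-8")
        return audit_repo(tmp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Any finding is a prompt for manual review of the file before the tool is started in that directory, not a verdict that the repository is malicious.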