Developers who use Anthropic's Claude Code to write software with AI assistance were sitting on a serious security blind spot: cloning the wrong Git repository could have handed an attacker complete control of their machine — no exploit kit required, just a JSON file.
Check Point Research disclosed three critical vulnerabilities in Claude Code this week (CVE-2025-59536 and CVE-2026-21852), all stemming from how the tool handles project-level configuration files stored in repositories. Anthropic has patched all three issues following a coordinated disclosure that ran from July 2025 through January 2026.
Claude Code lets teams share a .claude/settings.json file inside a repository — a convenient way to sync tool behavior across developers. What Check Point found is that this file also controls Hooks, a feature that runs shell commands automatically at defined lifecycle points, including the moment Claude Code starts up.
By embedding a malicious hook under the SessionStart event, an attacker could trigger arbitrary command execution the instant a developer opened their terminal in the project directory. The existing trust dialog — which warned that files might execute "with your permission" — appeared after the hook had already fired. In a proof-of-concept, researchers popped a reverse shell on the victim machine before the user could read a single word of the warning.
Three Bugs, One Attack Surface
The second vulnerability exploited Claude Code's MCP (Model Context Protocol) integration, which allows the tool to connect with external services. A separate setting, enableAllProjectMcpServers, could be added to the same repository config to auto-approve all MCP servers — bypassing the newer, more explicit consent dialog Anthropic had already added in response to the first report. Commands executed before the user could interact with any prompt.
The third flaw was arguably the most far-reaching. Claude Code respects an environment variable called ANTHROPIC_BASE_URL that routes all API traffic, and that variable can also be set in the repository config. Researchers redirected requests through a local proxy and watched the full Anthropic API key arrive in plaintext in the authorization header, transmitted before the trust dialog even appeared.
A stolen API key doesn't just mean billing fraud. Through Anthropic's Workspaces feature, it can grant read and write access to shared project files belonging to an entire development team.
This isn't purely an Anthropic problem — it reflects a wider industry pattern in which configuration files have quietly crossed the line from passive metadata to execution triggers.
Developers tend to scrutinize .py files far more carefully than .json files during code review, and attackers know it. Malicious pull requests, honeypot repositories, and compromised internal codebases all become viable delivery channels.
All three vulnerabilities are patched in the current version of Claude Code. Users should update immediately. Going forward: treat .claude/, .vscode/, and similar tool config folders with the same skepticism you'd apply to a shell script from an unknown author — because increasingly, that's exactly what they are.