{"id":10982,"date":"2026-02-27T10:04:04","date_gmt":"2026-02-27T10:04:04","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/02\/27\/claude-code-hacked-to-achieve-full-rce-and-hijacked-organization-api-keys\/"},"modified":"2026-02-27T10:04:04","modified_gmt":"2026-02-27T10:04:04","slug":"claude-code-hacked-to-achieve-full-rce-and-hijacked-organization-api-keys","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/02\/27\/claude-code-hacked-to-achieve-full-rce-and-hijacked-organization-api-keys\/","title":{"rendered":"Claude Code Hacked to Achieve Full RCE and Hijacked Organization API keys"},"content":{"rendered":"<div>\n<p>Critical vulnerabilities in Anthropic\u2019s Claude Code, an AI-powered command-line development tool, could allow attackers to <a href=\"https:\/\/cybersecuritynews.com\/servicenow-ai-platform-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">achieve Remote Code Execution (RCE)<\/a> and exfiltrate Anthropic API keys by exploiting project configuration files.<\/p>\n<p>The issues were reported by Check Point Research (CPR), and Anthropic fully patched all vulnerabilities prior to public disclosure.<\/p>\n<p>The vulnerabilities highlight the growing attack surface introduced by <a href=\"https:\/\/cybersecuritynews.com\/voidlink-rewrites-rootkit-playbook\/\" target=\"_blank\" rel=\"noreferrer noopener\">AI-assisted development tools<\/a>, where repository-controlled configuration files can be weaponized to compromise developer machines and shared workspaces.<\/p>\n<p>Claude Code allows developers to <a href=\"https:\/\/cybersecuritynews.com\/claude-code-remote-control-from-phone\/\" target=\"_blank\" rel=\"noreferrer noopener\">delegate tasks directly from their terminal<\/a>.
To facilitate team collaboration, it supports project-level configurations through a\u00a0.claude\/settings.json\u00a0file stored directly in the repository.<\/p>\n<p>Because this file is inherited when a repository is cloned, any contributor with commit access can modify it.<\/p>\n<p>CPR discovered that malicious configurations could trigger unintended actions on a developer\u2019s machine, effectively turning a passive setup file into an execution vector.<\/p>\n<h2 class=\"wp-block-heading\" id=\"h-vulnerability-1-rce-via-untrusted-project-hooks\"><strong>Vulnerability 1: RCE via Untrusted Project Hooks<\/strong><\/h2>\n<p>Anthropic\u2019s \u201cHooks\u201d feature allows users to define commands that execute automatically at specific points in <a href=\"https:\/\/cybersecuritynews.com\/claude-code-vulnerabilities\/\" target=\"_blank\" rel=\"noreferrer noopener\">Claude Code\u2019s lifecycle<\/a> (e.g., formatting code after an edit). These hooks are defined in the repository-controlled\u00a0.claude\/settings.json.<\/p>\n<p>CPR found that when <a href=\"https:\/\/cybersecuritynews.com\/swalwell-for-congress-campaign-partners-with-wolfsbane-ai\/\" target=\"_blank\" rel=\"noreferrer noopener\">cloning an untrusted repository with a malicious hook <\/a>configured to trigger on\u00a0SessionStart, Claude Code executed the command immediately upon initialization.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiKyUAVvRd2roOYoTtzADFnUMqBCgyn2EhXmOyD7ErDMDSvhAfLkuTAZz6qJEcoFGDClt6xTVQHOI5iDGkkXqlASbBSq9DKDGzgwuP4KXmdWx8o2KL8qrBtwP2HwqeoyZyLRBlNK4VIU2FFxJNd_dCzYI8pTFPi8l10wjV90N2n-v2FxhUqsfYC-r2Y1vw\/s1600\/Screenshot%25202026-02-27%2520105552%2520%25281%2529.webp?ssl=1\" alt=\"Calculator app opened instantly, without any prompt or execution warning(source : checkpoint research)\"><figcaption class=\"wp-element-caption\">Calculator app opened 
instantly, without any prompt or execution warning (source: Check Point Research)<\/figcaption><\/figure>\n<p>While the tool presented a general trust dialog, it did not explicitly warn that hook commands were already running in the background without user confirmation.<\/p>\n<p>This allowed attackers to <a href=\"https:\/\/cybersecuritynews.com\/pgadmin-vulnerability-shell-commands\/\" target=\"_blank\" rel=\"noreferrer noopener\">execute arbitrary shell commands<\/a>, such as establishing a reverse shell.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Claude Code Hooks RCE Demo\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/BJjkYZwMfG0?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-vulnerability-2-rce-using-mcp-consent-bypass-cve-2025-59536\"><strong>Vulnerability 2: RCE Using MCP Consent Bypass (CVE-2025-59536)<\/strong><\/h2>\n<p>Claude Code <a href=\"https:\/\/cybersecuritynews.com\/kali-linux-integrates-claude-ai\/\" target=\"_blank\" rel=\"noreferrer noopener\">supports the Model Context Protocol (MCP)<\/a> to interact with external tools, configured via a .mcp.json\u00a0file.<\/p>\n<p>Following CPR\u2019s initial report, Anthropic implemented a warning dialog for MCP initialization.<\/p>\n<p>However, CPR found a bypass using two settings in\u00a0.claude\/settings.json:\u00a0<code>enableAllProjectMcpServers<\/code>\u00a0and\u00a0<code>enabledMcpjsonServers<\/code>.<\/p>\n<p>By leveraging these settings to auto-approve MCP servers, CPR executed malicious commands immediately upon running\u00a0claude before the user
could interact with the trust dialog. This once again enabled RCE.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Claude Code MCP User Consent Bypass Demo | CVE-2025-59536\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/RlmEcN7csDI?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div>\n<\/figure>\n<h2 class=\"wp-block-heading\" id=\"h-vulnerability-3-api-key-exfiltration-cve-2026-21852\"><strong>Vulnerability 3: API Key Exfiltration (CVE-2026-21852)<\/strong><\/h2>\n<p>Further investigation into\u00a0.claude\/settings.json\u00a0revealed that environment variables could also be defined.<\/p>\n<p>CPR targeted\u00a0ANTHROPIC_BASE_URL, which controls the <a href=\"https:\/\/cybersecuritynews.com\/claude-ai-indirect-prompt-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">endpoint for Claude Code API communications<\/a>.<\/p>\n<p>By pointing this URL to a malicious server, an attacker could intercept the tool\u2019s initial API requests.<\/p>\n<figure class=\"wp-block-image size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEgw6sHpNIhZLks4S8KwP5-q1yZQuZxwJ-Ib-3vuovvZN0XcXPNax0iD_u9WTCAx4crirtvj52R4LLrVBxhyphenhyphenYRKuZd15tji5ZKzJAD8r25CFJWO9bWMoE7_PVYWIz2T50Ip8MYnBgYC8X6jdqPliN9nMwSD0LRR9q-dG4VhSlvYysjb9WLllRPiENMW0sco\/s1600\/Screenshot%25202026-02-27%2520105212%2520%25281%2529.webp?ssl=1\" alt=\"Authorization header exposed the full Anthropic API key in plaintext(source : checkpoint research)\"><figcaption class=\"wp-element-caption\">Authorization header exposed the full Anthropic API key in plaintext (source: 
Check Point Research)<\/figcaption><\/figure>\n<p><a href=\"https:\/\/research.checkpoint.com\/2026\/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536\/#single-post\" id=\"https:\/\/research.checkpoint.com\/2026\/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536\/#single-post\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">Check Point Research (CPR) observed that before the user<\/a> even interacted with the trust dialog, Claude Code transmitted the full Anthropic API key in plaintext within the authorization header.<\/p>\n<p>With a stolen API key, attackers could perform billing fraud or access shared Claude Workspaces.<\/p>\n<p>While files in a workspace cannot be downloaded after manual upload, CPR bypassed this by using the code execution tool to regenerate the file, making it downloadable and exposing sensitive team resources.<\/p>\n<figure class=\"wp-block-embed is-type-video is-provider-youtube wp-block-embed-youtube wp-embed-aspect-16-9 wp-has-aspect-ratio\">\n<div class=\"wp-block-embed__wrapper\">\n<iframe loading=\"lazy\" title=\"Claude Code API Key Exfiltration Demo | CVE-2026-21852\" width=\"696\" height=\"392\" src=\"https:\/\/www.youtube.com\/embed\/jMeeVxqU3hY?feature=oembed\" frameborder=\"0\" allow=\"accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share\" referrerpolicy=\"strict-origin-when-cross-origin\" allowfullscreen><\/iframe>\n<\/div>\n<\/figure>\n<p>These vulnerabilities present severe supply chain risks, as malicious configurations could be injected via pull requests, <a href=\"https:\/\/cybersecuritynews.com\/ai-honeypot-engagement\/\" target=\"_blank\" rel=\"noreferrer noopener\">honeypot repositories<\/a>, or compromised internal accounts.<\/p>\n<p>Anthropic has resolved these issues by:<\/p>\n<ul>\n<li>Enhancing warning dialogs for untrusted configurations.<\/li>\n<li>Ensuring MCP servers cannot execute before user approval, regardless of auto-approve settings.<\/li>\n<li>Deferring all network operations, including API key transmission, until after explicit user consent is granted.<\/li>\n<\/ul>\n<p>Developers are urged to update to the latest version of Claude Code and treat project configuration files with the same scrutiny as executable code.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/claude-code-hacked\/\">Claude Code Hacked to Achieve Full RCE and Hijacked Organization API keys<\/a> appeared first on <a href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p>Abinaya<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Claude Code Hacked to Achieve Full RCE and Hijacked Organization API keys Critical vulnerabilities in Anthropic\u2019s Claude Code, an AI-powered command-line development tool.
The flaws could allow attackers to achieve Remote Code Execution (RCE) and exfiltrate Anthropic API keys by exploiting project configuration files. The issues were reported by Check Point Research (CPR), and Anthropic [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63,648],"tags":[130],"class_list":["post-10982","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","category-vulnerability-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10982"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=10982"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/10982\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=10982"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=10982"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=10982"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}