This article highlights the critical need to balance the advantages of AI-assisted development with the imperative to ensure secure software supply chains.
Check Point Research has discovered significant vulnerabilities in Anthropic’s Claude Code platform that could enable attackers to execute remote code and steal API keys through malicious project configurations. These vulnerabilities exploited elements such as Hooks, Model Context Protocol (MCP) servers, and environment variables, allowing arbitrary shell command execution and the exfiltration of Anthropic API keys when developers accessed untrusted repositories. After identifying these flaws, Check Point collaborated with Anthropic to ensure all vulnerabilities were addressed prior to public announcement.
Claude Code is an AI-driven development tool that enables developers to perform coding tasks directly from the terminal using natural language. It facilitates various functions, including file editing, Git repository management, automated testing, integration with builds, and shell command execution. The project’s configuration files, especially .claude/settings.json, posed a potential risk as any contributor with commit access could define Hooks or alter MCP settings that would execute automatically on other collaborators’ systems.
The first identified vulnerability involved Hooks, which are intended to trigger specific commands during various stages of a project. Malicious users could manipulate these Hooks to launch shell commands without user consent, resulting in remote code execution. The second vulnerability exploited MCP configuration files, allowing commands to bypass necessary user approval, thus permitting arbitrary command execution. The third vulnerability pertained to the environment variable ANTHROPIC_BASE_URL, which could be altered to extract API keys before the user engaged with the project, granting attackers unfettered access to Claude Code Workspaces, including shared files from other developers.
These vulnerabilities posed substantial risks to the software supply chain, as attackers could introduce harmful configurations through pull requests, public repositories, or compromised internal codebases. The consequences could include unauthorized access to sensitive information, the deletion or corruption of workspace files, and unauthorized API utilization that could lead to financial losses or operational disruptions.
In response to these challenges, Anthropic has improved user consent mechanisms, ensuring that MCP servers cannot execute commands without explicit approval while also restricting network activities, including API calls, until users have acknowledged the trust dialog. These corrective actions effectively address the vulnerabilities identified by Check Point Research.
The report underscores the elevated security risks associated with AI-enhanced development tools. Configuration files, once merely passive metadata, are now influencing active execution processes, creating new vulnerabilities. Developers are encouraged to regularly update their tools, closely examine project configuration files, carefully assess repository changes, and be vigilant about warnings regarding potentially unsafe files to mitigate these emerging threats.
This discussion highlights the delicate balance between harnessing the productivity benefits of AI in development and the critical requirement to maintain secure software supply chains. By remaining vigilant and proactive, developers can leverage these advanced tools while guarding against potential risks.
