惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

博客园 - 聂微东
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
L
LangChain Blog
钛媒体:引领未来商业与生活新知
钛媒体:引领未来商业与生活新知
博客园 - 司徒正美
WordPress大学
WordPress大学
T
The Blog of Author Tim Ferriss
Blog — PlanetScale
Blog — PlanetScale
J
Java Code Geeks
Y
Y Combinator Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
GbyAI
GbyAI
Vercel News
Vercel News
大猫的无限游戏
大猫的无限游戏
T
Tailwind CSS Blog
Jina AI
Jina AI
B
Blog
Recorded Future
Recorded Future
MyScale Blog
MyScale Blog
I
InfoQ
aimingoo的专栏
aimingoo的专栏
博客园_首页
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
The Cloudflare Blog
雷峰网
雷峰网
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
腾讯CDC
爱范儿
爱范儿
Last Week in AI
Last Week in AI
博客园 - 三生石上(FineUI控件)
博客园 - Franky
Schneier on Security
Schneier on Security
V
V2EX
TaoSecurity Blog
TaoSecurity Blog
H
Hacker News: Front Page
Cloudbric
Cloudbric
D
DataBreaches.Net
B
Blog RSS Feed
P
Palo Alto Networks Blog
云风的 BLOG
云风的 BLOG
NISL@THU
NISL@THU
I
Intezer
Recent Commits to openclaw:main
Recent Commits to openclaw:main
Cyberwarzone
Cyberwarzone
F
Fortinet All Blogs
D
Darknet – Hacking Tools, Hacker News & Cyber Security
C
Cybersecurity and Infrastructure Security Agency CISA
C
Cisco Blogs
K
Kaspersky official blog
Forbes - Security
Forbes - Security

The Register - Security: Research

www.theregister.com Self-destructing Mistic backdoor linked to access broker selling corporate footholds to ransomware gangs PRC-linked spies hid inside medical and military networks for more than a year, snooping through Gmail and stealing data Nobody needs Mythos or 0-days to build a chaos-causing computer worm – free open source models work just fine ChatGPT blindly trusts browser content, turning the page into a payload Russia-linked threat group put ChatGPT to work from lure to payload Kids can bypass some age checks with a drawn-on mustache What type of 'C2 on a sleep cycle' do they leave behind? Novel Chinese spy group found in critical networks in Poland, Asia ORNL builds more sensitive GPS interference detector Researchers find sabotage malware that may predate Stuxnet Vibe coding upstart Lovable denies data leak, cites 'intentional behavior,' then throws HackerOne under the bus Anthropic, Google, Microsoft paid AI bug bounties – quietly Security reserchers tricked Apple Intelligence into cursing Don't open that WhatsApp message, Microsoft warns Security boffins harvest bumper crop of API keys from web Lightning-fast exploits mean patch fast, says Cisco Talos AI agents are 'gullible' and easy to turn into your minions Smooth criminals talking their way into cloud environments, Google says Snoops plant info-stealing malware on iPhones, Google warns Cybercrime up 245% since the start of the Iran war Rogue AI agents can work together to hack systems Fake applicants are sending security-killing malware AI agent hacked McKinsey chatbot for read-write access Kaspersky: No signs Coruna iPhone exploit kit made by US Perplexity Comet browser hole was exploitable via cal invite DEF CON hackers 'fed up with government,' Jake Braun says DEF CON hackers 'fed up with government,' Jake Braun says Ransomware payments cratered in 2025 – attacks did not Ransomware payments cratered in 2025 – attacks did not AI takes a swing at online anonymity Fake 'interview' repos lure Next.js devs into running secret-stealing malware Threat intelligence supply chain is full of weak links AI agents abound, unbound by rules or safety disclosures RAT disguised as an RMM costs crims $300 a month Android malware taps Gemini to navigate infected devices Posting AI caricatures on social media is bad for security Payroll pirates conned the help desk, stole employee’s pay Microsoft boffins show LLM safety can be trained away For the price of Netflix, crooks can rent AI crime ops For the price of Netflix, crooks can rent AI crime ops Fast Pair, loose security: Bluetooth accessories open to silent hijack Fast Pair flaw exposes Bluetooth devices to hijacking A simple CodeBuild flaw put every AWS environment at risk A simple CodeBuild flaw put every AWS environment at risk DeadLock ransomware uses smart contracts to evade defenders Python libraries in AI/ML models can be poisoned w metadata OpenAI patches déjà vu prompt injection vuln in ChatGPT Fake Windows BSODs check in at Europe's hotels to con staff into running malware Hotel staff tricked into installing malware by bogus BSODs Your car’s web browser may be on the road to cyber ruin China's Ink Dragon hides out in European government networks Browser 'privacy' extensions have eye on your AI, log all your chats NCSC finds cyber deception tools work, if deployed right 10K Docker images spray live cloud creds across the internet 'Botnets in physical form' are top humanoid robot risk 'Botnets in physical form' are top humanoid robot risk Apache warns of 10.0-rated flaw in Tika metadata toolkit Novel clickjacking attack relies on CSS and SVG 'Exploitation is imminent' of max-severity React bug Swiss government bans SaaS and cloud for sensitive info Scattered Lapsus$ Hunters stress testing Zendesk weak spots HashJack attack shows AI browsers can be fooled with '#' New ClickFix attacks use fake Windows Updates to swipe creds Years-old bugs in open source took out major clouds at risk LLM-generated malware improving, but not operational (yet) 3.5B WhatsApp users' info scooped through enumeration flaw 3.5B WhatsApp users' info scooped through enumeration flaw 50k more ASUS routers pwned by evolving Beijing-linked op Overconfidence is the new zero-day as teams stumble through cyber simulations LLM side-channel attack could allow snoops to guess topic Landfall spyware used in 0-day attacks on Samsung phones MIT Sloan shelves paper about AI-driven ransomware Security hole slams Chromium browsers - no fix yet OpenAI Atlas Browser tripped up by malformed URLs Devs of VS Code extensions are leaking secrets en masse Chatbots that butter you up make you worse at conflict Tile trackers leak unencrypted Bluetooth data, say boffins Beijing's RedNovember hacked critical US, global orgs Lazarus RAT code resurfaces in North Korean IT-worker scams Suspected Chinese spies broke into 'numerous' enterprises Deepfaked calls hit 44% of businesses in last year: Gartner Kaspersky: RevengeHotels returns with AI-coded malware Ruh-roh. DDR5 memory vulnerable to new Rowhammer attack HybridPetya ransomware dodges UEFI Secure Boot
Claude's collaboration tools allowed remote code execution
Jessica Lyons Jessica Lyons · 2026-02-26 · via The Register - Security: Research

Research

Claude collaboration tools left the door wide open to remote code execution

Anthropic fixed the flaws – but the AI-enabled attack surfaces remain

Security vulnerabilities in Claude Code could have allowed attackers to remotely execute code on users' machines and steal API keys by injecting malicious configurations into repositories, and then waiting for a developer to clone and open an untrustworthy project.

Check Point Software researchers found and reported all three flaws to Anthropic, which issued fixes for all and CVEs for two. Still, the bug hunters say, the issues illustrate a worrisome supply chain threat as enterprises incorporate AI coding tools like Claude into their development processes and essentially turn configuration files into a new attack surface.

"The ability to execute arbitrary commands through repository-controlled configuration files created severe supply chain risks, where a single malicious commit could compromise any developer working with the affected repository," Check Point researchers Aviv Donenfeld and Oded Vanunu said in a Wednesday report.

Anthropic, the AI company that developed Claude Code, did not respond to The Register's requests for comment.

The three security vulnerabilities stem from Claude's design, which is intended to make it easier for development teams to collaborate. The AI coding tool enables this by embedding project-level configuration files (.claude/settings.json file) directly within repositories, so that when a developer clones a project, they automatically apply the same settings used by their teammates.

Any contributor with commit access can modify these files. The researchers found that cloning and opening a malicious repository sometimes allowed them to bypass built-in safeguards and trigger hidden commands and execute malicious code.

Abusing Hooks for RCE

The first of the three flaws involved abusing Claude's Hooks feature to achieve remote code execution. Hooks are user-defined shell commands that execute at various points in the tool's lifecycle, ensuring that specific, predefined actions run when predetermined conditions are met, instead of allowing the model to choose.

Because Hooks are defined in .claude/settings.json, the repository-controlled configuration file, anyone with commit access can define hooks that will execute shell commands on every other collaborator's machine when they work on the project. Plus, Claude doesn't require any explicit approval before executing these commands – so the researchers abused this mechanism to open a calculator app when someone opened the project.

While a bash script to open a calculator is hardly malicious, it's still remote code execution. And as the team demonstrated in a video: "An attacker could configure the hook to execute any shell command – such as downloading and running a malicious payload" like a reverse shell.

Check Point reported the malicious hooks flaw to Anthropic on July 21, 2025, and the AI maker implemented the final fix about a month later, publishing this GitHub Security Advisory GHSA-ph6w-f82w-28w6 on August 29.

MCP consent bypass bug

The second vulnerability also allows RCE – this time by abusing MCP consent bypass.

Claude integrates with external tools using Model Context Protocol (MCP), and MCP servers can also be configured in the same repository via .mcp.json configuration file. Thanks to the earlier disclosure and Anthropic's fix, the researchers ran into warning prompts explicitly requiring user approval before executing commands in .mcp.json.

So they found a workaround: two repository-controlled configuration settings that could override safeguards and automatically approve all MCP servers.

"Starting Claude Code with this configuration revealed a severe vulnerability: our command executed immediately upon running Claude – before the user could even read the trust dialog," the Check Point duo wrote.

Again, they stuck with the calculator app, but also produced a video demonstrating how this vulnerability can be exploited to remotely execute a reverse shell and completely compromise a victim's machine.

The researchers reported this second vulnerability to Anthropic on September 3, 2025, Anthropic fixed the bypass vulnerability later that month, and published CVE-2025-59536 on October 3.

API key theft

Attackers can exploit the third flaw for API key theft. This one has to do with how Claude used an API key to communicate with Anthropic's services. One variable, ANTHROPIC_BASE_URL, controlled the endpoint for all Claude API communications, and while it's supposed to point to Anthropic's servers, it can be overridden in the project's configuration files to instead point to attacker-controlled servers.

The researchers configured ANTHROPIC_BASE_URL to route through their local proxy, and watched all Claude Code's API traffic in real time. Every one of Claude's calls to Anthropic servers "included the authorization header – our full Anthropic API key, completely exposed in plaintext," they wrote.

An attacker could abuse this trick to redirect traffic and steal a developer's active API key. It's important because the API includes a feature called Workspaces to help developers manage multiple Claude deployments by allowing multiple API keys to share access to the same cloud-based project files. Files are connected to the workspace – not the single key – and any API key belonging to the workspace also has visibility into any of the workspace's stored files.

This gave the researchers the ability to upload files to the shared workspace – but did not allow downloads. According to Claude's documentation, users can only download files created by skills or the code execution tool.

"Since files generated by Claude's code execution tool are marked as downloadable, we explored whether the attacker could simply ask Claude to regenerate an existing file using the stolen API key," Check Point’s Donenfeld and Vanunu wrote. "If successful, this would convert a non-downloadable file into a workspace artifact that is eligible for download."

Cloning and then downloading the file worked, and thus confirmed that a miscreant using a stolen API key could gain complete read and write access to all workspace files: deleting or changing sensitive files or even uploading malicious files to poison the workspace or exceed the 100 GB storage space quota.

Check Point reported the API key extraction bug to Anthropic on October 28, 2025, and the vendor immediately issued a fix. Later, on January 21, Anthropic published CVE-2026-21852.

As the security team noted: "The integration of AI into development workflows brings tremendous productivity benefits, but also introduces new attack surfaces that weren't present in traditional tools." ®