Overview
- Check Point Research publicly detailed how Hooks, MCP settings, and environment variables in Claude Code let attackers run shell commands or siphon Anthropic API keys when developers opened untrusted repositories.
- Anthropic patched the issues and issued advisories, including CVE-2025-59536 for an MCP consent-bypass RCE and CVE-2026-21852 for API key disclosure, with fixes landing in versions 1.0.111 and 2.0.65 respectively.
- The researchers showed that overriding ANTHROPIC_BASE_URL could redirect API traffic to attacker endpoints before any trust prompt appeared, exposing plaintext API keys during initial project load.
- Stolen keys could grant read and write access within shared Workspaces, enabling file uploads or deletions, data poisoning, and potential cost or storage exhaustion beyond a single developer’s machine.
- Anthropic tightened trust prompts, blocked external tool execution, and restricted API calls until user approval, and vendors and developers are being urged to update affected releases and treat repo-level settings as executable risk.