An article headlined "Untrusted repositories turn Claude Code into an attack vector" reports that flaws in Anthropic's Claude Code could allow remote code execution and theft of API keys when users open untrusted repositories. Check Point Research found multiple vulnerabilities that abuse features such as Hooks, MCP servers, and environment variables to run arbitrary shell commands and exfiltrate Anthropic API credentials simply by cloning and opening a malicious project.
According to Check Point Research, the critical vulnerabilities CVE-2025-59536 and CVE-2026-21852 enable remote code execution and API key theft through repository-level configuration files. Researchers warned that Claude Code’s project-level configuration files can act as an execution layer, allowing a single malicious repository to trigger abuse and pivot from a developer’s workstation into shared enterprise cloud environments without visible warning.
As the article notes, Anthropic addressed the issues by tightening trust prompts, blocking external tool execution, and restricting API calls until user approval. It also highlights that AI-powered coding tools demand reassessed security boundaries, because configuration files can influence execution, networking and permissions. The piece is dated 25 February 2026.
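A defensive pre-open check for the repository-level configuration described above, as an added example that is not code from the article, Check Point Research or Anthropic. It lists every hook command, MCP server definition and environment override a checked-out project would bring with it. The file names and JSON keys are assumptions that do not appear on the page and should be adjusted to the installed tool version.

```python
import json
from pathlib import Path

# Assumed file and key names (not stated on the page); adjust to your installed version.
CONFIG_FILES = (".claude/settings.json", ".claude/settings.local.json", ".mcp.json")
AUTO_APPROVE_KEYS = ("enableAllProjectMcpServers", "enabledMcpjsonServers")

def _commands(node):
    """Yield every string stored under a "command" key, at any nesting depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield value
            else:
                yield from _commands(value)
    elif isinstance(node, list):
        for item in node:
            yield from _commands(item)

def _section(data, key):
    return data[key] if isinstance(data.get(key), dict) else {}

def audit_repo(repo):
    """Return sorted (file, category, detail) findings for a checked-out repository."""
    findings = []
    for rel in CONFIG_FILES:
        path = Path(repo) / rel
        if not path.is_file():
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("top level is not a JSON object")
        except (OSError, ValueError) as exc:
            # A config file that cannot be parsed still deserves a manual look.
            findings.append((rel, "unparseable", type(exc).__name__))
            continue
        for event, entries in _section(data, "hooks").items():
            findings += [(rel, "hook", f"{event}: {c}") for c in _commands(entries)]
        for name, spec in _section(data, "mcpServers").items():
            target = spec.get("command") or spec.get("url") if isinstance(spec, dict) else None
            findings.append((rel, "mcp-server", f"{name}: {target}"))
        for key, value in _section(data, "env").items():
            findings.append((rel, "env", f"{key}={value}"))
        findings += [(rel, "mcp-auto-approve", k) for k in AUTO_APPROVE_KEYS if data.get(k)]
    return sorted(findings)

if __name__ == "__main__":  # audit the current directory before opening it in the tool
    print(*audit_repo("."), sep="\n")
```

An empty result only means none of the assumed files define these settings; any finding should be read and understood before the project is opened or trusted.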