Claude Code Enables Remote Code Execution via New Collaboration Tools

The Register’s investigation shows that three distinct flaws in Claude Code’s collaboration suite could let a malicious actor execute arbitrary commands on any developer who clones a compromised repository, effectively turning a benign configuration file into a supply‑chain weapon. Check Point researchers Aviv Donenfeld and Oded Vanunu demonstrated that the tool’s “Hooks” feature—intended to run user‑defined shell commands at preset lifecycle points—can be injected via the .claude/settings.json file, which any contributor with commit rights can edit. Because Claude applies these settings automatically when a project is opened, the researchers were able to trigger a calculator launch on a victim’s machine without any explicit consent, proving the concept of remote code execution (RCE). The proof‑of‑concept video released by Check Point underscores that the same mechanism could be repurposed to download and run a malicious payload, such as a reverse shell, raising the stakes from a harmless demo to a serious breach vector (The Register).

A second RCE pathway stems from Claude’s Model Context Protocol (MCP) integration, which allows external tools to be configured through a .mcp.json file stored in the same repository. The Check Point team found that, prior to Anthropic’s remediation, an attacker could bypass the user‑approval prompt that normally guards MCP‑driven commands, enabling the execution of arbitrary shell code when the repository is opened. After the vulnerability was disclosed on July 21, 2025, Anthropic issued a fix that now forces explicit consent before any .mcp.json‑defined action runs, and the company published a GitHub Security Advisory (GHSA‑ph6w‑f82w‑28w6) on August 29, 2025 (The Register).

The third flaw, a “MCP consent bypass” bug, also allowed code execution but differed in that it leveraged a misconfiguration in the way Claude validates MCP server settings. Check Point reported that the bug let an attacker embed a malicious server address in .mcp.json, causing the client to connect to a hostile endpoint and execute commands supplied by the attacker. Anthropic’s patch, rolled out alongside the other two fixes, now validates MCP server signatures and enforces stricter origin checks, mitigating the risk of a rogue server hijacking the development workflow (The Register).

Anthropic has not commented directly to The Register, but the company did publish CVE identifiers for two of the three vulnerabilities, signalling formal acknowledgment of the security impact. The rapid issuance of patches—within roughly a month of the initial disclosure—demonstrates Anthropic’s operational responsiveness, yet the episode highlights a broader concern: as AI‑driven coding assistants become embedded in software supply chains, configuration files that were once considered inert now constitute a high‑value attack surface. Check Point’s researchers warn that “a single malicious commit could compromise any developer working with the affected repository,” a scenario that could cascade across enterprises that have adopted Claude Code for collaborative development (The Register).

Industry observers note that the incident arrives at a moment when AI‑assisted development tools are being aggressively marketed as productivity boosters. VentureBeat has reported Anthropic’s push to expand Claude Code into broader enterprise contexts, emphasizing features such as parallel job execution on managed infrastructure (VentureBeat). The Register’s findings suggest that the very mechanisms designed to streamline teamwork—automatic configuration propagation and hook‑based automation—can be weaponized if not rigorously sandboxed. For organizations that have already integrated Claude Code into their CI/CD pipelines, the immediate priority is to audit repository‑level .claude and .mcp configuration files, enforce least‑privilege commit policies, and verify that the latest patches are applied. Failure to do so could expose development teams to the kind of supply‑chain compromise that has historically plagued software ecosystems, now amplified by AI‑enabled tooling.