This post is also available in:
עברית (Hebrew)
AI-powered coding assistants are designed to streamline development, automating repetitive tasks and executing commands directly from the terminal. But new research shows that this convenience can also introduce a serious security gap — one that turns a simple project download into a potential breach.
Security researchers have identified critical vulnerabilities in Claude Code, a widely used command-line AI coding assistant, that allowed remote code execution and credential theft without meaningful user consent. According to Cyber News, a developer only needed to open a specially crafted repository for the attack chain to begin.
The issue centers on repository-level configuration files. These files are commonly used to define automated triggers, integrations, environment variables and other collaboration settings. Traditionally treated as passive metadata, they are now interpreted by AI development tools as operational instructions.
Researchers demonstrated that attackers could embed malicious shell commands inside these configuration files. When a developer launched Claude Code in a compromised project directory, the assistant executed those hidden instructions automatically. In one case, a flaw identified as CVE-2025-59536 (severity score 8.7/10) enabled code execution before the user had approved the startup trust dialog. Another vulnerability, CVE-2026-21852 (5.3/10), made it possible to redirect API requests to attacker-controlled servers, exposing API keys.
In testing, the exploit led to the extraction of API credentials and access to private files on the local workstation. The potential impact extends further: stolen API keys could allow attackers to access shared cloud environments, manipulate stored data, inject malicious content or generate unexpected operational costs.
The broader concern lies in how AI-driven development tools reinterpret configuration text. What was once inert project metadata can now influence execution logic, permissions and network communication. This effectively expands the software supply chain to include automation layers surrounding the source code itself.
For defense, government and critical infrastructure organizations increasingly relying on AI-assisted development, the implications are clear. Opening an untrusted repository may now carry risks comparable to executing unverified code. The vulnerabilities have been patched through automatic updates, and users are advised to ensure they are running the latest version.
