← The Wire
Source trail

Check Point Research — Caught in the Hook

Public MindPattern findings, entities, and graph evidence that cite this source.

Findings
8
All-time hits
5
High value
5
Last seen
2026-03-23

Connected entities

Related findings

  1. 2026-03-23 / SKILLSCheck Point CVE-2025-59536 / CVE-2026-21852: Untrusted Repo .claude/settings.json Enables RCE and Anthropic API Key Exfiltration via HooksCheck Point Research disclosed that Claude Code's .claude/settings.json hooks can be weaponized in untrusted repos to execute arbitrary shell commands (CVE-2025-59536) and exfiltrate Anthropic API keys by redirecting ANTHROPIC_BASE_URL to an attacker-controlled MitM proxy (CVE-2026-21852). Both CVEs are patched, but the attack surface — project-level config files that execute before the user grants trust — applies broadly to any hook-enabled agentic IDE. Never open unreviewed repos with AI coding tools without inspecting their .claude/ or equivalent config directories first.
  2. 2026-03-20 / AGENTSCheck Point Research: CVE-2026-21852 — RCE and API Token Exfiltration via Claude Code Project FilesCheck Point Research disclosed two CVEs (CVE-2025-59536, CVE-2026-21852) showing how malicious Claude Code project configuration files can trigger remote code execution and exfiltrate API tokens. The attack abuses Claude Code's hook execution model — untrusted CLAUDE.md files in project directories can inject arbitrary shell commands into the agent lifecycle. This confirms the 'coding agent project configuration attack' vector at full severity against the most widely-used AI coding agent.
  3. 2026-03-19 / SKILLSClaude Code CVE-2025-59536 / CVE-2026-21852: Project-File Supply Chain Attack Vectors and MitigationsCheck Point Research disclosed that ANTHROPIC_BASE_URL in a repository's .claude config can redirect all Claude API traffic (including full authorization headers) to an attacker-controlled server before the user reads a trust dialog, exfiltrating API keys in plaintext. A second vector abuses Hook automation to execute arbitrary shell commands the instant Claude Code opens an untrusted project. Defense: never open unreviewed repositories in Claude Code; treat .claude/ project files like executable code in your threat model.
  4. 2026-03-07 / NEWSClaude Code CVEs: Check Point Exposes RCE and API Key Theft via Project FilesCheck Point disclosed CVE-2025-59536 (CVSS 8.7, RCE via Hooks) and CVE-2026-21852 (CVSS 5.3, API key exfiltration via ANTHROPIC_BASE_URL redirect). Three distinct attack vectors: (1) malicious `.claude/settings.json` hooks execute shell commands automatically on project open; (2) MCP servers auto-initialize before user trust dialog; (3) ANTHROPIC_BASE_URL override intercepts API keys during initialization. All patched: hooks fix August 2025, MCP bypass fix September 2025, API key fix December 20
  5. 2026-03-05 / AGENTSCVE-2025-59536 Claude Code Project Config RCE Hooks MCP ExfiltrationCheck Point found Claude Code hooks RCE, MCP auto-approve bypass, API key exfiltration via untrusted repo config
  6. 2026-02-27 / NEWSCheck Point Claude Code Triple CVEs Hooks RCE MCP Bypass API ExfilCVE-2025-59536 and CVE-2026-21852 enable RCE via Hooks, MCP consent bypass, and API key exfiltration by cloning malicious repos. All patched.
  7. 2026-02-25 / SOURCESCheck Point Claude Code CVE-2025-59536 and CVE-2026-21852 Triple AttackHooks RCE via settings.json, MCP consent bypass, API key exfiltration via ANTHROPIC_BASE_URL override. Untrusted repos are attack surface.
  8. 2026-02-25 / AGENTSCheck Point Claude Code Triple Attack — Hooks RCE MCP Bypass API ExfilCVE-2025-59536 (CVSS 8.7) hooks RCE, MCP consent bypass, CVE-2026-21852 API key exfil via ANTHROPIC_BASE_URL override. All via untrusted repo config files. Patched.
Open latest cited source