Advisory

Anthropic Claude Code Leak Reveals Critical Command Injection Vulnerabilities

Take action: If you're using Claude Code, update immediately to the latest version and stop using authentication helpers. Instead, set the ANTHROPIC_API_KEY environment variable directly. Also, review any .claude/settings.json changes in pull requests as carefully as code changes, and never run the CLI against untrusted pull requests in CI/CD pipelines.


Learn More

Analysis of Anthropic's leaked Claude Code AI agent revealed three critical command injection vulnerabilities affecting the CLI, agent, and SDK. These flaws allow attackers to run arbitrary commands and steal credentials by exploiting how the tool handles environment variables, file paths, and authentication helpers.

Vulnerabilities summary:

All flaws are collectively reported as CVE-2026-35022 (CVSS score 9.8).

  • VULN-01 - A command injection vulnerability in the command lookup utility that occurs when the tool reads the TERMINAL environment variable. The Node.js runtime path interpolates this variable into a shell command string, allowing attackers to run arbitrary code by placing metacharacters in .env files or CI/CD configs. This flaw requires no user interaction and allows full access to the user's permission set.
  • VULN-02 - A shell injection flaw in the editor invocation subsystem that triggers when processing crafted file paths. The system places file paths inside double quotes within a shell string, but POSIX shell rules still evaluate command substitutions like $() or backticks in this context. Attackers can execute commands by creating files with malicious names in a repository that the user then opens with the CLI.
  • VULN-03 - A command injection vulnerability in the authentication helper subsystem that allows for remote credential exfiltration. The CLI executes helper commands from settings with full shell interpretation and skips trust dialogs in non-interactive mode. This allows attackers to steal AWS, GCP, and Anthropic API keys from CI/CD runners by modifying workspace settings via a pull request.

Successful exploitation allows attackers to move laterally through corporate networks or exfiltrate sensitive environment variables, including cloud IAM roles and deployment keys. Because the authentication helpers run before the agent's security sandbox, they bypass all built-in permission checks and dangerous-pattern blocking. 

In automated environments, these flaws enable Poisoned Pipeline Execution, where a single malicious pull request can compromise an entire software supply chain.

The vulnerabilities affect CLI version 0.2.87 and Claude Code version 2.1.87.

Users should immediately stop using authentication helpers and instead set the ANTHROPIC_API_KEY environment variable directly to bypass the vulnerable execution path. 

Security teams should audit CI/CD pipelines to ensure the CLI does not run against untrusted pull requests or fork-contributed workspaces in non-interactive mode. Anthropic recommends that developers review .claude/settings.json changes with the same level of scrutiny as code changes. Future updates should replace shell-string execution with argv-based process spawning and implement strict metacharacter rejection for all configuration-sourced strings.
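
The difference between shell-string execution and argv-based spawning, together with a strict metacharacter check for configuration-sourced strings, is shown in the following added example. It is not Anthropic's code: the function names, the sample path, the rejection pattern, and the use of `printf` as a stand-in for the editor or helper binary are all assumptions made for illustration.

```javascript
// Added illustration; function names and sample values are constructed.
const { execSync, execFileSync } = require("node:child_process");

// `printf` stands in for the editor or helper binary so we can see
// exactly which argument the child process receives.

// Pattern the advisory warns about: a value interpolated into a shell string.
// Double quotes do not stop $() or backtick substitution.
function viaShellString(filePath) {
  return execSync(`printf '%s' "${filePath}"`, { encoding: "utf8" });
}

// argv-based spawning: no shell parses the value, so it arrives verbatim.
function viaArgv(filePath) {
  return execFileSync("printf", ["%s", filePath], { encoding: "utf8" });
}

// Strict rejection for configuration-sourced strings (assumed policy:
// refuse anything containing shell metacharacters or control characters).
const SHELL_META = /[`$(){}\[\]<>|&;*?!~#'"\\\x00-\x1f]/;
function assertNoShellMeta(name, value) {
  if (typeof value !== "string" || SHELL_META.test(value)) {
    throw new Error(`${name}: rejected, contains shell metacharacters`);
  }
  return value;
}

// Constructed, harmless sample: the substitution only echoes a marker.
const SAMPLE_PATH = "notes-$(echo SUBSTITUTED).txt";

function demo() {
  let rejected = false;
  try { assertNoShellMeta("TERMINAL", "xterm; echo SUBSTITUTED"); }
  catch { rejected = true; }
  return {
    shellString: viaShellString(SAMPLE_PATH), // "notes-SUBSTITUTED.txt"
    argv: viaArgv(SAMPLE_PATH),               // "notes-$(echo SUBSTITUTED).txt"
    rejected,                                 // true
    accepted: assertNoShellMeta("TERMINAL", "xterm-256color"),
  };
}

console.log(demo());
```

The shell-string call returns a file name in which the substitution has already been evaluated, while the argv call hands the child process the literal name.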
