Critical Claude Code Vulnerability Found: Opening Projects Executes Hacker's Commands

Security researchers discovered a critical vulnerability in Claude Code that lets attackers automatically execute malicious commands through crafted project files.

Security researchers have discovered a critical vulnerability in Claude Code: by crafting malicious project files, an attacker can have arbitrary commands execute automatically when a user opens the project. The vulnerability has since been patched.

Vulnerability Details

According to CyberNews, this security vulnerability was discovered on March 4, 2026. An attacker can create a malicious project that automatically executes preset malicious commands when a user opens it with Claude Code.

This means attackers can:

Execute code remotely without the user's knowledge

Steal sensitive user data

Gain control over the system

Impact Scope

Claude Code is an AI programming assistant launched by Anthropic and is widely used in the developer community. This vulnerability affected a broad range of users.

Fortunately, Anthropic quickly patched the vulnerability after receiving the report and released a security update.

Security Recommendations

Security experts recommend users take the following steps:

Ensure you are using the latest version of Claude Code

Be cautious when opening project files from unknown sources

Regularly check for security updates

Use sandbox environments when handling suspicious projects

This is another recent AI tool security incident, a reminder that while we enjoy the convenience AI brings, we also need to pay attention to security.

Reference: CyberNews, The Register