Anthropic Leak Exposes Claude Code Command Injection

Anthropic's leaked Claude Code source map exposed the full client-side agent and revealed three critical command injection vulnerabilities, collectively tracked as CVE-2026-35022 with a CVSS 9.8 rating. The flaws let attackers execute arbitrary shell commands via manipulated environment variables, crafted file paths, and malicious authentication helper settings, enabling credential exfiltration from developer machines and CI/CD runners. The leak has been widely mirrored after the 59.8 MB @anthropic-ai/claude-code package exposure, increasing the risk that threat actors will weaponize the code or craft lure repositories. Immediate mitigations: update Claude Code to the patched release, stop using authentication helpers, set ANTHROPIC_API_KEY directly in environments, review .claude/settings.json changes in PRs, and avoid running the CLI against untrusted repositories or in CI without strict isolation.
What happened
Anthropic's internal Claude Code client was accidentally exposed when a 59.8 MB JavaScript source map in the npm package @anthropic-ai/claude-code revealed roughly 513,000 lines across 1,906 files. Public analysis of the leak found three critical command injection vulnerabilities, collectively cataloged as CVE-2026-35022 with a CVSS score of 9.8. The code base was downloaded from Anthropic's Cloudflare R2 bucket, mirrored on GitHub, and forked widely, creating a broad attack surface for both automated scanners and manual adversary work.
Technical details
The three distinct vulnerabilities target how the CLI, agent, and SDK construct and invoke shell commands and authentication helpers. Key points for practitioners:
- VULN-01: A command lookup utility interpolates the TERMINAL environment variable into a shell command string, enabling arbitrary command execution without user interaction when attackers inject shell metacharacters into .env files or CI/CD configs.
- VULN-02: The editor invocation subsystem places file paths inside a shell string with double quotes, but POSIX still evaluates $(...) and backticks inside double quotes. A repository containing files with crafted names can cause the CLI to execute injected commands when those files are opened.
- VULN-03: The authentication helper subsystem executes configured helper commands with full shell interpretation and skips trust dialogs in non-interactive environments. Attackers can slip a malicious helper into workspace settings via a pull request and exfiltrate AWS, GCP, or Anthropic API keys from CI/CD runners or developer machines.
Context and significance
The combination of an accidental full-source exposure and multiple high-severity command injection vectors makes this different from a routine bug patch. The leaked codebase gives defenders and adversaries the same level of insight into internal command construction, default behaviors, and edge-case handling. ThreatLabz at Zscaler documented active abuse patterns, including lure repositories distributing known malware families such as Vidar and Ghostsocks that weaponize the leak. The mass mirroring and rapid forking on GitHub mean malicious modifications can spread and be mistaken for legitimate community forks.
Immediate mitigations and recommendations
Practitioners should assume compromise is feasible and respond on two fronts: remediation and containment. Prioritize patching to the latest Claude Code release and remove usage of authentication helper chains. Use ANTHROPIC_API_KEY set in environment variables or secure vaults instead of helper processes. Audit and treat .claude/settings.json changes like code changes in PR reviews. Never run Claude Code CLI with shell/tool access against untrusted repositories or inside CI runners without strict sandboxing and ephemeral credentials. Implement Zero Trust developer workstation controls, network egress restrictions, and telemetry to detect unexpected shell invocations or outbound connections.
What to watch
Monitor Anthropic's official patches and advisories, GitHub mirrors for malicious pull requests or packages, and vendor telemetry for post-exploitation indicators such as credential leakage attempts or suspicious helper executions. Expect coordinated attempts to weaponize the leak through lure repositories and npm typosquats; defensive controls should prioritize blocking and detection of such supply-chain vectors.
Scoring Rationale
The vulnerabilities are high-severity (CVE-2026-35022, CVSS 9.8) and the source leak has been widely mirrored, increasing exploitation risk. The story is highly relevant to developer security and CI/CD hygiene. Because the leak and initial analyses began earlier in April, subtract a freshness penalty.


