Claude Code Bypasses Developer Deny Rules Silently

Anthropic’s code-writing assistant Claude Code fails to apply developer-configured deny rules for compound commands that exceed a hard-coded 50-subcommand threshold. When that limit is reached, the legacy command parser stops evaluating deny rules and reverts to issuing a generic user prompt; in automated environments the prompt can be auto-approved, enabling silent execution of otherwise-blocked actions.

Claude Code supports deny rules to block risky shell actions (curl, rm, etc.) and trusts repository-provided configuration files such as a CLAUDE.md. To limit compute and UI-blocking costs, a legacy parser enforces a maximum of 50 subcommands when performing safety checks. The parser’s behavior is to short-circuit deny-rule processing after the threshold and to fall back to a permissive prompt flow, effectively nullifying safety policy enforcement for overly long compound command sequences.

Adversa’s red team disclosure and subsequent coverage show a practical attack path: publish a repository with a benign-looking CLAUDE.md that lists 50 harmless build steps, then place a malicious command at position 51. When a developer asks Claude Code to run the build, the assistant generates and executes the long command sequence; deny rules are not evaluated, and credentials (SSH keys, cloud API tokens) can be exfiltrated to an attacker server. Multiple security outlets noted the behavior and reported that a fix exists in Anthropic’s codebase. Coverage clustered in early April 2026.

This is not a theoretical model hallucination — it’s a deterministic parser limit that converts a configured defensive policy into silence. Teams embedding Claude Code into developer tooling, CI/CD pipelines, or automated build agents face elevated risk because automation can auto-accept the fallback prompt. The attack leverages supply-chain-style repo poisoning, a realistic vector for open-source-dependent workflows.

What to do and what to watch