What is the Claude Code vulnerability exactly?

It's a bypass in the permission system: over 50 subcommands skips deny rules silently, letting hidden malice run via prompt-injected pipelines.

How did the Claude Code source leak happen?

Accidental npm upload with debugging sourcemap, de-obfuscating 512k lines of TypeScript — now public forever, minus weights.

Can I still safely use Claude Code?

Yes, with caveats: vet repos, tighten denies, watch for odd 'ask' prompts on big chains — patch incoming, hopefully.

🦠 Ransomware & Malware

Claude Code's 50-Command Cap: The Bypass That Unlocks Your Dev Machine

Anthropic's Claude Code hit a double whammy: a source leak followed by a permission system flaw that skips deny rules entirely. Developers, your SSH keys might be next if you're not careful.

Threat Digest Apr 03, 2026 4 min read 12 views

Code snippet showing Claude Code permission bypass via subcommand overflow

⚡ Key Takeaways

Source leak exposed Claude Code blueprint but no core IP; enables mimicry attacks. 𝕏
Critical vuln bypasses deny rules via 50-subcommand cap, risking credential theft from malicious repos. 𝕏
Architectural lesson: Performance tweaks undermine agent security; proactive verification needed next. 𝕏

Published by

Threat Digest

Threat intelligence. Zero noise.

#AI agent security #Anthropic leak #Anthropic source leak #Claude Code vulnerability #permission bypass #prompt injection

Worth sharing?

Get the best Cybersecurity stories of the week in your inbox — no noise, no spam.

Originally reported by SecurityWeek

⚡ Key Takeaways

The 60-Second TL;DR

Threat Digest

Share this article

Worth sharing?

Related Stories

GCP Vertex AI's Hidden Trap: How AI Agents Become Corporate Double Agents

Meta Safety Boss Races to Stop OpenClaw from Wiping Her Inbox

Agentic AI Agents Are Poised to Hijack Your Holiday Gift Cards

ChatGPT's One-Prompt Data Heist: Your Secrets Just Got Leaky

Stay in the loop