Caught in the Hook RCE and API Token Exfiltration Through Cl...

[carlospolop]

🤖 Automated Content Update

This PR was automatically generated by the HackTricks News Bot based on a technical blog post.

📝 Source Information

• Blog URL: https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/
• Blog Title: Caught in the Hook: RCE and API Token Exfiltration Through Claude Code Project Files (CVE-2025-59536, CVE-2026-21852)
• Suggested Section: 🤖 AI Security (add a page on AI CLI/agent supply-chain attacks via repo-controlled config: hooks/MCP consent bypass + endpoint/env var secret exfiltration) or 🤩 Generic Methodologies & Resources -> External Recon/Source Code Review (repo configuration poisoning / workspace trust model)

🎯 Content Summary

Title/Context: Check Point Research analyzed Anthropic’s Claude Code (AI CLI dev agent) and found that repository-embedded configuration files can be weaponized as a supply-chain attack: a victim only needs to clone/open an untrusted repo and run claude. Because Claude Code supports project-level config in .claude/settings.json (inside the repo) and MCP server config in .mcp.json🔧 Technical Details

Repo-defined lifecycle hooks → silent shell execution: If a developer tool supports lifecycle Hooks defined in a repository file (e.g., .claude/settings.json) and those Hooks execute shell commands (e.g., on SessionStart) without a per-command approval gate, an attacker can land supply-chain RCE by committing a hook that runs arbitrary OS commands when collaborators start the tool (e.g., swapping a benign open -na Calculator with a payload download-and-exec / reverse shell).

Consent bypass by making “auto-approval” settings repo-controlled (MCP): If a tool executes project-defined integration/server initialization commands (e.g., MCP servers from .mcp.json), any setting that auto-enables/whitelists those integrations (e.g., enableAllProjectMcpServers, enabledMcpjsonServers) must not be controllable by untrusted repository config. If it is, an attacker can forc...

🤖 Agent Actions

Updated HackTricks with a new section covering Claude Code repo-controlled configuration poisoning and added the blog reference.

Changes

• Added a concise technique-focused section on repo-controlled Hooks/MCP consent bypass/base URL exfiltration and workspace file “regeneration” abuse, plus technical controls.
• Appended the Check Point Research blog to references.

File modified

• src/generic-methodologies-and-resources/phishing-methodology/ai-agent-abuse-local-ai-cli-tools-and-mcp.md

Tests

• Not run (docs-only change).

If you want, I can also cross-link this section from src/AI/AI-MCP-Servers.md or tighten the defensive controls further.

---

This PR was automatically created by the HackTricks Feed Bot. Please review the changes carefully before merging.

[carlospolop]

🔗 Additional Context

Original Blog Post: https://research.checkpoint.com/2026/rce-and-api-token-exfiltration-through-claude-code-project-files-cve-2025-59536/

Content Categories: Based on the analysis, this content was categorized under "🤖 AI Security (add a page on AI CLI/agent supply-chain attacks via repo-controlled config: hooks/MCP consent bypass + endpoint/env var secret exfiltration) or 🤩 Generic Methodologies & Resources -> External Recon/Source Code Review (repo configuration poisoning / workspace trust model)".

Repository Maintenance:

• MD Files Formatting: 949 files processed

Review Notes:

• This content was automatically processed and may require human review for accuracy
• Check that the placement within the repository structure is appropriate
• Verify that all technical details are correct and up-to-date
• All .md files have been checked for proper formatting (headers, includes, etc.)

Bot Version: HackTricks News Bot v1.0

[carlospolop]

merge