Anthropic under scrutiny after Claude tool leaks code, keys

Anthropic is under scrutiny after security researchers found multiple vulnerabilities in Claude Code that allowed remote code execution, theft of API keys and the accidental publication of roughly 512,000 lines of internal source code.

Four independent research teams concluded the issues stem from an architectural error in how Claude’s developer tooling trusts user-supplied commands across several product surfaces. In January 2026, a flaw tracked as CVE-2026-21852 showed a malicious repository could trigger API key leakage from Claude Code; Anthropic issued a patch in version 2.0.65. In March 2026 Anthropic unintentionally published about 512,000 lines of Claude Code’s internal source via an npm package. Additional disclosures described paths that could allow full remote code execution on systems using the tool.

The technical problems involve how Claude Code processes external inputs and how different interfaces accept and act on user commands. Researchers reported that those trust boundaries created blind spots that attackers could exploit to run arbitrary code and extract credentials.

Researchers also raised governance concerns about Anthropic’s Mythos-class vulnerability scanners. Those scanners can target any codebase, and researchers flagged gaps in policies that govern their use, including a lack of clear rules about permissible targets and oversight that could permit unauthorized review of external code.

Separately, customers and researchers reported declines in Claude’s model quality after recent system changes. Developers described more forgetful and repetitive responses that affected coding workflows and tooling reliability.

Security teams warned that the public availability of internal source code could enable attackers to identify further exploitation paths that bypass existing fixes. They recommended that organizations using Claude Code audit credential exposure and review any work performed on versions released before 2.0.65.

Anthropic applied the January patch and has removed the published npm package. The disclosures unfolded over several months and prompted calls for audits of credential practices and clearer governance for internal scanning tools.