A security audit of Claude Code confirmed a working remote code execution (RCE) vulnerability - generally treated as the most serious class of software flaw, because it lets an attacker run arbitrary commands on your machine without your consent. The attack path runs through environment variable injection.
Environment variables are named settings that a program inherits from its parent process when it starts. Every terminal session has them. PATH tells the shell which directories to search, in order, when you type a bare command name; HOME points to your home directory. AI coding tools like Claude Code rely on them for API keys, configuration paths, and runtime behavior. Injecting a malicious value into that layer can redirect where the program looks for things - or what it executes, since a tool that calls git or node by name runs whichever file the current PATH resolves first.
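To make the PATH point concrete, here is a short shell walk-through added to this article. It is not code from the page, from Audited.xyz or from Anthropic, and it demonstrates only the generic mechanism (a bare command name resolving to whatever directory PATH lists first), not the specific Claude Code finding, whose details are not given here. The stand-in "git" script and the trusted PATH of /usr/bin:/bin are this example's assumptions.

```shell
#!/bin/sh
# Added illustration of the mechanism described above: a program that invokes a
# tool by bare name ("git") runs whichever file PATH resolves first, so whoever
# controls PATH controls what executes. Generic demo only; it does not
# reproduce the audited Claude Code finding.
set -eu

# Create a throwaway directory holding a stand-in "git" that merely reports
# that it was the one run. Prints the directory path.
make_shadow_dir() {
  dir=$(mktemp -d)
  printf '#!/bin/sh\necho "shadow git ran instead of the real one"\n' > "$dir/git"
  chmod 755 "$dir/git"
  printf '%s\n' "$dir"
}

# Report which executable a bare "git" resolves to under a given PATH (empty if
# none). This mirrors what a child process launched with that PATH would run.
resolve_git() {
  (PATH="$1"; command -v git) || true
}

# Run "git --version" exactly as a tool that trusts PATH would: by bare name,
# under the supplied PATH.
run_git_under_path() {
  (PATH="$1"; git --version 2>&1) || true
}

# Safer pattern: resolve the tool once against a trusted PATH (assumed here to
# be /usr/bin:/bin) so later PATH changes, e.g. from a project's env file,
# cannot redirect it.
pinned_git() {
  (PATH="/usr/bin:/bin"; command -v git) || true
}

# Walk-through: the same bare command name resolves differently under the two
# PATH values. The shadow directory is removed at the end.
shadow_dir=$(make_shadow_dir)
echo "trusted resolution:  $(resolve_git "$PATH")"
echo "poisoned resolution: $(resolve_git "$shadow_dir:$PATH")"
echo "poisoned run:        $(run_git_under_path "$shadow_dir:$PATH")"
echo "pinned resolution:   $(pinned_git)"
rm -rf "$shadow_dir"
```

The poisoned run never touches the real git: the only thing that changed between the two invocations is the first directory in PATH, which is exactly the kind of value a repository-supplied file can set.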
How the Attack Works
Researchers at Audited.xyz found that Claude Code does not adequately sanitize (validate and clean) environment variable inputs before acting on them. A malicious repository, a specially crafted project file, or a compromised package could therefore set environment variables that cause Claude Code to run attacker-controlled commands.
Claude Code operates in your terminal with your user-level permissions. That is intentional - it needs them to edit files, run tests, and install packages. But it also means any command triggered through this vulnerability runs with everything your account can reach: SSH keys, local files, and any cloud credentials exported into the shell environment.
Steps Developers Should Take Now
Be cautious about running Claude Code against repositories you don't fully control. Third-party repos, community forks, and packages arriving via dependencies all expand the attack surface, since any of them can ship the project files or environment settings the tool will read.
Audit which environment variables are active in your terminal sessions before running Claude Code. AWS keys, GitHub tokens, and other service credentials exported into your shell are inherited by every process started from it, the agent and anything it launches included - store them in a secrets manager and inject them only into the specific command that needs them.
As of the audit's publication, Anthropic had not publicly acknowledged or patched this finding. Watch for an official response before treating Claude Code as safe in environments where credential exposure would be damaging.
The broader point is that terminal-based AI coding agents represent a new security category that auditors are only beginning to examine systematically. They're designed to do a lot - read files, write code, execute shell commands - which is precisely what makes unintended execution dangerous. This finding is unlikely to be the last of its kind.