CVE-2026-21852 (critical)

Claude Code API Key Theft via Malicious Repo — Zero Interaction Required

claude-code, mcp, api-key-theft, agentic-security

Disclosed alongside CVE-2025-59536 by Check Point Research, this vulnerability enables complete API credential theft the moment a developer opens a malicious repository in Claude Code — before any user interaction or trust confirmation.

A targeted repository configuration redirects all of Claude Code's API traffic — including the full authorization header containing the active API key — to an attacker-controlled server. This happens at tool initialization, before the developer sees any prompt or dialog about the project's trustworthiness.

A stolen Anthropic API key is not merely a billing liability. Anthropic's Workspaces feature means a single stolen key can expose all cloud-based project files shared under the same workspace, giving attackers access to an organization's entire Claude-assisted codebase, conversation history, and system prompts. Combined with CVE-2025-59536, a single git clone followed by opening the directory is sufficient for full credential exfiltration.

Immediate recommendation: Rotate any Anthropic API keys used in developer environments where untrusted repositories were opened with Claude Code, and audit Workspace membership to assess the blast radius of any exposed key.