{"id":3812,"date":"2026-04-09T12:13:22","date_gmt":"2026-04-09T12:13:22","guid":{"rendered":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/04\/09\/layerx-anthropics-claude-code-can-easily-be-easily-weaponized\/"},"modified":"2026-04-09T12:13:22","modified_gmt":"2026-04-09T12:13:22","slug":"layerx-anthropics-claude-code-can-easily-be-easily-weaponized","status":"publish","type":"post","link":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/2026\/04\/09\/layerx-anthropics-claude-code-can-easily-be-easily-weaponized\/","title":{"rendered":"LayerX: Anthropic\u2019s Claude Code Can Easily Be Easily Weaponized"},"content":{"rendered":"<div><img data-opt-id=1179980539  fetchpriority=\"high\" decoding=\"async\" width=\"770\" height=\"329\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2022\/02\/coding-gb646cb77a_1280-e1644931732205.jpg\" class=\"attachment-large size-large wp-post-image\" alt=\"AI coding, teams, vibecoding, shadow, vibecoding vibe, coding, GitHub, agents, Gemini, Canvas, Gemini, code, Augment Code, code, kernel compliance-as-code software secure software Terraform infrastructure\" \/><\/div>\n<p><img data-opt-id=536178619  fetchpriority=\"high\" decoding=\"async\" width=\"150\" height=\"150\" src=\"https:\/\/devops.com\/wp-content\/uploads\/2022\/02\/coding-gb646cb77a_1280-e1644931732205-150x150.jpg\" class=\"attachment-thumbnail size-thumbnail wp-post-image\" alt=\"AI coding, teams, vibecoding, shadow, vibecoding vibe, coding, GitHub, agents, Gemini, Canvas, Gemini, code, Augment Code, code, kernel compliance-as-code software secure software Terraform infrastructure\" \/><\/p>\n<p>Like other AI model vendors, Anthropic relies on guardrails to ensure that its Claude family of models can\u2019t be abused by bad actors to bypass those security protections and take actions that go against them.<\/p>\n<p>However, researchers with LayerX found that the <a href=\"https:\/\/devops.com\/claude-code-quota-limits-usage-problems\/\" 
target=\"_blank\" rel=\"noopener\">protections for Claude Code<\/a>, Anthropic\u2019s popular coding tool used by more than 115,000 developers, can easily be hacked, turning it \u201cfrom a \u2018vibe\u2019 coding tool into a nation-state-level offensive hacking tool that can be used to hack websites, launch cyberattacks, and research new vulnerabilities,\u201d Roy Paz, principal security researcher for the AI and browser security company, <a href=\"https:\/\/layerxsecurity.com\/blog\/vibe-hacking-claude-code-can-be-turned-into-a-nation-state-level-attack-tool-with-no-coding-at-all\/\" target=\"_blank\" rel=\"noopener\">wrote in a report<\/a>.<\/p>\n<p>\u201cOur research demonstrates how trivially easy it is to convince Claude Code to abandon its safety guardrails and remove its restrictions on what it is allowed to do,\u201d Paz wrote.<\/p>\n<p>Hackers don\u2019t need a deep understanding of cybersecurity or software development, he wrote. They can make Claude Code into a weapon by using an account for the AI model, saving them the effort needed to create a botnet.<\/p>\n<h3>In the Shadow of Mythos Preview<\/h3>\n<p>LayerX\u2019s report comes against the backdrop of Anthropic saying a day earlier that it would not make its latest frontier AI model, Claude Mythos Preview, widely available because its advanced capabilities in detecting and remediating software vulnerabilities, coding, and reasoning would make it a formidable weapon in the hands of bad actors. It is also the foundation of <a href=\"https:\/\/securityboulevard.com\/2026\/04\/anthropic-unveils-restricted-ai-cyber-model-in-unprecedented-industry-alliance\/\" target=\"_blank\" rel=\"noopener\">Anthropic\u2019s new Project Glasswing<\/a>, which will focus on improving cybersecurity in software.<\/p>\n<p>Now comes LayerX\u2019s report about Claude Code. 
A key issue in this case is trust.<\/p>\n<p>\u201cAnthropic inherently trusts the developers who use Claude Code, and for good reason: The vast majority of them are doing exactly what they should be doing,\u201d Paz wrote. \u201cBut this trust can be exploited, and a bad actor with a good understanding of Claude Code can convince it to take actions that would otherwise be refused unconditionally.\u201d<\/p>\n<h3>Developers Need Autonomous Tools<\/h3>\n<p>There are features in Claude Code that make it vulnerable to the type of attack described by LayerX. Many AI tools run in browsers. However, Claude Code runs on a developer\u2019s local machine in a terminal, integrated development environment (IDE), or desktop application. It\u2019s also an agentic tool \u2013 it is designed to run jobs independently with minimal human interaction.<\/p>\n<p>\u201cA developer can describe a project goal (\u2018Find the bug that\u2019s causing this error, see if it exists anywhere else in our code base, and fix it.\u2019), and Claude Code will then kick off a series of commands and actions with little to no user intervention,\u201d Paz wrote.<\/p>\n<p>Also, with Claude Code, system prompts are put in the CLAUDE.md file. It\u2019s a configuration file kept in the model\u2019s root directory and essentially is a permanent instruction manual running in the project\u2019s background. It\u2019s kept in the code repository and included whenever a project is cloned, so anyone with write permissions can edit the file for a project.<\/p>\n<p>\u201cInstead of re-typing that context every time, a developer can simply place it in the\u00a0CLAUDE.md\u00a0file,\u201d he wrote. \u201cIt will live indefinitely, and most likely remain unchanged throughout the project\u2019s life. This unremarkable file is suddenly an attack surface.\u201d<\/p>\n<h3>Broader Permissions<\/h3>\n<p>Like other Anthropic models, Claude Code comes with guardrails. 
However, Claude Code comes with a wider set of permissions for developers who need it to work autonomously. It\u2019s more useful with such permissions, but they also open it up to exploitation.<\/p>\n<p>LayerX researchers were able to direct Claude Code to bypass guardrails and automatically attack a test app. They did this by telling Claude Code that they were running a test against their own site and had permission to do everything that was asked. Through this technique, they were able to convince the coding model to create and execute SQLi commands and cURL requests and to dump the database of usernames and passwords.<\/p>\n<p>The researchers also convinced Claude to share a malicious public repository, and were able to quietly modify an existing CLAUDE.md file, with the change not being flagged because no one treats the file as sensitive.<\/p>\n<p>\u201cFrom then on, every developer who uses Claude Code on the project inherits the malicious instructions without knowing it,\u201d he wrote.<\/p>\n<h3>Any User is Vulnerable<\/h3>\n<p>Paz added that every development team that uses Claude Code is vulnerable because CLAUDE.md is part of every project in the coding model.<\/p>\n<p>\u201cUntil now [it] has been generally ignored by both developers and security practitioners,\u201d he wrote. \u201cAnd yes, this includes the security teams whose job is to\u00a0<em>mis<\/em>trust.\u201d<\/p>\n<p>Paz wrote that LayerX submitted its finding through Anthropic\u2019s HackerOne program, but that the AI vendor closed the report and referred them to a different Anthropic reporting program. 
Messages sent to other email accounts in Anthropic\u2019s message were not answered.<\/p>\n<p>DevOps has reached out to Anthropic for comment and will update the story when the company responds.<\/p>\n<p><a href=\"https:\/\/devops.com\/layerx-anthropics-claude-code-can-easily-be-easily-weaponized\/\" target=\"_blank\" class=\"feedzy-rss-link-icon\">Read More<\/a><\/p>\n<p>\u200b<\/p>","protected":false},"excerpt":{"rendered":"<p>Like other AI model vendors, Anthropic relies on guardrails to ensure that its Claude family of models can\u2019t be abused [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":3813,"comment_status":"","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"site-sidebar-layout":"default","site-content-layout":"","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"var(--ast-global-color-4)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-opacity":"","overlay-gradient":""}},"footnotes":""},"categories":[5],"tags":[],"class_list":["post-3812","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-devops"],"_links":{"self":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3812","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/comments?post=3812"}],"version-history":[{"count":0,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/posts\/3812\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media\/3813"}],"wp:attachment":[{"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/media?parent=3812"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/categories?post=3812"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/rssfeedtelegrambot.bnaya.co.il\/index.php\/wp-json\/wp\/v2\/tags?post=3812"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}