Anthropic’s Claude Code trust bypass exposed

Classic configuration bugs can still punch through the fanciest AI tooling.

• –The flaw wasn’t a prompt injection or model failure; it was a trust-boundary mistake in how repository settings were loaded.
• –A malicious repo could silently push Claude Code into a permissive mode before the user had a chance to approve the workspace.
• –This is a good reminder that agentic coding tools inherit all the old-school security problems of CLIs, IDEs, and package managers.
• –For teams adopting AI devtools, version pinning and repo hygiene are as important as the model itself.