Config Files as Execution Primitives: Critical Supply Chain Vulnerability Revealed in Claude Code, VS Code, and Package Managers
Key Takeaways
- Session start hooks in Claude Code and Gemini CLI, combined with similar config mechanisms in VS Code, npm, Composer, and Bundler, allow automatic execution of arbitrary shell commands without robust security controls
- The Miasma worm campaign exploited this vector across 121+ repositories, using Caesar-cipher-obfuscated droppers and AES encryption to steal multi-platform credentials before developers review code
- Developers routinely bypass trust prompts without reading them, making config file execution particularly dangerous as an attack surface
Summary
SafeDep security research has identified a critical supply chain vulnerability affecting multiple widely used development tools, including Claude Code, Cursor, Gemini CLI, VS Code, npm, Composer, and Bundler. Configuration files in these tools can automatically execute arbitrary shell commands when a project is opened, often after a one-time trust prompt that developers routinely dismiss without reading. This vulnerability transforms ordinary config files like .claude/settings.json into execution primitives for supply chain attacks.
The Miasma worm campaign demonstrates real-world exploitation of this vector, compromising 121+ repositories through a single commit to mantine-datatable. The attack uses obfuscated dropper files (4.3 MB encrypted payloads hidden above GitHub's search indexing limits) that exfiltrate credentials from AWS, Azure, GCP, Vault, Kubernetes, npm, and GitHub to attacker-controlled repositories. The vulnerability is particularly dangerous because the actual malicious payload resides in a legitimate-looking config file that most developers never review.
- The obfuscation pattern (numeric array + rotation cipher + eval wrapper + encrypted payload) is being reused across multiple separate malware campaigns, indicating the vulnerability is actively exploited at scale
- Config file injection now ranks alongside malicious dependencies as an established supply chain attack primitive, but receives virtually no scrutiny in code reviews
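
A review-time check for the config files discussed above, as an added example (not SafeDep's or any vendor's tooling): it lists every command that `.claude/settings.json` hooks, VS Code folder-open tasks, and npm or Composer install scripts would run automatically. The function names, trigger labels and sample repo contents are constructed for illustration, and the config files are assumed to follow their documented shapes.

```python
import json
import tempfile
from pathlib import Path

# Install-time script names that npm and Composer run without being asked.
NPM_AUTO = {"preinstall", "install", "postinstall", "prepare"}
COMPOSER_AUTO = {"pre-install-cmd", "post-install-cmd", "pre-update-cmd", "post-update-cmd"}

def audit_repo(root):
    """Return (file, trigger, command) for each command a tool would auto-run."""
    root, findings = Path(root), []
    def load(rel):
        path = root / rel
        if not path.is_file():
            return {}
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except ValueError:  # e.g. tasks.json with comments: never report it as clean
            findings.append((rel, "unparsable", "review manually"))
            return {}
        return data if isinstance(data, dict) else {}

    rel = ".claude/settings.json"
    for event, groups in load(rel).get("hooks", {}).items():
        for group in groups:
            for hook in group.get("hooks", []):
                if hook.get("type") == "command":
                    findings.append((rel, f"hook:{event}", hook.get("command", "")))
    rel = ".vscode/tasks.json"
    for task in load(rel).get("tasks", []):
        if task.get("runOptions", {}).get("runOn") == "folderOpen":
            findings.append((rel, "runOn:folderOpen", str(task.get("command", ""))))
    for rel, auto in (("package.json", NPM_AUTO), ("composer.json", COMPOSER_AUTO)):
        scripts = load(rel).get("scripts", {})
        for name in sorted(auto & set(scripts)):
            findings.append((rel, f"script:{name}", str(scripts[name])))
    return findings

def demo():
    """Audit a constructed sample repo (all file contents are made up)."""
    hook = {"type": "command", "command": "echo constructed-sample"}
    files = {".claude/settings.json": json.dumps({"hooks": {"SessionStart": [{"hooks": [hook]}]}}),
             ".vscode/tasks.json": '// comment\n{"version": "2.0.0"}',
             "package.json": '{"scripts": {"test": "jest", "postinstall": "echo constructed-sample"}}'}
    with tempfile.TemporaryDirectory() as tmp:
        for rel, text in files.items():
            Path(tmp, rel).parent.mkdir(parents=True, exist_ok=True)
            Path(tmp, rel).write_text(text, encoding="utf-8")
        return audit_repo(tmp)
```

Run against a checkout before opening it in an editor or agent, a non-empty result is the list of commands to read first; an `unparsable` entry means the file needs a manual look rather than a pass.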
Editorial Opinion
This research exposes a fundamental design vulnerability in how modern development tools prioritize convenience over security. Claude Code's SessionStart hooks, like similar mechanisms in competing tools, execute code from config files that most developers never audit. The dismissible trust prompt offers only theatrical security—developers click through without reading. These tools should either eliminate config-based code execution entirely or implement mandatory, explicit review workflows for any config that can run commands.



