Security Researchers Demonstrate C2-Like Attacks Using Anthropic's Claude Code Background Agents
Key Takeaways
- ▸Claude Code's background sessions create a new security boundary that traditional security tools may not detect or monitor
- ▸The supervisor daemon runs independently of user terminals, enabling persistence even after shell termination
- ▸Attackers with initial local access could use Markdown and JSON files to establish long-lived C2-like agents
Summary
Security researchers have identified significant security vulnerabilities in Anthropic's Claude Code, demonstrating how attackers could exploit background AI agents to create persistent command-and-control-like infrastructure. The vulnerability leverages Claude Code's powerful features—including code execution, file access, and persistent background sessions—to establish mostly invisible, persistent agents after initial local code execution. The issue stems from the "supervisor process" architecture introduced in Claude Code v2.1.139, which manages background sessions independently of the terminal that spawned them, creating a security boundary problem that developers and security teams need to understand.
The research, conducted by Lucas Luitjes and Mitchell Turner, details how the supervisor process works as an undocumented local control plane. Through reverse engineering of the daemon process using Ghidra, they mapped the IPC communication channels (named pipes on Windows, Unix domain sockets on Linux/macOS) that the Claude CLI uses to manage background worker processes. The attack vector requires initial local code execution but then enables persistent, long-running agents that survive terminal closure, SSH disconnection, and shell restarts—making detection and remediation significantly more difficult than traditional persistence mechanisms.
- The vulnerability underscores the challenges security teams face with powerful agentic tools operating at the system level
Editorial Opinion
This research highlights a critical gap in security awareness around modern agentic development tools. While Claude Code's persistent background sessions are powerful for legitimate developer workflows, Anthropic and security teams must establish clearer threat models and detection mechanisms for these new attack surfaces. The ability to maintain persistent agents through undocumented supervisor processes raises important questions about security-by-design principles for AI tools operating at system level. Developers should be aware of these risks in shared or untrusted environments, and Anthropic should consider providing built-in security auditing and hardening options for background sessions.
