I had a slightly horrifying realization today about Claude Code as a vector for a (meta?) supply chain attack[1].
Boris Cherny (the primary contributor to Claude Code) no longer uses an IDE to code, but instead uses Claude Code itself. He merges a mildly superhuman amount of code.
@bcherny 2025-12-27 In the last thirty days, I landed 259 PRs -- 497 commits, 40k lines added, 38k lines removed. Every single line was written by Claude Code + Opus 4.5
He uses a few MCP servers, including one that can view Sentry logs (which can contain user-generated content)
@bcherny 2026-01-02 11/ Claude Code uses all my tools for me. It often searches and posts to Slack (via the MCP server), runs BigQuery queries to answer analytics questions (using bq CLI), grabs error logs from Sentry, etc. The Slack MCP configuration is checked into our .mcp.json and shared with the team
He also has some commands on the allow-list which can execute code on his computer
@bcherny 2026-01-02 10/ I don’t use --dangerously-skip-permissions. Instead, I use /permissions to pre-allow common bash commands that I know are safe in my environment, to avoid unnecessary permission prompts. [screenshot of allow tab of Claude Code /permissions screen, showing that Bash(find:*) is one of the allowed commands]
The find command can execute arbitrary code, including things like “commit code and open a pull request”
$ find . -mindepth 0 -maxdepth 0 -exec bash -c 'echo "any arbitrary code can run here"' ';'
any arbitrary code can run here
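A defender-side check for the allow-list problem above, added here as an example (it is not the author's code and not part of Claude Code): it parses rules in the `Bash(prefix:*)` syntax visible in the screenshot and flags entries whose allowed command can run other programs given ordinary arguments, which is exactly what makes `Bash(find:*)` equivalent to allowing a shell. The `.claude/settings.json` layout with `permissions.allow`, and the lists of exec-capable commands, are assumptions of this example.

```python
"""Audit a Claude Code permission allow-list for entries that hand over
arbitrary command execution. Added example, not Claude Code's own code.
Rule syntax Bash(prefix:*) is taken from the post's screenshot; the
settings file layout {"permissions": {"allow": [...]}} is an assumption."""
import json
import re

# For these commands, any trailing arguments are enough to run arbitrary
# code, so Bash(<cmd>:*) is as broad as Bash(bash:*). Constructed list.
ARGS_ARE_CODE = {
    "find": "-exec/-execdir/-ok run a command for every match",
    "xargs": "runs its arguments as a command",
    "sh": "shell", "bash": "shell", "zsh": "shell",
    "env": "runs the named program",
    "python": "-c runs arbitrary code", "python3": "-c runs arbitrary code",
    "node": "-e runs arbitrary code",
    "perl": "-e runs arbitrary code",
    "awk": "system() runs arbitrary commands",
}
# For these, only the bare command with a wildcard is flagged; a pinned
# subcommand such as Bash(git status:*) is much narrower. Constructed list.
SUBCOMMAND_MATTERS = {
    "git": "aliases, hooks and git -c options can run commands",
    "npm": "lifecycle scripts run on install and via npm run",
}

# Bash(<prefix>) or Bash(<prefix>:<suffix>); '*' as suffix = any arguments.
RULE_RE = re.compile(r"^Bash\((?P<prefix>[^:)]*)(?::(?P<suffix>[^)]*))?\)$")


def parse_rule(rule):
    """'Bash(find:*)' -> ('find', '*'); 'Bash(npm run test)' -> ('npm run test', None);
    anything that is not a Bash rule -> None."""
    m = RULE_RE.match(rule)
    if m is None:
        return None
    return m.group("prefix"), m.group("suffix")


def risky_entries(allow_rules):
    """Return [(rule, reason)] for allow-list entries that delegate execution."""
    findings = []
    for rule in allow_rules:
        parsed = parse_rule(rule)
        if parsed is None:
            continue
        prefix, suffix = parsed
        tokens = prefix.split()
        if not tokens or suffix != "*":
            continue  # exact commands without a wildcard are not flagged
        base = tokens[0].rsplit("/", 1)[-1]  # treat /usr/bin/find like find
        if base in ARGS_ARE_CODE:
            findings.append((rule, ARGS_ARE_CODE[base]))
        elif base in SUBCOMMAND_MATTERS and len(tokens) == 1:
            findings.append((rule, SUBCOMMAND_MATTERS[base]))
    return findings


def audit_settings(settings_json):
    """Audit the JSON text of a settings file (assumed layout, see module doc)."""
    data = json.loads(settings_json)
    allow = data.get("permissions", {}).get("allow", [])
    return risky_entries(allow)


# Constructed sample settings; only find and xargs should be flagged.
SAMPLE = json.dumps({"permissions": {"allow": [
    "Bash(git status:*)",
    "Bash(ls:*)",
    "Bash(find:*)",
    "Bash(xargs:*)",
    "Bash(npm run test)",
    "Read(~/.zshrc)",
]}})

if __name__ == "__main__":
    for rule, why in audit_settings(SAMPLE):
        print(f"{rule}: {why}")
```

Run it against a real `.claude/settings.json` by passing the file contents to `audit_settings`; the intent is a pre-commit or CI check on shared settings (the post notes that `.mcp.json` is already checked in and shared with the team, and allow-lists tend to travel the same way), not a complete taxonomy of exec-capable binaries.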
Prompt injection is still not a solved problem.
Claude Code auto-updates
Any compromised machine would have Claude Code already installed and generally already authed, and so a malicious Claude Code instance could poke around on that machine
Many developers run Claude Code on machines that have lots of juicy secrets stored in not very secure ways
Sometimes they even run scripts which invoke the claude command in a loop such that auto-updated code would be executed pretty much immediately. e.g. Ralph does:
while true; do
    ...
    if should_halt_execution; then
        ...
        break
    fi
    ...
    execute_claude_code "$loop_count"
    ...
done
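One mitigation for the loop above, added here as an example (it is not Ralph's script and not Claude Code's own code): a wrapper that records the digest of the `claude` entry point before the loop starts and halts the moment the file on disk, or the path the name resolves to, changes, which is what an auto-update does mid-run. The `-p` non-interactive prompt flag and the name `claude` on PATH are assumptions; the demo function uses a constructed stand-in file in place of the real binary so it runs offline.

```python
"""Guard a Ralph-style loop against the Claude Code binary changing under it.
Added example, not Ralph's or Claude Code's code. Assumptions: `claude` is on
PATH and `claude -p <prompt>` is its non-interactive invocation."""
import hashlib
import os
import shutil
import subprocess
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, streamed so large binaries are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


class IntegrityGuard:
    """Pins the entry point at construction; reports whether either the
    resolved path (symlink re-pointed) or the file contents changed since."""

    def __init__(self, entrypoint):
        self.entrypoint = entrypoint
        self.resolved = self._resolve()
        self.baseline = sha256_of(self.resolved)

    def _resolve(self):
        # PATH lookup for a bare name; a literal path is used as-is.
        return os.path.realpath(shutil.which(self.entrypoint) or self.entrypoint)

    def changed(self):
        current = self._resolve()
        return current != self.resolved or sha256_of(current) != self.baseline


def run_loop(entrypoint, prompt, max_iterations, run=subprocess.run):
    """Invoke the entry point up to max_iterations times, re-checking the
    digest before each call. Returns (iterations_completed, halted_on_change)."""
    guard = IntegrityGuard(entrypoint)
    for i in range(max_iterations):
        if guard.changed():
            return i, True
        run([guard.resolved, "-p", prompt], check=False)
    return max_iterations, False


def demo_simulated_update():
    """Offline demonstration with a constructed stand-in for the claude binary:
    the stand-in is rewritten during the second invocation, as an auto-update
    would be, and the loop must stop before a third invocation."""
    with tempfile.TemporaryDirectory() as d:
        stand_in = os.path.join(d, "claude-stand-in")
        with open(stand_in, "wb") as f:
            f.write(b"build-1")
        calls = []

        def fake_run(argv, check=False):
            calls.append(list(argv))
            if len(calls) == 2:
                with open(stand_in, "wb") as f:
                    f.write(b"build-2")  # simulated in-place update

        result = run_loop(stand_in, "implement the next task", 10, run=fake_run)
        return result, len(calls)


if __name__ == "__main__":
    print("simulated update:", demo_simulated_update())
    if shutil.which("claude"):
        g = IntegrityGuard("claude")
        print("pinned", g.resolved, g.baseline[:16])
```

Re-resolving the name on every iteration matters: an updater that installs a new file and re-points a symlink leaves the old file's digest intact, so hashing only the path captured at start would miss it. A digest pin stops the loop but does not prevent the update itself; Claude Code also documents a `DISABLE_AUTOUPDATER` environment variable, and whether it applies to your install method is worth confirming against the current docs.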
This feels like the setup to a meta supply chain attack waiting to happen, which would result in lots of dev machines being compromised at once by an auto-update. The only thing standing in the way of this supply chain attack seems to be code review by the few people at Anthropic who have access to the Claude Code source[2].
[1] Not sure this is quite the right terminology, but it feels similar in spirit to the thing where npm dev dependencies can run code on install, and when they get hijacked can result in a script sniffing the dev’s machines for tokens, crypto wallets, etc
[2] Claude Code is not open source, so we don’t get the “many eyes” benefits here either
I think we should just assume that Claude Code has already been attacked by multiple fronts.