Claude Code Hooks: Repo-Committed Configs as RCE Vector

◆ DEEP DIVES

1. 01

   Beyond KAIROS: Claude Code's Designed Features Are Your Next Attack Surface

   <h3>Context: From Hidden Agent to Visible Threat Surface</h3><p>Monday's briefing covered the KAIROS hidden agent discovered in Claude Code's leaked source. That was about an <strong>undisclosed capability</strong>. Today's intelligence is about the <strong>documented, intentional features</strong> that create equally dangerous attack surfaces — and they're already in your repos.</p><p>Claude Code has evolved from a coding assistant into a <strong>full execution platform</strong> with 12 deep integration features. Three of them warrant immediate security attention.</p><hr><h3>Three High-Risk Feature Classes</h3><h4>1. Hooks: Shell Execution via Event Triggers</h4><p>Claude Code fires arbitrary shell scripts on <strong>PreToolUse</strong> and <strong>PostToolUse</strong> events. These Hooks execute with the developer's full permissions on their workstation or CI/CD runner. A malicious contributor who adds a Hook to a repo's <strong>.claude/</strong> directory gets code execution on every developer who opens the project with Claude Code — no interaction required beyond opening the repo.</p><blockquote>A poisoned .claude/ directory is the new poisoned Makefile — except your security team isn't reviewing it yet, and your SAST tools don't flag it.</blockquote><h4>2. MCP: Direct Database and API Connectivity</h4><p>Model Context Protocol integrations connect Claude Code sessions to <strong>production databases, internal APIs, and external services</strong>. Data flows through the LLM context window and potentially to Anthropic's API. This is a <strong>data exfiltration path</strong> that bypasses DLP controls entirely — your DLP is watching network egress and endpoint file transfers, not LLM context windows.</p><h4>3. Subagent Spawning: Unmonitored Parallel Execution</h4><p>Claude Code spawns parallel sub-agent instances for multi-step workflows. Each inherits the parent's permissions. Your EDR sees one Claude Code process; underneath, <strong>multiple autonomous agents</strong> are executing with inherited credentials and no individual monitoring.</p><hr><h3>The Repo Poisoning Vector in Detail</h3><p>The critical new attack vector: <strong>.claude/ directories and CLAUDE.md files committed to source repositories</strong>. These config files load automatically at session start and can contain:</p><ul><li><strong>Hooks</strong> — shell scripts executed on specific Claude Code events</li><li><strong>Skills</strong> — persistent commands that modify agent behavior</li><li><strong>MCP configurations</strong> — pre-configured database and API connections</li><li><strong>Rules</strong> — behavioral modifications that alter how Claude processes code</li></ul><p>This is functionally identical to the <strong>.vscode/settings.json</strong> attack vector — but less understood by security teams and <em>not yet included in standard code review checklists</em>. Your PR reviewers know to scrutinize Dockerfile changes and CI pipeline modifications. They do not yet know to scrutinize .claude/ changes.</p><hr><h3>Connecting to the Agent Autonomy Problem</h3><p>An emerging 5-level AI agent taxonomy puts this in broader context. Claude Code operates at <strong>Level 3</strong> (delegated execution with developer permissions). But tools like <strong>Sim Studio's Mothership</strong> — open-source, self-hostable, 27,000+ GitHub stars — operate at <strong>Level 5</strong>: agents that create other autonomous agents. A compromised Level 5 system doesn't just execute malicious actions. It <strong>creates autonomous agents that execute malicious actions independently, on their own schedules, with inherited production credentials</strong>.</p><blockquote>Your incident response playbook has no procedure for 'rogue agent spawned rogue agents operating on their own cron schedule with production credentials.'</blockquote><p>The recursive trust problem is qualitatively different from any current threat category. It needs to be modeled explicitly.</p>

   Action items

   • Add .claude/, CLAUDE.md, .claude/commands/, and .claude/skills/ to your pre-commit scanning rules and PR review checklists by end of week
   • Inventory all MCP integrations across engineering teams this sprint — flag any production database or write-access API connections for immediate review
   • Draft an AI agent governance policy this quarter covering credential rotation, least-privilege scoping, mandatory audit logging, and kill switches — tiered by agent autonomy level (3 through 5)
   • Verify EDR telemetry captures Claude Code child processes and shell executions — test with a benign Hook to confirm visibility

   Sources:Daily Dose of DS