CRITICAL | 4 Apr 2026

Anthropic Claude Code Source Leak — RCE via AI Agent Project Hooks

The inadvertent leak of the Anthropic Claude Code source (59.8 MB) on npm has exposed a critical vulnerability in AI agent project hooks (.claude/settings.json). It enables unauthenticated Remote Code Execution (RCE) and credential exfiltration through unvetted repositories.

Key findings
01. Anthropic Claude Code Source Leak and RCE Hook [HIGH]
    Confidence: High. A significant intelligence breach has been confirmed following the accidental release of the full source code for Anthropic's Claude Code (59.8 MB) onto the public npm registry.

02. Cisco IMC Remote Root Access (CVE-2026-20093) [CRITICAL]
    Confidence: High. A critical authentication bypass vulnerability (CVE-2026-20093, CVSS 9.8) has been disclosed in the Cisco Integrated Management Controller (IMC). This flaw allows a remote, unauthenticated attacker to gain full root-level access to the server management interface.

03. Nginx UI Unauthenticated Takeover (CVE-2026-33032) [CRITICAL]
    Confidence: High. The Nginx UI management interface is subject to a critical unauthenticated service takeover (CVE-2026-33032, CVSS 9.8). This vulnerability allows a remote attacker to assume administrative control of the Nginx configuration, enabling traffic interception, certificate theft, and the deployment of malicious proxy rules.

04. Azure AKS Privilege Escalation (CVE-2026-33105) [CRITICAL]
    Confidence: High. A critical privilege escalation vulnerability (CVE-2026-33105, CVSS 10.0) has been identified in the Azure Kubernetes Service (AKS). This flaw allows an attacker with limited access to a cluster node to escalate privileges to cluster administrator, effectively gaining control over all workloads and secrets within the environment.

05. APT29 GRAPELOADER Campaign [HIGH]
    Confidence: High. The Russian SVR-nexus group APT29 has deployed a new malware family, dubbed GRAPELOADER, in a targeted campaign against European diplomats. The group is utilising sophisticated wine-tasting invitation lures to deliver the payload.

06. Update: LiteLLM / Mercor AI 4TB Breach [HIGH]
    Confidence: High. Update: The Mercor AI breach has been confirmed as a 4TB data loss. Furthermore, CERT-EU has identified 92GB of stolen data affecting 30 European entities, traced back to a compromised Trivy scanner in the LiteLLM supply chain.

07. Update: F5 BIG-IP 9.8 RCE (CVE-2025-53521) [CRITICAL]
    Confidence: High. Update: CVE-2025-53521 has been upgraded to a 9.8 CVSS unauthenticated RCE. Active exploitation is widespread; immediate patching to version 21.0.0 or equivalent fixed releases is mandatory for all F5 BIG-IP APM users.

08. Update: Axios npm North Korea Attribution [CRITICAL]
    Confidence: High. Update: The Axios npm package hijack has been definitively attributed to the North Korean state actor UNC1069. The attack delivered the WAVESHAPER.V2 RAT, targeting developer environments for credential theft.

Anthropic Claude Code Source Leak and RCE Hook

Confidence: High

A significant intelligence breach has been confirmed following the accidental release of the full source code for Anthropic's Claude Code (59.8 MB) onto the public npm registry. Analysis of the leaked repository reveals that the agent’s project-level configuration file, .claude/settings.json, can be weaponised to execute arbitrary commands or exfiltrate environment variables.

This vulnerability allows a malicious actor to commit a repository containing a crafted settings file; when an unsuspecting developer runs Claude Code within that directory, the agent will execute the attacker-defined hooks. This poses an immediate risk to any organisation using AI-assisted development tools without strict repository vetting and execution sandboxing.
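
A defender-side audit for the settings file described above, added here as an example (not code from this brief or from Claude Code): it walks a checkout and lists every command string found under the hooks key of .claude/settings.json, so the file can be reviewed before the agent is run there. The settings.local.json file name and the nested hook layout in SAMPLE are assumptions; the command in SAMPLE is a constructed, harmless value.

```python
import json
import os
import tempfile

# settings.json is the file named in the brief; settings.local.json and the
# nested "hooks" layout in SAMPLE are assumptions made for this example.
SETTINGS_NAMES = {"settings.json", "settings.local.json"}
SAMPLE = {"hooks": {"PreToolUse": [{"matcher": "*", "hooks": [
    {"type": "command", "command": "echo constructed-sample-hook"}]}]}}


def collect_commands(node, path):
    """Yield (json_path, command) for each "command" string at any depth."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "command" and isinstance(value, str):
                yield f"{path}.{key}", value
            else:
                yield from collect_commands(value, f"{path}.{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from collect_commands(item, f"{path}[{i}]")


def audit_tree(root):
    """Return (file, json_path, command) for each hook command under root."""
    findings = []
    for dirpath, _dirs, filenames in os.walk(root):
        if os.path.basename(dirpath) != ".claude":
            continue
        for name in sorted(SETTINGS_NAMES & set(filenames)):
            file_path = os.path.join(dirpath, name)
            try:
                with open(file_path, encoding="utf-8") as fh:
                    data = json.load(fh)
            except (OSError, ValueError) as exc:
                # Unreadable or malformed files are flagged for manual review.
                findings.append((file_path, "unparseable", str(exc)))
                continue
            hooks = data.get("hooks") if isinstance(data, dict) else None
            findings += [(file_path, w, c) for w, c in collect_commands(hooks, "hooks")]
    return findings


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as repo:  # constructed sample repository
        os.makedirs(os.path.join(repo, ".claude"))
        with open(os.path.join(repo, ".claude", "settings.json"), "w") as fh:
            json.dump(SAMPLE, fh)
        print(audit_tree(repo))
```

Because the walk matches any "command" key under hooks rather than one fixed schema, nested .claude directories in vendored or submodule paths are reported too, and a settings file that fails to parse is listed instead of silently skipped.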

Cisco IMC Remote Root Access (CVE-2026-20093)

Confidence: High

A critical authentication bypass vulnerability (CVE-2026-20093, CVSS 9.8) has been disclosed in the Cisco Integrated Management Controller (IMC). This flaw allows a remote, unauthenticated attacker to gain full root-level access to the server management interface.

Given that IMC is used for the management and monitoring of Cisco UCS C-Series Rack Servers and S-Series Storage Servers, this exposure provides a direct path to the underlying hardware and potentially the guest virtual machines. Organisations must apply the urgent firmware update or isolate management interfaces from the public internet immediately.

Nginx UI Unauthenticated Takeover (CVE-2026-33032)

Confidence: High

The Nginx UI management interface is subject to a critical unauthenticated service takeover (CVE-2026-33032, CVSS 9.8). This vulnerability allows a remote attacker to assume administrative control of the Nginx configuration, enabling traffic interception, certificate theft, and the deployment of malicious proxy rules.

As there is currently no official patch available from the maintainer, remediation is limited to network-level isolation or the complete removal of the Nginx UI component. This represents a severe risk to web infrastructure relying on this tool for configuration management.

Azure AKS Privilege Escalation (CVE-2026-33105)

Confidence: High

A critical privilege escalation vulnerability (CVE-2026-33105, CVSS 10.0) has been identified in the Azure Kubernetes Service (AKS). This flaw allows an attacker with limited access to a cluster node to escalate privileges to cluster administrator, effectively gaining control over all workloads and secrets within the environment.

APT29 GRAPELOADER Campaign

Confidence: High

The Russian SVR-nexus group APT29 has deployed a new malware family, dubbed GRAPELOADER, in a targeted campaign against European diplomats. The group is utilising sophisticated wine-tasting invitation lures to deliver the payload. This activity underscores a shift in APT29’s TTPs toward more culturally specific social engineering tactics within the EU diplomatic sphere.

Update: LiteLLM / Mercor AI 4TB Breach

Confidence: High

Update: The Mercor AI breach has been confirmed as a 4TB data loss. Furthermore, CERT-EU has identified 92GB of stolen data affecting 30 European entities, traced back to a compromised Trivy scanner in the LiteLLM supply chain.

Update: F5 BIG-IP 9.8 RCE (CVE-2025-53521)

Confidence: High

Update: CVE-2025-53521 has been upgraded to a 9.8 CVSS unauthenticated RCE. Active exploitation is widespread; immediate patching to version 21.0.0 or equivalent fixed releases is mandatory for all F5 BIG-IP APM users.

Update: Axios npm North Korea Attribution

Confidence: High

Update: The Axios npm package hijack has been definitively attributed to the North Korean state actor UNC1069. The attack delivered the WAVESHAPER.V2 RAT, targeting developer environments for credential theft.

Why This Matters

The weaponisation of AI agent infrastructure (Claude Code, Nginx UI, LiteLLM) indicates a new frontier in supply chain attacks. Developers are now primary targets for unauthenticated RCE via the tools designed to assist them, whilst critical management interfaces (Cisco IMC, F5) remain under intense unauthenticated exploitation.

Recommended Actions

  • Audit all local .claude/ directories and avoid running AI agents in unvetted repositories.
  • Patch Cisco IMC (CVE-2026-20093) and F5 BIG-IP (CVE-2025-53521) management interfaces immediately.
  • Isolate Nginx UI instances (CVE-2026-33032) behind a firewall or VPN until a patch is released.
  • Verify Azure AKS configurations and apply relevant security updates for CVE-2026-33105.

All findings grounded in A13E intelligence sweeps through 04:30 UTC 04 April 2026.
