Claude Code flaws allow remote code execution and API key theft via untrusted repositories; three bugs fixed across 2025–2026 releases.
Claude Code would execute hidden code from untrusted projects before any user confirmation, Check Point reports.