Anthropic's Claude Code has been shown to approve malicious changes when attackers spoof a trusted maintainer's Git identity, underlining how easily automated review systems can be misled when they treat metadata as proof of trust.

In a demonstration described by Manifold Security, a fake author name and email set in Git were enough to make a commit look as though it came from a respected contributor. The code was then passed through an AI review flow that accepted it, even though the apparent authorship was fabricated. The firm argued that the weakness is not in Git itself, but in the assumption that commit metadata says anything reliable about who actually wrote the code.
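The core of the problem is that Git author metadata is plain, unsigned text that anyone can set. A minimal sketch (with hypothetical identities) shows how a commit can be made to appear to come from a trusted maintainer without any access to that person's account:

```shell
# Forging Git authorship metadata requires no special access: the
# --author flag and user.name/user.email config are unsigned free text.
set -e
tmp=$(mktemp -d)
cd "$tmp"
git init -q demo && cd demo

# The attacker's real committer identity (hypothetical):
git config user.email "attacker@example.com"
git config user.name "Attacker"

echo 'payload' > change.txt
git add change.txt

# Claim the commit was authored by a trusted maintainer (hypothetical):
git commit -q -m "routine fix" \
  --author="Trusted Maintainer <maintainer@example.org>"

# The log now reports the fabricated author:
git log -1 --format='Author: %an <%ae>'
```

Any tool that reads `%an`/`%ae` from the log, including an AI review flow, sees only the fabricated name; nothing in the metadata distinguishes it from a genuine commit by that maintainer.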

That distinction matters because trust-based automation is already common in open-source workflows. Manifold said the logic is understandable: maintainers are overwhelmed, so systems that fast-track well-known contributors save time. But the same approach becomes risky when identity checks are reduced to org membership, contribution history or presence on a maintainer list, none of which proves authorship. The company compared the issue to recent supply-chain compromises in which malicious code was treated as legitimate long enough to do damage.

The concern also sits against a wider backdrop of security problems in Anthropic's code tooling. GitLab has flagged CVE-2025-59041, in which malicious Git email settings could lead to arbitrary code execution before a workspace-trust prompt appears, while SentinelOne has documented later flaws that could bypass trust dialogs or leak information from attacker-controlled repositories. Separately, The Atlantic reported this week that Anthropic is simultaneously promoting a far more powerful cybersecurity model, Claude Mythos Preview, which the company says is capable of autonomous exploitation work but is being kept from public release because of the risks.

Taken together, the episodes point to the same lesson: identity cues and repository settings should not be treated as security controls. Manifold's conclusion was blunt: if the only thing standing between a bad change and a merge is the model's impression of who sent it, the system is too trusting for its own good.
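One concrete alternative to trusting metadata, not described in Manifold's write-up but a standard Git mechanism, is to gate automation on cryptographic signature verification rather than on author fields. Git's `%G?` log format reports signature status (`G` for a good signature, `N` for none), so a spoofed-author commit like the one above fails the check. An illustrative sketch, with hypothetical identities:

```shell
# Illustrative gate: fast-track only commits with a *verified signature*,
# never on author metadata alone. Here we create an unsigned commit with
# a spoofed author and show that the gate rejects it.
set -e
tmp=$(mktemp -d)
cd "$tmp"
git init -q demo && cd demo
git config user.email "attacker@example.com"
git config user.name "Attacker"
echo 'payload' > f.txt
git add f.txt
git commit -q -m "routine fix" --author="Trusted <trusted@example.org>"

# %G? signature status: G = good, N = no signature, B/E = bad/unverifiable.
status=$(git log -1 --format='%G?')
echo "signature status: $status"
if [ "$status" != "G" ]; then
  echo "refusing to fast-track: authorship not cryptographically verified"
fi
```

The design point is that the gate keys on something the attacker cannot forge without the maintainer's signing key, rather than on free-text fields the attacker fully controls.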


Source: Noah Wire Services