AI Sec Watch

Anthropic accidentally leaked the closed-source code for Claude Code when they published version 2.1.88 on NPM, which included a 60 MB source map file (a debugging file that links compiled code back to original source code) containing approximately 1,900 files and 500,000 lines of code. Anthropic confirmed no customer data or credentials were exposed and stated this was a human error in release packaging, not a security breach. The company is also investigating a separate bug where Claude Code users are hitting usage limits much faster than expected.

TorchGeo versions 0.4–0.6.0 had a critical vulnerability where the `eval` function (a Python function that executes code from text input) was used in the model weight API, allowing attackers to run arbitrary commands on systems using the library. Any platform exposing TorchGeo's get_weight() or trainers functions publicly was at risk.

OpenClaw had a vulnerability in its SSRF guard (a security check that blocks requests to internal network addresses), which incorrectly classified certain IPv6 special-use ranges (reserved address groups in the newer internet protocol) as public. This allowed attackers to potentially access internal or non-routable addresses that should have been blocked.

OpenClaw's host environment sanitization (a security check that removes dangerous settings before running code) was missing protections for two environment variables: `GIT_TEMPLATE_DIR` and `AWS_CONFIG_FILE`. An attacker could exploit this by approving a code execution request that redirects git or AWS tools to attacker-controlled files, allowing them to run untrusted code or steal credentials.

OpenClaw's jq safe-bin policy had a security flaw where it blocked direct `env` commands but still allowed access to environment variables through the `$ENV` filter, potentially letting approved commands leak sensitive environment data. This vulnerability affected versions up to 2026.3.24 in the file `src/infra/exec-safe-bin-semantics.ts` (the code that enforces safe command restrictions).

Anthropic's Claude Code version 2.1.88 update accidentally included a source map file (a file that maps compiled code back to its original TypeScript source code) containing over 512,000 lines of the tool's internal code. The leak exposed details about upcoming features, AI instructions, and the system's memory architecture.

The Claude SDK for Python (versions 0.86.0 to 0.86.x) had a vulnerability in its async local filesystem memory tool where the system checked that file paths were safe but then used an unresolved path, allowing an attacker to redirect file operations outside the intended sandbox (a restricted storage area) using symlinks (shortcuts to other files or directories). The synchronous (non-async) version of this tool was not affected.

The Claude SDK for TypeScript had a security flaw in its filesystem memory tool (a feature that lets AI models read and write files) where path validation was incomplete, allowing an attacker using prompt injection (tricking the AI with hidden instructions in its input) to access files outside the intended sandbox directory. This vulnerability affected versions 0.79.0 through 0.80.x and could let attackers read or modify files they shouldn't have access to.

The Claude SDK for Python (a library that lets Python programs use Claude AI) had a security flaw in versions 0.86.0 through 0.87.0 where memory files were created with overly permissive access controls (mode 0o666, meaning world-readable and world-writable permissions). On shared computers or in Docker containers, attackers could read the stored state of AI agents or modify memory files to change how the model behaves.