TL;DR

• The Claude Code source leak exposed ~40 permission-gated tools, a sub-agent spawning system, MCP integration architecture, JWT-authenticated IDE bridge, and path traversal defense implementations. This is a detailed, accurate map of the attack surface.

• The checklist below covers 11 security controls every organization running Claude Code (or any privileged AI coding assistant) should verify.

• Most of these controls apply equally to Cursor, GitHub Copilot, Continue, and other AI coding tools. Claude Code is the specific case; the checklist is general.

• For the full incident context, see Claude Code's Source Code Just Leaked. Here's What Security Teams Should Do Now.

When Anthropic's Claude Code source code leaked on March 31 2026 via an npm packaging error, it did not create new vulnerabilities. It removed obscurity from existing ones. Security through obscurity was never a strong control, but it was a real one: attackers who wanted to probe Claude Code's permission model, tool boundaries, or MCP integration points previously had to reverse-engineer a minified binary. Now they have 1,900 TypeScript files and a 46,000-line query engine to work from.

For security teams, the right response is not alarm. It is audit. The checklist below is drawn directly from what the leaked source revealed about Claude Code's architecture: each item identifies what the source exposed, what your team should verify, and what remediation looks like.

Most of these items apply beyond Claude Code. If your organization runs Cursor, GitHub Copilot, Continue, or any AI coding assistant with bash or file system access, the same controls apply.

1. Inventory every AI coding assistant deployment

What the leak revealed: Claude Code is installed per-developer, not provisioned centrally. The binary, configuration files (.claude.json, .mcp.json), and tool permissions exist on individual developer machines. There is no central registry.

What to check: Do you know every developer machine in your organization that has Claude Code (or another AI coding assistant) installed? Do you know which version each is running? Is there a record of when each was installed and by whom?

How to verify: Query your endpoint management platform (Jamf, Intune, CrowdStrike Falcon, SentinelOne) for the claude binary, the @anthropic-ai/claude-code npm package, and the .claude.json configuration file. Cross-reference against your approved software list. Treat any installation not in the record as an undocumented AI deployment.

Why it matters: You cannot audit the permission model or MCP connections of an installation you do not know exists. Discovery is the prerequisite for every other item on this checklist. Repello's AI Asset Inventory automates this discovery continuously across engineering environments.

2. Audit all .mcp.json files across developer environments

What the leak revealed: The .mcp.json configuration file specifies every MCP server connection for a Claude Code installation: server names, transport types, command paths, and arguments. The full format is documented in the leaked source. MCP servers grant Claude Code tool access beyond its defaults: file systems, databases, internal APIs, external services.

What to check: For every developer machine running Claude Code, what MCP servers are configured? Which of those have been reviewed by security? Which have access to production systems, internal databases, or sensitive data stores? Are any configured MCP servers no longer needed for their original purpose but still active?

How to verify: Collect .mcp.json files from developer machines through your endpoint management platform or through a developer self-disclosure survey. For each MCP server listed, verify: what system it connects to, who configured it, when, and for what purpose. Flag any server with write access to production systems or access to sensitive data that does not have a documented security review.

Why it matters: An MCP server connection is an extension of Claude Code's trust boundary. A misconfigured or malicious MCP server can be used for prompt injection, data exfiltration, or RCE. With the full MCP integration architecture now documented, the attack surface of each MCP connection is easier to exploit. Repello's MCP Gateway provides real-time monitoring of every MCP connection and blocks malicious servers before they can execute.

3. Verify bash tool scope is bounded

What the leak revealed: The Bash tool in Claude Code executes shell commands with the permissions of the running user. The leaked source shows the tool is permission-gated, but the gating applies at the agent invocation layer, not at the OS level. The tool has no additional sandboxing: it runs as the developer.

What to check: Are developers running Claude Code as a privileged user (admin, root, or with sudo access)? Are there any production system credentials in the developer's shell environment (environment variables, shell history, .env files) that bash commands could read or exfiltrate? Are bash executions logged anywhere?

How to verify: Review developer machine configurations for privilege level. Check whether production secrets are accessible from developer environments where Claude Code runs. Enable shell command logging (auditd on Linux, BSM on macOS) for machines where Claude Code has bash access to systems beyond local development.

Why it matters: Bash is the highest-blast-radius tool in Claude Code's toolkit. An adversarial input that successfully manipulates the Bash tool can execute arbitrary commands with the developer's permissions. The leaked source documents the tool interface precisely, making it straightforward to craft targeted injection attempts.

4. Test path traversal defenses at your specific deployment

What the leak revealed: Claude Code's source explicitly handles four path traversal variants: URL-encoded traversal (../), Unicode normalization attacks, backslash injection, and case-insensitive path manipulation. The protected file list (.gitconfig, .bashrc, .zshrc, .mcp.json, .claude.json) is hardcoded.

What to check: Are there path traversal variants beyond these four that your deployment surface is vulnerable to? Are there sensitive files in your developer environments that are not on the protected list but should be? Do your file write operations validate paths against your internal data classification?

How to verify: Run adversarial testing against your Claude Code deployments specifically targeting path traversal variants including those not listed in the leaked source. Verify that your most sensitive configuration files and credential stores are not accessible through the file write tools under adversarial inputs.

Why it matters: Security teams should test the exact controls that are documented, not assume the documented controls are complete. The four variants handled in the source are the ones Anthropic's engineers specifically anticipated. Attackers reading the same source will look for the fifth variant. Repello's ARTEMIS tests path traversal and file system access boundaries systematically across the full OWASP LLM Top 10 attack surface, producing a prioritized report of what your specific deployment is vulnerable to.

5. Assess sub-agent spawning permissions

What the leak revealed: Claude Code can spawn sub-agents, each running in its own context with a specific subset of tool permissions inherited from the parent agent. The spawning mechanism, context isolation model, and permission inheritance logic are all in the leaked source.

What to check: In your Claude Code usage, are sub-agents being spawned? If so, what tool permissions are they inheriting? Is there any mechanism by which a sub-agent could request elevated permissions from the parent? Is sub-agent activity logged separately from parent agent activity?

How to verify: Review your Claude Code workflows for tasks that trigger the Agent tool (sub-agent spawning). Verify that sub-agents running in your environment have the minimum necessary tool permissions for their tasks. Check whether your logging captures sub-agent tool calls separately from parent agent calls, so you can trace the full execution chain if something unexpected happens.

Why it matters: Sub-agent spawning creates a hierarchy where the parent agent is the trust boundary. An attacker who can manipulate a sub-agent's inputs through indirect prompt injection may be able to escalate to parent-level tool access if the permission inheritance model has exploitable edge cases. The leaked source documents those edge cases for anyone who wants to look for them.

6. Audit the IDE bridge authentication

What the leak revealed: Claude Code's IDE bridge uses JWT-authenticated channels for bidirectional communication between the CLI and IDE extensions (VS Code, JetBrains). The authentication mechanism, token handling, and channel architecture are documented in the leaked source.

What to check: Are the JWT tokens used by the IDE bridge scoped appropriately? Are they short-lived or long-lived? Are there any developer machines where the IDE bridge is running but the IDE extension has not been updated to a current version? Is IDE bridge traffic logged?

How to verify: Check whether your organization enforces IDE extension version minimums. Review the token lifetime policy for IDE bridge JWTs. Verify that IDE bridge traffic is covered by your network monitoring for developer environments.

Why it matters: The IDE bridge runs persistently on developer machines when Claude Code is active. A compromised IDE extension or an exploited JWT token gives an attacker the ability to interact with Claude Code's full tool set through the legitimate IDE bridge channel. With the authentication architecture documented, this attack surface is easier to reason about.

7. Validate that sensitive credentials are not in Claude Code's working context

What the leak revealed: Claude Code's Read tool accesses files in the working directory and sub-directories. The WebFetch tool makes HTTP requests. Both can exfiltrate data if manipulated through adversarial inputs. The leaked source confirms these tools operate with the developer's full file system permissions, bounded only by the protected file list.

What to check: Are there .env files, credentials files, AWS config files, SSH keys, or API keys in directories where developers run Claude Code? Is source code submitted to Claude Code queries ever transmitted to external endpoints through the WebFetch tool under normal operation? Are there production database connection strings in any configuration files in the working directory?

How to verify: Run a credentials scan (using gitleaks or trufflehog) against developer working directories to identify any sensitive credentials that are accessible from the Claude Code execution context. Review whether your secret management practice requires credentials to be in vault systems rather than dotfiles accessible from development environments.

Why it matters: A data exfiltration attack through an AI coding assistant does not require exploiting a new vulnerability. It requires manipulating the model's existing, legitimate tools: read a credentials file, send its contents to an attacker-controlled endpoint via WebFetch. The leaked source confirms exactly which tools are available for this attack chain.

8. Review system prompt handling for your Claude Code wrappers

What the leak revealed: The leaked source includes Claude Code's internal system prompts and the mechanisms through which custom system prompt content can be injected via configuration. Organizations that have built internal wrappers, custom slash commands, or modified configurations around Claude Code have a documented interface through which adversarial system prompt content could be introduced.

What to check: Does your organization use any custom system prompt content, wrapper scripts, or modified configurations with Claude Code? If so, has that custom content been reviewed for prompt injection risks? Is there any mechanism by which externally sourced content (from tickets, code review comments, issue trackers) could reach Claude Code's system prompt?

How to verify: Review any internal tooling that interacts with Claude Code's configuration or injects content into its context. Test whether external content (from Jira tickets, GitHub issues, Slack messages, or code review comments that Claude Code is asked to process) can contain adversarial instructions that modify Claude Code's behavior.

Why it matters: Indirect prompt injection through content sources is the highest-risk attack vector for AI coding assistants used in real development workflows. A developer who asks Claude Code to "summarize this GitHub issue" and the issue contains adversarial instructions is exactly the scenario the leaked system prompt architecture enables an attacker to plan for.

9. Establish a behavioral baseline and monitor for drift

What the leak revealed: Claude Code's query engine handles all LLM API calls, streaming, caching, and orchestration in approximately 46,000 lines. Model updates, tool changes, and configuration modifications can alter behavior without any visible indicator to the developer.

What to check: Does your organization have any baseline of what normal Claude Code behavior looks like for standard development tasks? Would you detect if Claude Code started producing outputs that include unexpected external URLs, unusual file paths, or commands outside the normal pattern for your development workflow?

How to verify: Define expected behavioral patterns for your highest-risk Claude Code use cases (code review, automated testing, CI/CD integration). Implement output monitoring that flags significant deviations: unexpected external web requests, unusual file write paths, commands that reference systems outside the normal development environment.

Why it matters: Behavioral drift in an AI agent with bash and file system access is not a theoretical concern. A model update or a successful adversarial input that modifies behavior may produce a single anomalous output that executes a harmful action before anyone notices. Repello's ARGUS monitors AI agent outputs for behavioral anomalies in real time, with sub-100ms latency and adaptive guardrails calibrated from adversarial testing results.

10. Audit the persistent memory directory for poisoned context

What the leak revealed: The leaked source documents a persistent memory system: a file-based directory where Claude Code stores context about the user, their project, and their preferences across sessions. This is not wiped between sessions. It influences the model's behavior on every subsequent invocation until explicitly cleared.

What to check: Does the memory directory exist on developer machines running Claude Code? What is currently stored in it? Does any stored context look anomalous, contain instructions that were not placed there intentionally, or reference systems or actions outside the developer's normal workflow? Is there any process for periodically reviewing or flushing memory content?

How to verify: Locate the Claude Code memory directory on managed developer machines (typically a hidden directory in the user's home folder). Review the contents. Flag any entries that contain instruction-like text, references to external systems, or content that does not match the developer's self-reported project context. Establish a periodic review cadence, particularly for developers working on sensitive codebases.

Why it matters: Persistent memory transforms a single successful injection into a persistent foothold. An adversarial input that writes into the memory directory continues to influence Claude Code's behavior in every future session until removed. This is the agentic equivalent of a persistent cookie that modifies model behavior, and it is the attack surface that most coverage of the Claude Code leak has not addressed. The memory system did not exist in earlier versions of Claude Code; the leaked source confirms its implementation in the current release.

11. Apply this checklist to every AI coding assistant, not just Claude Code

What the leak revealed: Claude Code's architecture is representative of the AI coding assistant category. Bash execution, file read/write, web fetch, sub-agent spawning, and MCP connections are standard capabilities across Claude Code, Cursor, GitHub Copilot with extensions, and Continue. The leaked source makes Claude Code's specific implementation visible; the attack surface exists across the category.

What to check: Does your organization have a unified AI coding assistant policy that covers all tools in this category, or is each tool handled separately? Are Cursor, Copilot, and Continue deployments subject to the same inventory, MCP audit, and adversarial testing requirements as Claude Code?

How to verify: Run the same discovery process from item 1 above against all AI coding assistants, not just Claude Code. Treat AI coding assistants as a category of privileged agents that require security review, not as productivity tools outside the security team's remit.

Why it matters: The Claude Code leak made this conversation unavoidable. The underlying risk was present before March 31 and will be present in whatever AI coding tool your organization standardizes on next. A security program that addresses Claude Code specifically but not the category will need to be rebuilt the next time a different tool's internals become public.

Running the checklist at scale

Most of the items above require data that is not centrally available in most organizations: a current inventory of AI coding tool deployments, access to .mcp.json files across developer machines, behavioral baselines for AI coding assistant outputs. The manual approach to gathering this data is labor-intensive and produces a point-in-time result that is outdated by the next deployment.

Repello's AI Asset Inventory provides continuous automated discovery that covers items 1 and 2 of this checklist as an ongoing function rather than a one-time exercise. ARTEMIS runs adversarial testing for items 4, 5, 7, and 8, producing a prioritized finding report tied to specific attack patterns rather than theoretical vulnerabilities. ARGUS handles item 9 at the runtime layer, monitoring outputs in real time. MCP Gateway handles item 2 continuously, blocking malicious servers and enforcing connection policies without requiring developer workflow changes.

To see how these work together for an organization running AI coding assistants in production, book a demo.

Frequently asked questions

Does this checklist apply only to Claude Code?

No. The checklist uses Claude Code as the reference implementation because the leaked source provides precise documentation of the architecture, but the controls apply to any AI coding assistant with bash access, file system access, or MCP connections. Cursor, GitHub Copilot with extensions, Continue, and Codeium all have comparable attack surfaces that warrant the same audit.

Which checklist items are highest priority?

Items 2 (MCP audit) and 7 (credential exposure) are typically the highest-priority because they represent the shortest paths from a successful adversarial input to a concrete security incident. An MCP server with production database access and a developer environment containing credential files are the preconditions for the highest-severity outcomes. Items 1 (inventory) and 3 (bash scope) are prerequisites that enable everything else.

How often should this checklist be run?

The full checklist should be run as a structured audit when a new AI coding assistant is deployed, when a significant model or tool update is released, and quarterly as a baseline. Items 1 and 2 (inventory and MCP audit) should run continuously through automated tooling, since new installations and new MCP connections appear between audit cycles.

Is the leaked Claude Code source still publicly available?

The primary GitHub repository mirroring the leaked source accumulated 84,000 stars before Anthropic acted. Copies of the source are distributed broadly. For practical security planning, assume the source is available to any motivated attacker and design your controls accordingly.

What is the relationship between this checklist and the broader AI security program?

This checklist addresses AI coding assistant security specifically. It feeds into the broader AI security posture management program and the AI asset inventory that every enterprise AI security program requires. The findings from this checklist should be documented in the organization's AI Bill of Materials and reviewed as part of the regular AI red teaming cycle.

The 10 items above are a starting point, not an exhaustive audit. The leaked source will generate new research into Claude Code's specific implementation over the coming months, and new findings will warrant additions to this list. Subscribe to Repello's research blog to receive updates as new findings emerge.

To run items 1, 2, 4, 5, 7, 8, and 9 with automated tooling rather than manual effort, book a demo or visit repello.ai/product.