← All posts8 July 2026claude-codesecuritypermissions

Claude Code in auto mode will install packages without asking — here's why that matters

A new bug report says auto mode installs dependencies with no confirmation. It's unconfirmed, but it points at a real truth: permission modes are a convenience, not a security boundary.

✓ Verified against claude-code v2.1.203 on 2026-07-08

On 7 July someone filed a one-line bug report against Claude Code: in auto mode, it installs dependencies without asking. Their words — "installing stuff on a computer without asking is a huge security risk. it shouldn't matter that auto mode is enabled."

Anthropic labelled it security and permissions. It's issue #75439, it's open, and as I write this there's no maintainer response and no repro steps. So I'm not going to tell you Claude Code has a confirmed dangerous bug. What I'll tell you is why that thin little report is worth your attention anyway: it's a live example of something a lot of people get wrong about how Claude Code's permissions actually work.

What's actually going on

Claude Code has permission modes, and they're not subtle once you know their names. I checked the current binary (v2.1.203) — these are all in there:

  • Normal mode — asks before running a Bash command. This is the friction, and it's on purpose.
  • Accept-edits mode (acceptEdits) — stops asking before file edits.
  • Bypass mode (bypassPermissions / --dangerously-skip-permissions) — asks for nothing.

Here's the part people skip past: in bypass or full-auto mode, a shell command is a shell command. npm install, pip install, curl | bash — they run without a per-command prompt, because that's the entire point of the mode. The tool isn't malfunctioning when it installs a package in auto mode. It's doing exactly what "stop asking me" means.

So the bug report is really a mismatch of expectations. The user expected package installs to be special — gated even in auto mode. They aren't. And that's the thing worth internalising: permission modes are a convenience dial, not a security sandbox. Bypass mode isn't "trusted Claude." It's "no brakes."

Why a package install is the one to care about

Of everything Claude might do without asking, installing a package is the one that should make you sit up — because packages are where the actual attacks have been.

2026 has not been quiet here. There was the accidental npm publish of Claude Code's own source map back in March (Anthropic's mistake, since fixed). Then attackers used the leak to typosquat internal package names. There were stealer packages aimed specifically at Claude users, and malicious npm and PyPI packages that abused AI coding assistants' own repo access. The Hacker News, Mend, and The Register all covered these — this is documented, not rumour.

None of that was Claude Code being malware. But every one of those attacks landed the same way: a developer's machine pulled a package it shouldn't have. An agent in bypass mode that reaches for a plausible-looking package name is exactly the hand that pulls it. That's why "auto mode installed something" isn't a shrug — the install step is the supply-chain attack surface.

One thing I want to be careful about, because the scarier numbers are already circulating: I've seen claims of "294,000 secrets stolen" and "6,943 machines" and an attack that's "still ongoing." I can't verify those to any primary source, and they read like the broader Shai-Hulud npm worm getting merged with the Claude Code story. The real, sourced incidents are from roughly March to May and largely patched. Don't panic-share the big numbers. The calm version is true and bad enough.

What to actually do

  1. Know your mode. If you didn't turn on bypass or --dangerously-skip-permissions, normal mode is asking you before Bash commands — good. If you did, understand that includes installs.
  2. Don't run bypass or full-auto on untrusted repos — or on any task where Claude might reach for a new dependency. Save it for scoped work you're watching.
  3. Add a guardrail deny rule. In settings.json, permissions.deny with Bash(npm install:*) and Bash(pip install:*) makes installs require a manual step. Treat this as a guardrail, not a wall — deny-rule bypasses have been reported, so don't lean your whole safety model on it.
  4. For genuinely untrusted or long unattended runs, use a real boundary — a container or VM — and keep your API keys and tokens out of that environment. That's the only actual sandbox in this list.

What not to do

Don't reach for a CLAUDE.md rule that says "never install packages without asking." I keep seeing people patch behaviour with prose instructions, and this is the wrong layer. A permission mode you deliberately set to skip prompts will win over a politely-worded rule in a markdown file. If you want prompts, use the mode that prompts. If you want a hard block, use a deny rule or an OS boundary. Prompt instructions are for shaping how Claude works, not for enforcing what it's allowed to do.

The receipts

  • Issue #75439 — open, labelled security + permissions, filed 7 July 2026 against v2.1.203. One user report, no maintainer response yet. Watch it for an update.
  • Permission-mode names (acceptEdits, bypassPermissions, dangerouslySkipPermissions) confirmed in the v2.1.203 binary on 8 July 2026.
  • Supply-chain context reported by The Hacker News, Mend, and The Register (March–May 2026 events, largely patched). The "294K / 6,943 / ongoing" figures are unverified — treat with suspicion.

The honest headline isn't "Claude Code has a scary bug." It's "auto mode does what it says, and what it says includes installing software." Know which mode you're in before you walk away from the keyboard.

More fixes like this, before they hit the blog

Free field guide

Fix problems before you hit them

The cheat sheet covers the commands, settings, and guardrails that prevent most of what this blog debugs. Free PDF, weekly tutorials after.