If you've seen the "check your .claude/settings.json right now, Claude Code is under attack" posts going around, here's the honest version before you panic-audit your machine: there is no confirmed live attack on Claude Code users. What there is — and what's genuinely worth understanding — is a real, documented way that a poisoned repository could abuse Claude Code's hooks. The difference matters, so let me be precise about both halves.
What's real, and what's modeled
The underlying thing is real: hooks. Claude Code's .claude/settings.json can define hooks — commands that run automatically on events like SessionStart. That's a genuine feature, documented in Claude's own setup docs, and it's useful. It's also, by definition, a place where "open this project" can mean "run this command."
The attack, though, is where I have to slow down. Security firms — StepSecurity, Mend, Snyk — have published detailed write-ups this year of a supply-chain worm ("Shai-Hulud," and a "Mini Shai-Hulud" resurgence) that includes Claude Code hook persistence: malware writing itself into .claude/settings.json so it re-runs every session. I read all three. Here's the part the scary posts leave out: those write-ups read as threat-modeling exercises, not reports of an observed attack in the wild. Snyk's own piece says, plainly, that no real package versions were actually compromised at the versions described. The campaign names and threat actors are the kind you build for a scenario, not ones pulled from an incident response.
So the accurate framing isn't "researchers caught malware hijacking Claude Code." It's "researchers showed exactly how malware would hijack Claude Code, so you can recognise it." That's less dramatic and more useful. I'd rather hand you the second thing.
One number to specifically ignore: I've seen "294,000 secrets stolen" and "6,943 machines" attached to this. I can't trace those to any primary source, and they look like the broader npm-worm coverage getting welded onto the Claude Code angle. Don't repeat them.
Why the mechanism is worth your attention anyway
A modeled attack is still a real capability. The reason to care isn't that you're compromised today — it's that the hook system does exactly what the scenario describes, so a genuinely poisoned repo (they do happen) would work this way. Treating .claude/settings.json as executable config, not harmless notes, is just correct hygiene regardless of whether anyone's weaponised it yet.
This is the same lesson as auto-installing packages: the danger isn't Claude Code misbehaving, it's that a file you didn't write can carry instructions your tools will run.
The habit worth building
You don't need to panic-audit. You need one cheap check when you clone or open an unfamiliar repo. From the project root:
find . -path "*/.claude/settings.json" -print
grep -R "SessionStart\|setup.mjs\|router_runtime" .claude .vscode 2>/dev/null
Then actually read what it finds — don't delete blindly. You're looking for hooks you didn't add, especially anything that runs a JavaScript file you don't recognise (setup.mjs, router_runtime.js) or fires on SessionStart. Glance at package.json for surprise preinstall/postinstall scripts while you're there.
If you find a hook running code you didn't write:
- Stop working in the project. Don't just carry on.
- Read the hook and any files it references before removing anything.
- Check git history and GitHub Actions for changes you didn't make.
- Rotate credentials that project could reach — GitHub tokens, npm tokens, cloud keys, AI API keys, database URLs.
If you're unsure whether the machine itself is affected, get help before revoking everything — remediation order can matter when persistence is involved.
The durable version
Forget the campaign names and the scary counts. The thing worth keeping:
.claude/settings.jsoncan run commands, so read it in repos you didn't write.- Keep lockfiles committed and read dependency changes before installing.
- Don't store real secrets in the repo.
- Be a little skeptical when Claude suggests adding a package.
Hooks are powerful because they can run commands. That's why they're useful, and it's why you should know what's in your settings file. No live attack required for that to be true.
The receipts
- StepSecurity, Mend, and Snyk — the Claude-Code hook-persistence write-ups. Read them as threat modeling; Snyk states no real versions were compromised.
- Claude Code setup docs — the official install and hooks reference.
- The "294K secrets / 6,943 machines / ongoing" figures are unverified — treat with suspicion.
More fixes like this, before they hit the blog