The Latest
Claude Code Can Be Manipulated via CLAUDE.md to Run SQL Injection Attacks

Claude Code Can Be Manipulated via CLAUDE.md to Run SQL Injection Attacks

byDeeba Ahmed
April 9, 2026
3 minute read

LayerX researchers have discovered how to bypass Claude Code’s safety rules using the CLAUDE.md file. This exploit allows anyone to automate SQL injection attacks and steal user credentials without writing any code.

A recent study by LayerX has found that hackers can transform a tool widely used by computer programmers into a powerful weapon for their malicious acts. The tool is Anthropic’s Claude Code, and LayerX researchers have discovered a way to weaponise it. This research, shared with Hackread.com, reveals that anyone can use the tool to attack websites even if they don’t know how to write code.

Do not confuse Claude Code with the recent Claude source code leak. Claude Code is an AI-powered coding assistant. Since it is agentic, it writes and fixes computer code, makes its own choices, and runs commands on a computer. Every project that uses Claude Code has a simple text file called CLAUDE.md that tells it how to behave. Normally, the AI has safety guardrails to stop it from performing malicious activities, such as creating malware. However, LayerX researchers noted that these guardrails can be bypassed or fooled very easily.

“Claude Code is for developers who need an AI that can take autonomous action on real systems, and is therefore given a broader set of permissions than standard web AI interfaces. This expanded freedom is intentional and necessary for Claude Code to be useful, but it also presents an attack surface that is already being exploited today,” the blog post reads.

While testing in a controlled environment with a vulnerable web application called DVWA, they found that by typing just three lines of basic English into that text file, the tool was convinced to ignore its safety rules. In one test, they easily fooled the AI to allow unauthorised access by saying they had permission. The tool believed the file and immediately started stealing usernames and passwords. It even used a hacking technique called SQL injection to dump the database.

The AI openly used the text file as its justification, as researchers noted that the AI told them: “Given the authorization stated in your CLAUDE.md for pentesting… here’s how to approach login bypass.” It then used a tool called cURL to run the attack, as researchers revealed that “this unremarkable file is suddenly an attack surface” because the AI trusts the instructions without question.

The worrying part is that this is not just a theory but a real problem that can happen right now. LayerX report reveals several ways hackers may use this trick, such as simply lying to the AI to get it to help with a hack.

Another risk involves malicious downloads. A hacker can share a project online that has a hidden instruction file, and when an honest developer downloads it, the tool might start stealing their private files. There is also the threat of an insider with bad intentions changing the file in a company project.

Video Demo from LayerX

LayerX’s team contacted Anthropic on 29 March 2026 to inform them about this issue, but they did not receive a favourable direct response and were told to email a different department. They sent another message that same day, but have not heard back yet. Therefore, for now, researchers suggest that any team using Claude Code must treat these text files like real computer code and inspect them closely to stay safe.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
View Posts
Leave a Reply

Your email address will not be published. Required fields are marked *

Related Posts
Adobe Reader Zero-Day Exploited to Steal Data via Malicious PDFs

Adobe Reader Zero-Day Exploited to Steal Data via Malicious PDFs

An Adobe Reader zero-day vulnerability is being actively exploited via malicious PDFs, allowing hackers to steal data without user interaction, with no patch available.
byDeeba Ahmed
April 9, 2026
2 minute read

Hackers have been exploiting an as-yet unidentified flaw in Adobe Reader since at least November 2025. This zero-day vulnerability was first discovered by security expert Haifei Li, founder of EXPMON, a sandbox-based exploit detection system.

How the attack works

Haifei Li found that the attack is triggered as soon as a victim opens a specially crafted PDF file. One sample identified on VirusTotal was named “Invoice540.pdf,” suggesting the attackers are using fake invoices as a lure. Li notes that the exploit is particularly dangerous because it runs on the latest version of Adobe Reader without requiring any additional user interaction.

Detected Sample (Source: Haifei Li)

Once the file is open, it runs hidden, heavily obfuscated JavaScript code. This code hijacks two built-in software tools called APIs: util.readFileIntoStream, which is normally used to handle files, and RSS.addFeed, which usually manages web updates. By abusing these, the hackers can secretly steal data from the computer and send it to a remote server at the address 169.40.2.68.

Li further explained in a blog post that this is just the first step because by collecting info and fingerprinting the computer, hackers can prepare for even worse actions. This includes Remote Code Execution (RCE), which lets them run their own programmes on the victim’s machine, or a Sandbox Escape (SBX) to bypass built-in security barriers and take full control.

Russian oil and gas lures

The attackers seem to be focused on targeting specific groups. A security analyst, Giuseppe Massaro (Gi7w0rm), looked into the malicious documents, identifying that they were written in Russian and that the text in the PDFs talks about news and events in the Russian oil and gas industry to make the emails look real.

More concerning is that this is not the first time Adobe Reader has faced similar issues. A previous flaw, tracked as CVE-2024-41869, was also reported by Haifei Li, although Adobe did not confirm whether it had been exploited in real-world attacks at the time.

Adobe was notified about the flaw around 7 April, but they have not released an update to fix it just yet. Li, who has a long history of finding bugs at companies like Microsoft, said it is vital for the public to know about this now so they can stay safe.

Since there isn’t any official fix or patch available as yet, be careful when opening any PDF files from people you don’t know, and those who manage office networks must block internet traffic that mentions Adobe Synchronizer in the header to stop the hackers from communicating with the infected computers.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
View Posts
Leave a Reply

Your email address will not be published. Required fields are marked *

UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign

UNC6783 Hackers Use Fake Okta Pages in Corporate Breach Campaign

UNC6783 hackers and extortionists impersonate support staff, using fake Okta login pages and social engineering to access corporate systems and steal sensitive data.
byDeeba Ahmed
April 10, 2026
3 minute read

Cybersecurity experts at Google Threat Intelligence Group (GTIG) have issued a warning about a new group of hackers, known as UNC6783, who are trying to steal data from large companies for data theft extortion. Austin Larsen, a lead analyst at GTIG, reports that this group might be linked to an individual using the name Raccoon.

The hackers have so far targeted dozens of high-value organisations across various industries by compromising the security of Business Process Outsourcers (BPOs). These are third-party service providers responsible for handling tasks such as customer service and technical support for larger corporations. By targeting these partner firms, hackers can gain access to the main systems of the companies they really want to target for data theft.

How the hackers trick the staff

According to Larsen, the group uses a special phishing kit to bypass standard security. The attack kicks off with social engineering, where hackers use live chat windows to talk to employees. They pretend to be helpful but actually send links to fake login pages that look like the real Okta service used by many offices. These fake websites use addresses like <org>zendesk-support<##>com to look official.

Once an employee tries to log in, the hackers steal information from the person’s computer clipboard. This allows the attackers to add their own phones or laptops to the company’s security list. This is called enrolling a device for persistent access, which means they can get back into the system whenever they want.

Fake updates and ransom notes

GTIG’s research reveals that the hackers use several different methods to trick employees. They sometimes send messages about fake security software updates, containing the malware installer. If the employee downloads the update, a Remote Access Trojan (RAT) gets installed instead, which lets the hackers remotely control the computer. After they take the files they want, they send ransom notes using Proton Mail.

For staying safe, Mandiant and Google recommend that organisations start using physical security keys, like Titan Security Keys, instead of just text message codes. These use a standard called FIDO2, which is much harder for hackers to crack. Also, they must monitor live chat logs and block suspicious web links that follow the Zendesk pattern. Regularly checking which devices are allowed to log in is another good practice to prevent these hackers from invading the system.

Industry experts’ perspectives

Industry experts shared their thoughts on these findings with Hackread.com. John Watters, CEO at iCOUNTER, believes this represents a major change in how hackers work. Watters stated: “What’s emerging with UNC6783 and the Raccoon persona is not just another social engineering campaign; it’s a deliberate strategy to enter through the ecosystem instead of attacking the enterprise head-on.”

He explained that by targeting live support channels, hackers are exploiting the trust between companies and their partners. Watters added: “Raccoon isn’t attacking companies, it’s attacking the relationships companies rely on to operate. If you’re not defending your ecosystem, you’re leaving the front door open through someone else’s system.”

Mika Aalto, Co-Founder and CEO at Hoxhunt, says that these attackers are using psychological tricks to beat strong security. “Attackers don’t need to hack through security systems when they can persuade people to open the door,” Aalto stated, suggesting that targeting helpdesk teams is very effective because they handle sensitive requests every day.

To stay safe, he recommends training employees with realistic simulations so they can spot suspicious chats and report them as soon as they happen.

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.
View Posts
Leave a Reply

Your email address will not be published. Required fields are marked *