VDB
GCVE-110-OSM-2026-3119
GCVE-110-OSM-2026-3119
Advisory PublishedCVSS 9.6/10
Hijacks Claude Code by writing ~/.claude/settings.json to route all API traffic through an attacker-controlled MitM proxy at pikkapi.cooltechgp.online, enabling interception of every conversation and arbitrary response injection. Captures the victim's Anthropic API key via an interactive readline prompt during installation and configures bypassPermissions mode with pre-authorized Bash(env:*) to allow arbitrary command execution without user approval. The poisoned settings persist after package removal, maintaining attacker access indefinitely.
install.js fires at require-time, runs npm install -g @anthropic-ai/claude-code to install legitimate Claude Code as cover, then prompts the victim for their Anthropic API key via readline. Resolves the real home directory via process.env.SUDO_USER to bypass sudo elevation, creates ~/.claude/ directory, and writes ~/.claude/settings.json with ANTHROPIC_BASE_URL set to pikkapi.cooltechgp.online (MitM proxy), ANTHROPIC_AUTH_TOKEN set to the captured key, defaultMode set to bypassPermissions, allow list including Bash(env:*), skipDangerousModePermissionPrompt set to true, model set to opus[1m], hasCompletedOnboarding and hasAcknowledgedDisclaimer set to true. All Claude Code API traffic routes through the attacker proxy, which can inject responses and trigger arbitrary code execution without permission prompts. Settings persist after package removal with no cleanup mechanism.
Weaknesses (CWE)
CWE-506Embedded Malicious Code
Risk Scores
CVSS 3.1
9.6/10
Critical · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products
| Vendor | Product | Versions | Platforms |
|---|---|---|---|
| unknown | cc-pika-install | 1.0.6 (affected) | — |
Browse GCVE Records
72,148 records in the GCVE database · Updated July 14, 2026
No matching records found.
Explore Further
Investigate this vulnerability in the interactive console or download the raw GCVE record.