Security: ~/.claude/CLAUDE.md is writable by any user-level process, enabling persistent prompt injection

Resolved 💬 4 comments Opened Jan 29, 2026 by dss99911 Closed Mar 1, 2026

Summary

The global ~/.claude/CLAUDE.md file is automatically loaded into every Claude Code session, but it resides in an unprotected directory that any process running under the user account can modify. This creates a persistent prompt injection vector.

Attack Scenario

  1. A malicious script (e.g., npm postinstall, brew formula, downloaded shell script) runs under the user account
  2. It writes or appends malicious instructions to ~/.claude/CLAUDE.md
  3. Every subsequent Claude Code session loads these instructions automatically
  4. The injected prompt could instruct Claude to exfiltrate secrets, insert backdoors, or weaken security practices

Why This Is Concerning

macOS TCC Protection Gap

On macOS, directories like ~/Documents and ~/Desktop are protected by TCC (Transparency, Consent, and Control) — apps need explicit user permission to access them. A security-conscious user may run Claude Code from these protected directories.

However, ~/.claude/ sits in the home directory root, which is not protected by TCC. This means:

  • The project CLAUDE.md in ~/Documents/project/ is protected from unauthorized access
  • But ~/.claude/CLAUDE.md is freely accessible to any process running as the user

Global Scope Amplifies Risk

Unlike a project-level CLAUDE.md that only affects one repository, ~/.claude/CLAUDE.md affects all Claude Code sessions across all projects. A single injection compromises every workspace.

Low Detectability

Users are unlikely to regularly audit ~/.claude/CLAUDE.md for unauthorized modifications. The malicious content could persist indefinitely.

Suggested Mitigations

  1. Option to disable global CLAUDE.md loading — Allow users to opt out of loading ~/.claude/CLAUDE.md or parent directory CLAUDE.md files (e.g., via a CLI flag or settings option)
  2. Integrity verification — Warn users when ~/.claude/CLAUDE.md has been modified since the last session
  3. File permission hardening — Create ~/.claude/CLAUDE.md with restrictive permissions (e.g., 600) and warn if permissions are too open
  4. Display loaded CLAUDE.md sources — Show which CLAUDE.md files are being loaded at session start, so users can verify

Environment

  • OS: macOS (with TCC protections)
  • Claude Code: latest version

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗