Security: Claude Code exposed .env with private key via http.server, resulting in $1,324 theft
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Incident Summary
On March 12, 2026 at ~18:00 UTC, Claude Code (VSCode extension, CLAUDE_AGENT_SDK_VERSION=0.2.74) autonomously executed the following command on my server:
cd /root/polymarket && python3 -m http.server 8888 &
This command exposed the entire /root/polymarket directory — including a .env file containing my wallet's private key — to the public internet. Within hours, an automated bot scanned the open port, downloaded the .env file, and stole all funds.
---
Environment
- Extension: Claude Code (VSCode)
CLAUDE_AGENT_SDK_VERSION=0.2.74CLAUDE_CODE_ENTRYPOINT=claude-vscodeCLAUDECODE=1- Server IP: 5.129.238.58
- Date of incident: March 12, 2026
Proof that Claude Code executed the command
The parent process of python3 -m http.server 8888 had the following environment variables:
CLAUDECODE=1CLAUDE_CODE_ENTRYPOINT=claude-vscodeCLAUDE_AGENT_SDK_VERSION=0.2.74
Shell snapshot file timestamp confirms launch time: 2026-03-12 18:00:00 UTC.
---
Affected Wallets
- EOA wallet:
0x2D91Ef3Bc21dECe6f6Ec8B851356EF99F38BB7A5 - Polymarket Safe proxy:
0x0608a5751d9a5F63F0aB137393d25CA56c6711AB
---
Theft Transactions (March 13, 2026 — Polygon network)
Primary theft — $1,113
1,113.01 USDC.e withdrawn from Polymarket Safe via Relay bridge. Attacker called execTransaction signed with the stolen private key.
- TX: https://polygonscan.com/tx/0xe67235ec592dbacc31b6a00010eca1455dc1389ceeedde121549acfca755fbee
- Attacker executor:
0x714d785Af4290fae6CF8c6bF2BE6B4aF946f4d5F
Additional thefts — $211
- 209.83 USDC →
0xac65284d38966b352d8e6bb44b74e92a923be19c
TX: https://polygonscan.com/tx/0x4693250cc92aa5ba7dcd5f25efdbde6ab19d4d69295c9c15896410488e3a48c2
- 1.04 USDC → Binance deposit
0x4a88338661d2b94100166ebdeb51b8b7386cd255
TX: https://polygonscan.com/tx/0x4946c2a03878fc2477bb89e6a3b033cd8349021b088520ae774a49a13f133de3
- 0.398 POL → Binance deposit
0x4a88338661d2b94100166ebdeb51b8b7386cd255
TX: https://polygonscan.com/tx/0x82f09196a114ad07ee533747f0203c597b2b43f689202ad17ee03bee4c1b606f
Total stolen: ~$1,324 USD
---
Attacker Addresses
- Executor:
0x714d785Af4290fae6CF8c6bF2BE6B4aF946f4d5F - Intermediate wallet:
0xac65284d38966b352d8e6bb44b74e92a923be19c - Binance deposit:
0x4a88338661d2b94100166ebdeb51b8b7386cd255 - Scanner IP:
68.183.16.131(s9.internetresearch.center, DigitalOcean)
---
Root Cause / Bug
Claude Code should never execute python3 -m http.server (or any equivalent command that exposes the local filesystem to the internet) without:
- An explicit, prominent security warning clearly stating that this will expose files publicly
- Explicit user confirmation before execution
The .env file in the exposed directory contained a private key. The behavior of serving a directory publicly is inherently dangerous and must require user consent.
---
Request
- Acknowledge this as a security vulnerability / unsafe behavior in Claude Code
- Investigate whether similar incidents have affected other users
- Compensate the ~$1,324 USD financial loss caused directly by the agent's autonomous action
Contact: Andrei — dykalis91@gmail.com
What Should Happen?
Claude Code should either refuse to run python3 -m http.server (or any command that exposes the filesystem publicly), OR display a clear security warning and require explicit user confirmation before executing it. Under no circumstances should the agent silently expose private files to the internet.
Error Messages/Logs
Theft TX hashes (Polygon):
1. 0x4693250cc92aa5ba7dcd5f25efdbde6ab19d4d69295c9c15896410488e3a48c2
2. 0x4946c2a03878fc2477bb89e6a3b033cd8349021b088520ae774a49a13f133de3
3. 0x82f09196a114ad07ee533747f0203c597b2b43f689202ad17ee03bee4c1b606f
Attacker IP: 68.183.16.131
Victim wallet: 0x2D91Ef3Bc21dECe6f6Ec8B851356EF99F38BB7A5
Server: 5.129.238.58
Command run by agent: cd /root/polymarket && python3 -m http.server 8888 &
Steps to Reproduce
This is not a reproducible code bug — this is a security incident caused by the agent autonomously running python3 -m http.server.
Steps that led to the incident:
- User was working with Claude Code (VSCode extension) on a project in
/root/polymarket - Claude Code autonomously executed:
cd /root/polymarket && python3 -m http.server 8888 & - This exposed all files in the directory (including
.envwith private key) to the public internet on port 8888 - Within hours, bot scanner at 68.183.16.131 downloaded the
.envfile - Attacker extracted private key and drained the wallet on Polygon network (13 March 2026)
Claude Model
None
Is this a regression?
I don't know
Last Working Version
_No response_
Claude Code Version
CLAUDE_AGENT_SDK_VERSION=0.2.74 (VSCode extension)
Platform
Other
Operating System
Other Linux
Terminal/Shell
VS Code integrated terminal
Additional Information
_No response_
This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗