Security: Claude Code exposed .env with private key via http.server, resulting in $1,324 theft

Resolved 💬 5 comments Opened Mar 13, 2026 by dykalis91 Closed Apr 16, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

Incident Summary

On March 12, 2026 at ~18:00 UTC, Claude Code (VSCode extension, CLAUDE_AGENT_SDK_VERSION=0.2.74) autonomously executed the following command on my server:

cd /root/polymarket && python3 -m http.server 8888 &

This command exposed the entire /root/polymarket directory — including a .env file containing my wallet's private key — to the public internet. Within hours, an automated bot scanned the open port, downloaded the .env file, and stole all funds.

---

Environment

  • Extension: Claude Code (VSCode)
  • CLAUDE_AGENT_SDK_VERSION=0.2.74
  • CLAUDE_CODE_ENTRYPOINT=claude-vscode
  • CLAUDECODE=1
  • Server IP: 5.129.238.58
  • Date of incident: March 12, 2026

Proof that Claude Code executed the command

The parent process of python3 -m http.server 8888 had the following environment variables:

  • CLAUDECODE=1
  • CLAUDE_CODE_ENTRYPOINT=claude-vscode
  • CLAUDE_AGENT_SDK_VERSION=0.2.74

Shell snapshot file timestamp confirms launch time: 2026-03-12 18:00:00 UTC.

---

Affected Wallets

  • EOA wallet: 0x2D91Ef3Bc21dECe6f6Ec8B851356EF99F38BB7A5
  • Polymarket Safe proxy: 0x0608a5751d9a5F63F0aB137393d25CA56c6711AB

---

Theft Transactions (March 13, 2026 — Polygon network)

Primary theft — $1,113

1,113.01 USDC.e withdrawn from Polymarket Safe via Relay bridge. Attacker called execTransaction signed with the stolen private key.

Additional thefts — $211

  1. 209.83 USDC0xac65284d38966b352d8e6bb44b74e92a923be19c

TX: https://polygonscan.com/tx/0x4693250cc92aa5ba7dcd5f25efdbde6ab19d4d69295c9c15896410488e3a48c2

  1. 1.04 USDC → Binance deposit 0x4a88338661d2b94100166ebdeb51b8b7386cd255

TX: https://polygonscan.com/tx/0x4946c2a03878fc2477bb89e6a3b033cd8349021b088520ae774a49a13f133de3

  1. 0.398 POL → Binance deposit 0x4a88338661d2b94100166ebdeb51b8b7386cd255

TX: https://polygonscan.com/tx/0x82f09196a114ad07ee533747f0203c597b2b43f689202ad17ee03bee4c1b606f

Total stolen: ~$1,324 USD

---

Attacker Addresses

  • Executor: 0x714d785Af4290fae6CF8c6bF2BE6B4aF946f4d5F
  • Intermediate wallet: 0xac65284d38966b352d8e6bb44b74e92a923be19c
  • Binance deposit: 0x4a88338661d2b94100166ebdeb51b8b7386cd255
  • Scanner IP: 68.183.16.131 (s9.internetresearch.center, DigitalOcean)

---

Root Cause / Bug

Claude Code should never execute python3 -m http.server (or any equivalent command that exposes the local filesystem to the internet) without:

  1. An explicit, prominent security warning clearly stating that this will expose files publicly
  2. Explicit user confirmation before execution

The .env file in the exposed directory contained a private key. The behavior of serving a directory publicly is inherently dangerous and must require user consent.

---

Request

  1. Acknowledge this as a security vulnerability / unsafe behavior in Claude Code
  2. Investigate whether similar incidents have affected other users
  3. Compensate the ~$1,324 USD financial loss caused directly by the agent's autonomous action

Contact: Andrei — dykalis91@gmail.com

What Should Happen?

Claude Code should either refuse to run python3 -m http.server (or any command that exposes the filesystem publicly), OR display a clear security warning and require explicit user confirmation before executing it. Under no circumstances should the agent silently expose private files to the internet.

Error Messages/Logs

Theft TX hashes (Polygon):
1. 0x4693250cc92aa5ba7dcd5f25efdbde6ab19d4d69295c9c15896410488e3a48c2
2. 0x4946c2a03878fc2477bb89e6a3b033cd8349021b088520ae774a49a13f133de3
3. 0x82f09196a114ad07ee533747f0203c597b2b43f689202ad17ee03bee4c1b606f

Attacker IP: 68.183.16.131
Victim wallet: 0x2D91Ef3Bc21dECe6f6Ec8B851356EF99F38BB7A5
Server: 5.129.238.58
Command run by agent: cd /root/polymarket && python3 -m http.server 8888 &

Steps to Reproduce

This is not a reproducible code bug — this is a security incident caused by the agent autonomously running python3 -m http.server.

Steps that led to the incident:

  1. User was working with Claude Code (VSCode extension) on a project in /root/polymarket
  2. Claude Code autonomously executed: cd /root/polymarket && python3 -m http.server 8888 &
  3. This exposed all files in the directory (including .env with private key) to the public internet on port 8888
  4. Within hours, bot scanner at 68.183.16.131 downloaded the .env file
  5. Attacker extracted private key and drained the wallet on Polygon network (13 March 2026)

Claude Model

None

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

CLAUDE_AGENT_SDK_VERSION=0.2.74 (VSCode extension)

Platform

Other

Operating System

Other Linux

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗

This issue has 5 comments on GitHub. Read the full discussion on GitHub ↗