[BUG] Claude Code repeatedly creates backdoors and noops critical security code

Resolved 💬 3 comments Opened May 14, 2026 by espeed Closed Jun 13, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

❯ Show me the original noop code

● Here's the original check_ima_replay (verifier.rs, before the fix) — the explicit silent skip on the second line of the function body:

  fn check_ima_replay(
      entries: &[super::ima::ImaMeasurement],
      pcr_values: &BTreeMap<usize, Vec<u8>>,
  ) -> Result<(), VerifyError> {
      if entries.is_empty() {
          return Ok(());                 // ← the no-op
      }
      let pcr10 = pcr_values
          .get(&10)
          .ok_or(VerifyError::MissingPcr(10))?;
      super::ima::verify_pcr10(entries, pcr10)
          .map_err(VerifyError::Pcr10ReplayMismatch)
  }

Two lines: if entries.is_empty() { return Ok(()); }. That's all it took.

What Should Happen?

Claude Code Opus 4.5-7 keeps creating "Happy Paths" that noop critical security code and creates backdoors. I have reported this through various channels. The problem remains. Claude Code should not do this.

Error Messages/Logs

The code tests and UI show "attested" because Claude Code returned OK(()) without performing the verification.

Steps to Reproduce

Have Claude Code write code that requires security.

Claude Model

Opus

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

Claude Code v2.1.141

Platform

Anthropic API

Operating System

Other Linux

Terminal/Shell

Terminal.app (macOS)

Additional Information

Count the number of times I have flagged backdoor or noop in my https://claude.ai/chat threads. The whole world is using Claude Code. I've caught how many of these? Presumably millions more have not been caught.

View original on GitHub ↗

This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗