Skip to content

Add hook hijacking detection for Claude Code (CVE-2025-59536)#64

Merged
debu-sinha merged 4 commits into
mainfrom
feature/hook-hijacking
Apr 1, 2026
Merged

Add hook hijacking detection for Claude Code (CVE-2025-59536)#64
debu-sinha merged 4 commits into
mainfrom
feature/hook-hijacking

Conversation

@debu-sinha
Copy link
Copy Markdown
Owner

@debu-sinha debu-sinha commented Mar 31, 2026

Closes #56

What changed

Added hook hijacking detection to the installation scanner. Detects malicious hooks in .claude/settings.json, .claude/settings.local.json, and .claude/hooks/ directory.

New checks

  • CHK-001: Project-level security overrides (bypassPermissions, dangerouslyDisableSandbox, autoApprove)
  • CHK-002: Unrestricted Bash wildcard permissions in project settings
  • CHK-003: Hooks with network exfiltration commands (curl, wget, nc, requests)
  • CHK-004: Hooks reading sensitive files or environment variables
  • CHK-005: Hooks modifying security configuration (CVE-2025-53773 pattern)

OWASP mapping

  • ASI01 (Goal Hijack): hooks executing attacker commands
  • ASI02 (Excessive Agency): unrestricted Bash permissions
  • ASI05 (Privilege Compromise): credential access from hooks
  • ASI06 (Memory Manipulation): security config tampering

Testing

Tested against a malicious fixture with:

  • PreToolUse hook with curl + SSH key exfiltration
  • PostToolUse hook with nc + env var exfiltration
  • Hook script with curl + SSH key theft
  • bypassPermissions override in project settings
  • Bash(*) wildcard permission

Result: 4 CRITICAL + 4 HIGH findings detected. Security grade F (12/100).

@debu-sinha
Add hook hijacking detection for Claude Code (CVE-2025-59536)
5988399 
Detect malicious hooks in .claude/settings.json and .claude/hooks/
that execute network commands, read sensitive files, or tamper with
security settings. Checks for project-level security overrides
(bypassPermissions, autoApprove) and unrestricted Bash permissions.

5 new checks: CHK-001 through CHK-005.
Maps to OWASP ASI01 (Hijack), ASI02 (Agency), ASI05 (Secrets), ASI06 (Memory).

Signed-off-by: debu-sinha <debusinha2009@gmail.com>
github-advanced-security[bot]
github-advanced-security AI found potential problems Mar 31, 2026
View reviewed changes
Comment thread src/agentsec/scanners/installation.py
),
)
)
except (json.JSONDecodeError, OSError):

Check notice

Code scanning / CodeQL

Empty except Note

'except' clause does nothing but pass and there is no explanatory comment.

Copilot Autofix

AI 2 months ago

In general, an empty except should either (a) handle the error in a meaningful way (e.g., logging, fallback behavior, metrics) or (b) narrow the caught exception and re-raise if it cannot be safely ignored. Here, the scanner should not crash if a single settings file is unreadable, but it also should not fail silently.

Best minimal fix without changing existing functionality: keep the behavior of “no findings if the file is unreadable/unparsable”, but add a log entry inside the except block explaining that the project settings at project_settings could not be processed and why. We already have a logger defined at the top of the file, so we can reuse it without new imports. We should log at warning (or possibly debug); given this is an unexpected I/O/JSON failure on a security config, warning is reasonable and visible but not fatal.

Concretely, in src/agentsec/scanners/installation.py, in the _scan_hook_hijacking method region around lines 2156–2216, replace:

            except (json.JSONDecodeError, OSError):
                pass

with something like:

            except (json.JSONDecodeError, OSError) as exc:
                logger.warning(
                    "Failed to read or parse project settings at %s: %s",
                    project_settings,
                    exc,
                )

This maintains flow (no exception is propagated) but removes the empty except and improves diagnosability.

Suggested changeset 1
src/agentsec/scanners/installation.py

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/src/agentsec/scanners/installation.py b/src/agentsec/scanners/installation.py
--- a/src/agentsec/scanners/installation.py
+++ b/src/agentsec/scanners/installation.py
@@ -2212,8 +2212,12 @@
                             ),
                         )
                     )
-            except (json.JSONDecodeError, OSError):
-                pass
+            except (json.JSONDecodeError, OSError) as exc:
+                logger.warning(
+                    "Failed to read or parse project settings at %s: %s",
+                    project_settings,
+                    exc,
+                )
 
         return findings
 
EOF
@@ -2212,8 +2212,12 @@
),
)
)
except (json.JSONDecodeError, OSError):
pass
except (json.JSONDecodeError, OSError) as exc:
logger.warning(
"Failed to read or parse project settings at %s: %s",
project_settings,
exc,
)

return findings

Copilot is powered by AI and may make mistakes. Always verify output.
@debu-sinha
Fix lint: shorten long lines in remediation steps
2a54ccf 
Signed-off-by: debu-sinha <debusinha2009@gmail.com>
@debu-sinha
Format verifier.py (pre-existing lint issue)
33b870a 
Signed-off-by: debu-sinha <debusinha2009@gmail.com>
@debu-sinha
Fix pre-existing mypy errors in verifier, baseline, policy, cli
da166e8 
Signed-off-by: debu-sinha <debusinha2009@gmail.com>
@debu-sinha debu-sinha merged commit 7d4c89a into main Apr 1, 2026
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Hook hijacking detection for Claude Code and OpenClaw

2 participants

@debu-sinha @github-advanced-security