What happened
Claude Code versions 2.1.38 through 2.1.162 allowed creation of git worktrees named '.git' and navigation to worktrees outside the sandbox context, enabling git directory confusion attacks. A malicious repository can combine prompt injection in CLAUDE.md with attacker-controlled git configuration so that worktree operations trigger core.fsmonitor command execution, follow symlinks into the user's home directory, and overwrite shell startup files such as ~/.zshenv. Because zsh sources those files before macOS seatbelt restrictions apply to Bash tool payloads, attacker code runs outside the sandbox even when sandbox mode is fully enabled. The fix rejects '.git' as a valid worktree name.
Why it matters
This is a prompt-injection-to-sandbox-escape chain: a developer who clones a malicious repo and runs Claude Code against it can have their host system fully compromised. The attack bypasses both read-only permission mode and the full macOS seatbelt sandbox, giving an attacker persistent shell-startup-file control on the developer's machine. Claude Code is deployed across thousands of enterprise developer workstations, making this a high-blast-radius supply-chain risk.
Attack vector
Attacker plants a malicious CLAUDE.md (prompt injection) and crafted git config in a repository; when the developer runs Claude Code against it, worktree operations trigger core.fsmonitor execution, symlink traversal into the home directory, and overwrite of ~/.zshenv, executing code outside the sandbox.
Affected systems
@anthropic-ai/claude-code 2.1.38 – 2.1.162
Mitigation
Upgrade to @anthropic-ai/claude-code ≥ 2.1.163. Auto-update users received the fix automatically. Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-7835-87q9-rgvv