Vulnerability  ·  2026-06-24

Claude Code Out-of-Band Data Exfiltration via Pre-Approved HuggingFace Domain in WebFetch

Vulnerability · Medium impact · Global · CVE-2026-54316
In Claude Code 0.2.54 through 2.1.162, the hostname huggingface.co was globally pre-approved for the WebFetch tool as a bare hostname, meaning any path on that domain — including attacker-controlled model repositories — was auto-approved without a permission prompt or --allowedTools restriction. An attacker who can inject content into a Claude Code context (e.g. via prompt injection in a code file or repo) can direct Claude Code to fetch attacker-controlled HuggingFace repo files, creating a covert out-of-band channel to exfiltrate files, environment variables, and command output. CVSS 6.0 Medium confirmed via GitLab advisory database.
This is a novel prompt-injection-to-exfiltration chain specific to AI coding agents: injected content in any file Claude Code reads can silently exfiltrate secrets to an attacker's HuggingFace repo (tracked as download events server-side). No user interaction is required beyond Claude Code reading a compromised file in the working directory.
Attack vector: a prompt-injection payload placed in any file Claude Code will read (e.g. a source file, README or config) directs WebFetch to an attacker-controlled huggingface.co path, exfiltrating environment variables or files via URL parameters that are counted as HuggingFace download events.
Affected versions: Claude Code (npm @anthropic-ai/claude-code) 0.2.54 through 2.1.162.
Remediation: upgrade to Claude Code 2.1.163 or later. Auto-updated users are already patched. Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-fg94-h982-f3mm
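A small added helper (not part of the advisory or of Anthropic's code) that checks whether an installed Claude Code version falls inside the affected range stated above, using tuple comparison rather than string comparison so that e.g. 2.1.9 is correctly placed below 2.1.162. The `claude --version` invocation and its output format are assumptions; the helper only needs a dotted X.Y.Z triple to appear somewhere in the text.

```python
import re
import shutil
import subprocess
from typing import Optional, Tuple

# Affected range and fix version as stated in the advisory (CVE-2026-54316).
FIRST_AFFECTED = (0, 2, 54)
LAST_AFFECTED = (2, 1, 162)
FIXED = (2, 1, 163)

_SEMVER = re.compile(r"(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Optional[Tuple[int, int, int]]:
    """Pull the first X.Y.Z triple out of free-form text, e.g. the output of
    `claude --version` or `npm ls -g @anthropic-ai/claude-code`.
    (Assumption: those commands print a dotted version triple somewhere.)"""
    m = _SEMVER.search(text)
    if not m:
        return None
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_affected(version: Tuple[int, int, int]) -> bool:
    """True when the version is inside the advisory's inclusive range.
    Tuple comparison is element-wise, so (2, 1, 9) < (2, 1, 162) holds,
    which a plain string comparison would get wrong."""
    return FIRST_AFFECTED <= version <= LAST_AFFECTED


def assess(text: str) -> str:
    """Classify a version string: 'unknown', 'affected', 'patched' or
    'not affected' (older than the first vulnerable release)."""
    v = parse_version(text)
    if v is None:
        return "unknown"
    if v >= FIXED:
        return "patched"
    return "affected" if is_affected(v) else "not affected"


if __name__ == "__main__":
    # Query the locally installed CLI if present (binary name 'claude' assumed).
    if shutil.which("claude"):
        out = subprocess.run(["claude", "--version"], capture_output=True, text=True).stdout
        print(f"{out.strip()!r}: {assess(out)}")
    else:
        print("claude CLI not found on PATH")
```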
Sources
NVD CVE-2026-54316
GitLab Advisory Database CVE-2026-54316 (full text verified)
GitHub Advisory GHSA-fg94-h982-f3mm