What happened
Claude Code pre-approved huggingface.co as a trusted bare hostname for its WebFetch tool. Because the trust decision was keyed on the hostname alone, every path under that domain, including model repositories that any HuggingFace account holder can create or modify, was fetched automatically with no permission prompt and no content policy check. An attacker who can publish or modify a HuggingFace repository can therefore plant prompt injection instructions in it; Claude Code pulls that content into the developer's agent session without the developer ever seeing a prompt, and the injected text can steer the agent's subsequent actions.
Why it matters
HuggingFace is the primary hub for AI model distribution and hosts millions of public repositories, any of which can be created with a free account. Developers routinely direct Claude Code to fetch model cards and documentation from HuggingFace. This trust misconfiguration turned every public HuggingFace repo into a potential prompt injection vector against Claude Code users: a supply-chain-style attack on the AI coding agent itself, with no compromise of an existing project required.
Attack vector
Attacker publishes a malicious HuggingFace model repository whose model card (the repository README.md) or other files carry prompt injection payloads. Claude Code auto-approves any fetch to huggingface.co without a permission prompt, so the injected content is consumed without the developer seeing it and can redirect agent actions.
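The flaw above is a trust-boundary error rather than a parsing bug: the allowlist granted trust to a host, while the host serves content from two very different principals (the platform operator and arbitrary tenants). The following Python is an added illustration, not Claude Code's own policy code, contrasting a hostname-only allowlist with one scoped to operator-owned path prefixes. It assumes, for the sake of the example, that huggingface.co/docs/ is operator content while huggingface.co/<namespace>/<repo> is tenant content; the host "docs.example.com" and the repository "evil-user/evil-model" are constructed placeholders. It generalises beyond HuggingFace to any multi-tenant host (GitHub is included as a second entry).

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit

# Hosts on which every path is operator-controlled. "docs.example.com" is a
# constructed placeholder for this example.
FIRST_PARTY_HOSTS = {"docs.example.com"}

# Multi-tenant hosts: the operator serves some paths, but any account holder
# can publish under others. Map host -> path prefixes that are operator-owned.
# Assumption for this example: huggingface.co/docs/ is the vendor's own
# documentation, while huggingface.co/<namespace>/<repo> is user-published.
MULTI_TENANT_HOSTS = {
    "huggingface.co": ("/docs/",),
    "github.com": (),          # no operator-owned prefix: every path is a tenant
}


@dataclass
class Decision:
    auto_approve: bool
    reason: str


def vulnerable_policy(url: str) -> Decision:
    """The flawed rule: trust is keyed on the bare hostname alone, so a
    tenant repository inherits the trust meant for the operator's pages."""
    host = urlsplit(url).hostname or ""
    if host in FIRST_PARTY_HOSTS or host in MULTI_TENANT_HOSTS:
        return Decision(True, f"{host} is on the trusted host list")
    return Decision(False, "host not on the list; prompt the user")


def hardened_policy(url: str) -> Decision:
    """Trust is scoped to scheme, host and operator-owned path prefix.
    Anything under a tenant namespace falls through to a permission prompt."""
    parts = urlsplit(url)
    host = parts.hostname or ""          # urlsplit lowercases and strips userinfo
    if parts.scheme != "https":
        return Decision(False, "only https origins may be auto-approved")
    if host in FIRST_PARTY_HOSTS:
        return Decision(True, f"{host} serves operator content only")
    if host in MULTI_TENANT_HOSTS:
        # Decode and normalise before the prefix test so that
        # /docs/../user/repo and /docs/%2e%2e/user/repo cannot masquerade
        # as documentation.
        path = posixpath.normpath(unquote(parts.path or "/"))
        for prefix in MULTI_TENANT_HOSTS[host]:
            if path == prefix.rstrip("/") or path.startswith(prefix):
                return Decision(True, f"{host}{prefix} is operator-owned")
        return Decision(False, f"{host}{path} is tenant-published; prompt the user")
    return Decision(False, "host not on the list; prompt the user")


if __name__ == "__main__":
    # Constructed sample URLs; "evil-user/evil-model" is a hypothetical repository.
    samples = [
        "https://huggingface.co/evil-user/evil-model/raw/main/README.md",
        "https://huggingface.co/docs/transformers/index",
        "https://huggingface.co/docs/%2e%2e/evil-user/evil-model",
        "https://github.com/evil-user/evil-repo",
        "https://docs.example.com/guide",
    ]
    for url in samples:
        v, h = vulnerable_policy(url), hardened_policy(url)
        print(f"{url}\n  vulnerable: {str(v.auto_approve):<5}  "
              f"hardened: {str(h.auto_approve):<5}  ({h.reason})")
```

The point of the hardened version is not the specific prefix list but the shape of the decision: the auto-approve set is defined by who controls the bytes at a URL, not by which DNS name serves them. Even with that in place, anything fetched from a tenant namespace should still reach the model as untrusted data, since an allowlist only decides whether to ask the user, not whether the content is safe to follow.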
Affected systems
Anthropic Claude Code versions 0.2.54 through 2.1.162
Mitigation
Upgrade to Claude Code 2.1.163 or later. Independently of the upgrade, review any fetch-tool allow rules you have added yourself and avoid auto-approving multi-tenant hosts on which arbitrary users can publish content; content fetched from such hosts should be treated as untrusted input to the agent regardless of whether a prompt was shown. Advisory: https://github.com/anthropics/claude-code/security/advisories/GHSA-fg94-h982-f3mm