LayerX researchers have discovered how to bypass Claude Code’s safety rules using the CLAUDE.md file. This exploit allows anyone to automate SQL injection attacks and steal user credentials without writing any code.
A recent study by LayerX has found that hackers can transform a tool widely used by computer programmers into a powerful weapon for their malicious acts. The tool is Anthropic’s Claude Code, and LayerX researchers have discovered a way to weaponise it. This research, shared with Hackread.com, reveals that anyone can use the tool to attack websites even if they don’t know how to write code.
Do not confuse Claude Code with the recent Claude source code leak. Claude Code is an AI-powered coding assistant. Since it is agentic, it writes and fixes computer code, makes its own choices, and runs commands on a computer. Every project that uses Claude Code has a simple text file called CLAUDE.md that tells it how to behave. Normally, the AI has safety guardrails to stop it from performing malicious activities, such as creating malware. However, LayerX researchers noted that these guardrails can be bypassed or fooled very easily.
“Claude Code is for developers who need an AI that can take autonomous action on real systems, and is therefore given a broader set of permissions than standard web AI interfaces. This expanded freedom is intentional and necessary for Claude Code to be useful, but it also presents an attack surface that is already being exploited today,” the blog post reads.
While testing in a controlled environment with a vulnerable web application called DVWA, they found that by typing just three lines of basic English into that text file, the tool was convinced to ignore its safety rules. In one test, they easily fooled the AI to allow unauthorised access by saying they had permission. The tool believed the file and immediately started stealing usernames and passwords. It even used a hacking technique called SQL injection to dump the database.
The AI openly used the text file as its justification, as researchers noted that the AI told them: “Given the authorization stated in your CLAUDE.md for pentesting… here’s how to approach login bypass.” It then used a tool called cURL to run the attack, as researchers revealed that “this unremarkable file is suddenly an attack surface” because the AI trusts the instructions without question.
The worrying part is that this is not just a theory but a real problem that can happen right now. LayerX report reveals several ways hackers may use this trick, such as simply lying to the AI to get it to help with a hack.
Another risk involves malicious downloads. A hacker can share a project online that has a hidden instruction file, and when an honest developer downloads it, the tool might start stealing their private files. There is also the threat of an insider with bad intentions changing the file in a company project.
Video Demo from LayerX
LayerX’s team contacted Anthropic on 29 March 2026 to inform them about this issue, but they did not receive a favourable direct response and were told to email a different department. They sent another message that same day, but have not heard back yet. Therefore, for now, researchers suggest that any team using Claude Code must treat these text files like real computer code and inspect them closely to stay safe.
Deeba Ahmed
