Attention Claude Code Users: Important Security Update Alert!
A flaw in earlier versions of Claude Code, Anthropic's command-line coding tool, put its users at risk. Imagine your front door being unlocked while you're still deciding whether or not to let someone in: code from a project could run before you had been asked whether you trust that project at all.
What Happened?
Before version 1.0.39, Claude Code executed yarn --version in the working directory before the user had been asked whether to trust that directory. Yarn 2.0 and later (Yarn Berry) reads .yarnrc.yml from the current project and loads every plugin listed there on any invocation, including yarn --version; a plugin is ordinary JavaScript, so a project prepared by an attacker could run arbitrary code on your machine the moment Claude Code was opened in it, with no prompt and no way to decline. Anything such code did (reading files, sending data, modifying your environment) happened with your privileges and without your approval.
Who Is At Risk?
The vulnerability primarily affects users of Claude Code who use Yarn 2.0 and above. Here’s a quick checklist:
- Users running Yarn versions 2.0+ (Yarn Berry; Yarn Classic 1.x does not load project plugins this way).
- Anyone working in untrusted directories (folders that may contain unknown or unsafe files).
- Users who have not updated to Claude Code version 1.0.39 or later.
If you are not on Yarn Classic, it’s crucial to act quickly to protect your coding projects!
How to Stay Safe
To ensure you’re not exposed to this security risk, take the following steps immediately:
- Update to Claude Code version 1.0.39 or later.
  - If you have the auto-update feature on, you should already have the fix; run claude --version to confirm the installed version is 1.0.39 or higher.
  - For manual updates, check the settings in your Claude Code app and download the latest version if necessary.
- Verify your Yarn version.
  - Run yarn --version in your terminal to check which version you are using. Do this from a directory you trust (your home directory, for example), not from inside an untrusted checkout: the version check is exactly the command that loads project plugins.
  - If it reports 2.0 or higher, make sure you are on the recommended Claude Code version before opening any untrusted project.
- Be cautious with untrusted directories.
  - Only work in folders you trust. Before running any yarn command in a folder you did not create, look at its .yarnrc.yml and .yarn/plugins directory, since those are what Yarn 2+ will execute.
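The mechanism described under "What Happened?" and the "untrusted directories" advice above can be turned into a pre-flight check. The script below is an added example, not code from the advisory or from Claude Code or Yarn: it inspects a directory's Yarn 2+ configuration for project-local settings that would make yarn execute code (plugins: entries, a yarnPath: override, and vendored files under .yarn/plugins) without invoking yarn itself, which is the point, since yarn --version is what triggers the plugin load. The sample project it builds in a temporary directory is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not part of the advisory): run this from a directory you trust,
# BEFORE any yarn command touches an untrusted checkout. Yarn 2+ reads .yarnrc.yml
# from the project and loads each "plugins:" entry as JavaScript on every
# invocation, including `yarn --version`, so the check only greps config files
# and never calls yarn.

# check_yarn_plugins DIR
# Prints each project-local setting that would make yarn execute code from DIR.
# Returns 0 if nothing is found, 1 otherwise. Heuristic: a hand-crafted YAML
# layout could evade the grep, so treat a clean result as "nothing obvious".
check_yarn_plugins() {
    dir="${1:-.}"
    hits=0
    rc="$dir/.yarnrc.yml"
    if [ -f "$rc" ]; then
        # "plugins:" lists plugin files (or objects with "path:") that yarn requires.
        if grep -Eq '^[[:space:]]*plugins:' "$rc"; then
            echo "WARN: $rc declares plugins:"
            grep -En '^[[:space:]]*(- |path:)' "$rc"
            hits=$((hits + 1))
        fi
        # "yarnPath:" makes the yarn launcher execute the named file as yarn itself.
        if grep -Eq '^[[:space:]]*yarnPath:' "$rc"; then
            echo "WARN: $rc sets yarnPath:"
            grep -En '^[[:space:]]*yarnPath:' "$rc"
            hits=$((hits + 1))
        fi
    fi
    # Plugins are normally vendored under .yarn/plugins; list them even if the
    # YAML is obfuscated or spread across folded lines.
    if [ -d "$dir/.yarn/plugins" ]; then
        for f in "$dir"/.yarn/plugins/*; do
            [ -e "$f" ] || continue
            echo "WARN: vendored plugin file: $f"
            hits=$((hits + 1))
        done
    fi
    [ "$hits" -eq 0 ]
}

# Constructed demonstration input (not a real repository): one checkout that
# pins a plugin and one that only sets the linker.
demo="$(mktemp -d)"
mkdir -p "$demo/evil/.yarn/plugins" "$demo/clean"
cat > "$demo/evil/.yarnrc.yml" <<'EOF'
nodeLinker: node-modules
plugins:
  - path: .yarn/plugins/@yarnpkg/plugin-hello.cjs
    spec: "@yarnpkg/plugin-hello"
EOF
: > "$demo/evil/.yarn/plugins/plugin-hello.cjs"
printf 'nodeLinker: node-modules\n' > "$demo/clean/.yarnrc.yml"

if check_yarn_plugins "$demo/evil"; then
    echo "evil: no plugin configuration found (unexpected)"
else
    echo "evil: refuse to run yarn here until the plugin files are reviewed"
fi
check_yarn_plugins "$demo/clean" && echo "clean: nothing obvious, yarn --version is reasonable here"
rm -rf "$demo"
```

Use it as a gate, not a guarantee: a non-zero exit means read the listed files before running anything, and a zero exit means only that the common injection points are empty. The check deliberately avoids yarn, node, and any tool that might itself honour project configuration, because the lesson of this bug is that "harmless" version probes are not harmless inside an untrusted tree.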
Acting quickly is essential to keep your projects safe from potential threats!
A big thank you to the researcher who reported this issue — you help make our tech world safer.