Claude Code Now Prompts Before Writing Shell Startup and Build-Tool Config Files
Claude Code v2.1.160 adds a confirmation prompt before writing to shell startup files such as .zshenv, .zlogin, and .bash_login, as well as to ~/.config/git/. In acceptEdits mode, Claude Code now also prompts before writing build-tool configuration files including .npmrc, .yarnrc*, bunfig.toml, .bazelrc, .pre-commit-config.yaml, and .devcontainer/ directories. These protections address a class of supply-chain attack vectors where malicious project configurations could trigger unintended command execution by writing to files that run on shell or build-tool initialization.
Sources & Mentions
- Check Point Research: RCE and API Token Exfiltration Through Claude Code Project Files (Check Point Research)
- Claude Code Flaws Allow Remote Code Execution and API Key Exfiltration
- Claude Code Security: Top 6 Risks, Controls, and Best Practices (Checkmarx)
- Releases - anthropics/claude-code (GitHub)
- Claude Code Docs: Security
A New Security Guardrail for High-Risk File Writes
Claude Code v2.1.160 introduces targeted confirmation prompts before writing to a specific category of files that carry elevated risk: shell startup files and build-tool configuration files. This change adds friction at exactly the point where an unguarded write could cause the most harm: files that execute automatically when a shell or build system initializes.
Shell Startup Files Now Require Explicit Confirmation
Starting with v2.1.160, Claude Code pauses and prompts the user before writing to any of the following shell initialization files:
- .zshenv and .zlogin (Zsh)
- .bash_login (Bash)
- ~/.config/git/ (Git global configuration)
These files are sourced automatically by the shell on every new session, which means that a write to .zshenv, for example, could introduce a command that runs silently every time a terminal opens. By requiring an explicit confirmation before these writes proceed, Claude Code gives users the opportunity to review what is being written before it can affect their environment.
Build-Tool Config Files Guarded in acceptEdits Mode
The acceptEdits permission mode allows Claude Code to apply file edits without prompting on each individual change, a useful setting for trusting Claude with iterative refactoring work. In v2.1.160, however, acceptEdits now carves out an exception for a set of build-tool configuration files that can grant code execution:
- .npmrc and .yarnrc* (npm and Yarn package manager configuration)
- bunfig.toml (Bun package manager configuration)
- .bazelrc (Bazel build configuration)
- .pre-commit-config.yaml (pre-commit hooks configuration)
- .devcontainer/ directory (development container configuration)
Before any of these files are written, Claude Code will prompt even in acceptEdits mode. This reflects the fact that a malicious or mistaken write to .npmrc could redirect package installations to a malicious registry, or a change to .pre-commit-config.yaml could cause arbitrary scripts to run on every commit.
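The following Python example is added here and is not taken from Claude Code's source; it classifies a write target against the two lists above so the edge cases a path guard has to handle are visible. The function names classify and auto_approve_in_accept_edits, and the matching rules (basename matching in any directory, case folding, lexical normalization without symlink resolution), are assumptions.

```python
import fnmatch
import posixpath

# File names come from the article's lists; the matching rules are assumptions.
SHELL_STARTUP = {".zshenv", ".zlogin", ".bash_login"}
BUILD_TOOL = [".npmrc", ".yarnrc*", "bunfig.toml", ".bazelrc",
              ".pre-commit-config.yaml"]


def _parts(path):
    """Split a POSIX path into lower-cased components."""
    return [p.lower() for p in path.split("/") if p]


def classify(path, cwd, home):
    """Return the guarded category for a write target, or None if unguarded."""
    if path == "~" or path.startswith("~/"):
        path = home + path[1:]
    # Collapse relative segments so "src/../.npmrc" cannot dodge the check.
    # This is lexical only: a real guard would also need to resolve symlinks.
    full = posixpath.normpath(posixpath.join(cwd, path))
    # Fold case: on case-insensitive filesystems ".NPMRC" is the same file.
    parts = _parts(full)
    name = parts[-1] if parts else ""
    git_dir = _parts(posixpath.join(home, ".config/git"))

    if parts[:len(git_dir)] == git_dir:
        return "git-global-config"
    if name in SHELL_STARTUP:
        return "shell-startup"
    if ".devcontainer" in parts:          # the directory or anything below it
        return "build-tool-config"
    if any(fnmatch.fnmatchcase(name, pat) for pat in BUILD_TOOL):
        return "build-tool-config"
    return None


def auto_approve_in_accept_edits(path, cwd, home):
    """acceptEdits-style decision: True = write silently, False = prompt."""
    return classify(path, cwd, home) is None


if __name__ == "__main__":
    # Constructed sample paths, not taken from any real session.
    for p in ["src/app.py", "src/../.npmrc", "~/.zshenv", ".yarnrc.yml",
              ".devcontainer/devcontainer.json", "~/.config/git/config"]:
        print(f"{p:35} -> {classify(p, '/work/proj', '/home/dev')}")
```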
Context: Addressing a Known Attack Surface
This change arrives after security researchers at Check Point Research disclosed a series of vulnerabilities (CVE-2025-59536, CVE-2026-21852) involving Claude Code's handling of repository-controlled configuration files. Their research demonstrated how hooks and environment variables in .claude/settings.json could be used to achieve remote code execution and API key exfiltration. While those specific CVEs were patched separately, the new shell startup and build-tool file prompts represent a broader hardening of Claude Code's write-permission model around files that can cause code execution outside the project boundary.
For most users, the change is transparent: a single confirmation dialog appears if and when Claude attempts to write to one of these sensitive paths. For teams working in automated or acceptEdits environments, the carve-out ensures that even trusted-edit sessions do not silently modify files that reach outside the codebase.