Claude Code v2.1.160 hardens config-file write safety

Anthropic's Claude Code v2.1.160 release tightens safety around a real attack surface: agent-written configuration files that can silently trigger code execution. The update adds explicit prompts before the agent writes to shell startup files such as .zshenv, .zlogin, and .bash_login, as well as git config — files that, if modified, can cause arbitrary commands to run the next time a shell or git operation starts.

The release also extends acceptEdits mode (where edits are normally auto-approved) to prompt before writing build-tool configuration files including .npmrc, .yarnrc, bunfig.toml, .bazelrc, .pre-commit-config.yaml, and devcontainer files. These are common vectors for supply-chain-style compromise because they control how dependencies are fetched and how build/commit hooks execute.

The hardening lands amid heightened awareness of AI-tooling supply-chain risk: a separate community report this week described a supply-chain attack on the codexui-android npm package that stole OpenAI Codex authentication tokens, renewing concerns about npm dependency security in AI tooling. As coding agents gain more autonomy to write and execute code, the blast radius of a misbehaving or hijacked agent grows.

The change reflects a maturing posture: rather than maximizing autonomy, Anthropic is reintroducing human-in-the-loop gates precisely where unintended writes are most dangerous. For developers running Claude Code in acceptEdits mode, the practical effect is a few extra confirmation prompts in exchange for protection against an agent silently altering files that execute on shell start or build. It's a small release but a meaningful signal that agent-safety guardrails are becoming product table stakes.