Zero-Click RCE in Anthropic Claude Desktop Extensions via Malicious Google Calendar Events
Security researchers at LayerX disclosed a zero-click remote code execution (RCE) issue in Anthropic Claude Desktop Extensions that can be triggered by a malicious Google Calendar event, enabling silent system compromise without the victim needing to click or meaningfully interact. The reported weakness stems from a trust-boundary failure in Anthropic’s Model Context Protocol (MCP) design, where the agent can autonomously chain data from a low-risk source (calendar content) into higher-privilege actions, potentially turning a benign user request (e.g., “take care of it”) into arbitrary local code execution.
Reporting indicates the exposure impacts 10,000+ active Claude Desktop users and 50+ extensions distributed via Anthropic’s extension marketplace. A key risk driver is that Claude Desktop/MCP extension components run unsandboxed with full host OS privileges, unlike typical browser extensions, meaning successful exploitation could allow reading arbitrary files, accessing stored credentials, and modifying system settings. One described proof-of-concept scenario involves inviting a target to a calendar event whose description embeds attacker instructions that the agent/extension chain may execute, demonstrating how routine productivity integrations can be weaponized at scale.

How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
LayerX publicly discloses proof-of-concept zero-click RCE via Google Calendar
LayerX publicly detailed a proof of concept in which a malicious Google Calendar entry could cause Claude, after a vague user request such as reviewing calendar items and 'taking care of it,' to fetch code from a remote Git repository and download, compile, or execute it without confirmation. The disclosure characterized the issue as a workflow failure in autonomous agent decision-making rather than a traditional memory-corruption bug.
Anthropic declines to fix, citing MCP threat model and user permission boundaries
Anthropic told LayerX the reported behavior would not be fixed because it aligns with MCP's intended autonomy or falls outside the company's threat model, emphasizing that MCP servers are locally installed, user-enabled, and operate within the user's permission boundary. Subsequent reporting noted Anthropic framed MCP as a local development tool and placed responsibility on users to configure extensions securely.
LayerX discloses the Claude Desktop issue to Anthropic
After identifying the vulnerability, LayerX reported its findings to Anthropic. The disclosure described how Claude could chain low-trust external content into privileged MCP tools without explicit user approval, enabling zero-click remote code execution.
LayerX discovers zero-click RCE path in Claude Desktop Extensions
LayerX identified an architectural trust-boundary flaw in Anthropic's Claude Desktop Extensions/MCP ecosystem that could let untrusted connector data, such as a malicious Google Calendar event, trigger autonomous execution of attacker-controlled code through high-privilege local tools. The researchers said the issue could affect more than 10,000 active users and over 50 extensions, and rated it CVSS 10.0.
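One way a host application could enforce the trust boundary described above, as an added example that is not code from Anthropic, LayerX, or any MCP SDK: once content from a low-trust connector enters the session, calls to host-affecting tools require an explicit user decision on the exact call. The source labels, tool names, and the `Session` class are hypothetical.

```python
from dataclasses import dataclass, field

# Hypothetical labels, constructed for this example (not MCP SDK identifiers).
LOW_TRUST_SOURCES = {"calendar", "email", "web"}                # writable by outsiders
HIGH_PRIVILEGE_TOOLS = {"shell.exec", "fs.write", "git.clone"}  # can change the host


@dataclass
class Session:
    """Records which low-trust sources have fed the agent's context."""
    tainted_by: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def ingest(self, source: str, content: str) -> str:
        # Content passes through unchanged; only its provenance is recorded.
        if source in LOW_TRUST_SOURCES:
            self.tainted_by.add(source)
        return content

    def authorize(self, tool: str, args: dict, approve=None) -> bool:
        """Decide whether a tool call may run.

        approve(tool, args, sources) shows the exact call to the user and
        returns their decision. With no approver, a tainted call is denied.
        """
        if tool not in HIGH_PRIVILEGE_TOOLS:
            ok, why = True, "low-privilege tool"
        elif not self.tainted_by:
            ok, why = True, "no low-trust content in context"
        elif approve is None:
            ok, why = False, "tainted context, no approver"
        else:
            ok = bool(approve(tool, args, sorted(self.tainted_by)))
            why = "user approved" if ok else "user denied"
        self.audit.append((tool, ok, why))
        return ok


def demo() -> list:
    s = Session()
    # Constructed stand-in for an event description written by an outside inviter.
    s.ingest("calendar", "Quarterly sync. (organizer-supplied text)")
    s.authorize("calendar.list", {})            # read-only tool: allowed
    s.authorize("shell.exec", {"cmd": "make"})  # denied: tainted, nobody was asked
    s.authorize("shell.exec", {"cmd": "make"}, approve=lambda t, a, src: False)
    return s.audit
```

Taint in this sketch is per session and never cleared, which is deliberately conservative: a vague follow-up request cannot silently upgrade calendar text into a privileged call.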
Sources
LayerX reports vulnerability in Claude Desktop Extensions, Anthropic declines to fix | SC Media
scworld.com
Claude add-on turns Google Calendar into malware courier • The Register
theregister.com
10K Claude Desktop Users Exposed by Zero-Click Vulnerability
techrepublic.com
Critical 0-Click RCE Vulnerability in Claude Desktop Extensions Exposes 10,000+ Users to Remote Attacks
cybersecuritynews.com


