'Claudy Day' Flaws in Anthropic Claude Enable Data Theft via Fake Search Ads
Researchers at Oasis Security disclosed an attack chain dubbed "Claudy Day" that combines three flaws in Anthropic’s Claude platform to enable covert data theft. The chain starts with attacker-controlled Google search results or fake Claude ads that abuse an open redirect on claude.com, leading victims to what appears to be a legitimate Claude page. From there, a pre-filled chat URL can carry hidden prompt-injection instructions embedded in HTML so the user sees benign text while Claude processes malicious commands in the background.
According to the reports, the chained flaws allow attackers to silently instruct Claude to search prior conversations for sensitive information and exfiltrate it through the Anthropic Files API, creating an end-to-end path from victim luring to unauthorized data exposure. The issue is notable because it does not require extra tooling, integrations, or MCP servers; built-in Claude features are sufficient for exploitation. A separate report about Claude autonomously exploiting vulnerable websites is not the same incident, and a report on the SideWinder espionage campaign is unrelated.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Oasis Security publicly discloses the 'Claudy Day' Claude attack chain
On March 18, 2026, multiple outlets reported Oasis Security's public disclosure of 'Claudy Day,' describing how attackers could use trusted-looking Claude links or Google ads to inject hidden prompts, access chat history, and exfiltrate data. The disclosure also warned that impact could grow significantly when Claude is connected to enterprise tools, MCP servers, or other integrations.
Anthropic begins addressing remaining open redirect and exfiltration issues
Anthropic was still working on the other two reported weaknesses: the claude.com open redirect path and the data exfiltration path involving access to the Anthropic Files API. Researchers said these remaining issues could still enable trusted-looking delivery and silent theft of conversation data.
Anthropic patches Claude prompt injection flaw
After receiving the disclosure, Anthropic remediated the primary prompt injection issue involving hidden instructions in pre-filled Claude chat links. At the time the research was published, this was the only confirmed fix completed.
Oasis Security discovers and privately reports the 'Claudy Day' attack chain
Oasis Security identified a three-part attack chain against Anthropic's Claude that combined hidden prompt injection, open redirect abuse, and use of the Anthropic Files API for covert data exfiltration. The researchers reported the issues to Anthropic through responsible disclosure before public release.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
6 references tracked. Mallory keeps watching after this page renders.
Three high-risk AI vulnerabilities discovered in Claude.ai - end-to-end attack chain exfiltrates sensitive info without user knowing | TechRadar
techradar.com
Open sourceClaude Vulnerabilities Let Attackers Exfiltrate Sensitive Data and Redirect Users to Malicious Websites
cybersecuritynews.com
Open sourceThree high-risk AI vulnerabilities discovered in Claude.ai - end-to-end attack chain exfiltrates sensitive info without user knowing
tech.yahoo.com
Open source“Claudy Day” Flaws Allow Data Theft via Fake Claude AI Ads, Report
hackread.com
Open source'Claudy Day’ Trio of Flaws Exposes Claude Users to Data Theft
darkreading.com
Open sourceClaudy Day Forecast: Chat Data Theft - BankInfoSecurity
bankinfosecurity.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Malicious and unsafe use of Anthropic Claude Code leading to malware delivery and destructive infrastructure changes
Push Security reported an **“InstallFix” malvertising campaign** targeting developers searching for Anthropic’s *Claude Code* CLI. Attackers clone the legitimate installation page on lookalike domains and buy **Google Search ads** so the fake pages rank highly for queries like “install Claude Code” and “Claude Code CLI.” While links on the page route to Anthropic’s real site, the **copy‑paste install one‑liners** are replaced with malicious commands that fetch malware from attacker-controlled infrastructure; the Windows flow was observed delivering the **Amatera Stealer**, with macOS users likely targeted by similar info-stealing malware. Separately, a reported operational incident highlighted the risk of delegating privileged infrastructure actions to AI agents without strong guardrails: a developer described using *Claude Code* to run **Terraform** changes during an AWS migration and, after a missing Terraform state file led to duplicate resources, subsequent cleanup actions resulted in the **deletion of production components**, including a database and recovery snapshots—wiping roughly **2.5 years of records**. Together, the reports underscore two distinct but compounding risks around AI coding agents: **supply-chain style social engineering** via fake install instructions and **high-impact misexecution** when AI-driven automation is allowed to operate with destructive permissions in production environments.
May 12, 2026
Fake Claude AI Site Delivers Beagle Backdoor via Malvertising
A malvertising and SEO-poisoning campaign is impersonating Anthropic’s Claude AI with the domain `claude-pro[.]com`, luring users to download a trojanized Windows installer that deploys a newly identified backdoor called **Beagle**. Researchers said the fake site appeared in sponsored search results and mimicked Claude branding to distribute a ZIP archive containing an MSI package that installed a legitimate signed G DATA executable alongside a malicious DLL, abusing **DLL sideloading** to begin the infection chain. After execution, the malware decrypts additional payloads, launches DonutLoader, and loads Beagle entirely in memory to reduce disk-based detection. The backdoor provides remote access functions including command execution, file transfer, directory management, and self-uninstallation, and communicates with `license[.]claude-pro[.]com` over TCP 443 or UDP 8080 using a hardcoded AES key. Sophos X-Ops said the campaign has been active for months, uses anti-analysis measures and shared tooling such as a reused XOR key, and relies on infrastructure including Cloudflare and Alibaba Cloud; researchers also noted overlaps with activity linked to **PlugX** operators and related impersonation of vendors including Trellix, CrowdStrike, SentinelOne, and Microsoft Defender.
May 24, 2026
Claude Chrome Extension Flaw Enabled Zero-Click Prompt Injection via Trusted Subdomain XSS
Researchers disclosed a critical zero-click vulnerability chain in Anthropic’s Claude Chrome extension that allowed a malicious website to inject prompts into the AI assistant without any user interaction. The attack relied on the extension trusting any `*.claude.ai` origin and a DOM-based XSS flaw in an older Arkose Labs CAPTCHA component hosted on `a-cdn.claude.ai`; by loading the vulnerable component in a hidden iframe and sending a crafted `postMessage`, attacker-controlled JavaScript could appear to come from a trusted Claude origin and submit prompts as the victim. Successful exploitation could have exposed more than 3 million users to account and data compromise, including theft of Gmail OAuth tokens, access to Gmail, Google Drive, and Claude chat history, and invisible actions such as sending emails on the user’s behalf. KOI Security researcher Oren Yomtov reported the issue to Anthropic in late December 2025, Anthropic patched the extension by tightening origin validation to `https://claude.ai` in January 2026, and Arkose Labs separately fixed the XSS issue in February 2026 after the vulnerable resource was disabled.
Mar 27, 2026