Claude Chrome Extension Flaw Enabled Zero-Click Prompt Injection via Trusted Subdomain XSS
Researchers disclosed a critical zero-click vulnerability chain in Anthropic’s Claude Chrome extension that allowed a malicious website to inject prompts into the AI assistant without any user interaction. The attack relied on the extension trusting any *.claude.ai origin and a DOM-based XSS flaw in an older Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai; by loading the vulnerable component in a hidden iframe and sending a crafted postMessage, attacker-controlled JavaScript could appear to come from a trusted Claude origin and submit prompts as the victim.
Successful exploitation could have exposed more than 3 million users to account and data compromise, including theft of Gmail OAuth tokens, access to Gmail, Google Drive, and Claude chat history, and invisible actions such as sending emails on the user’s behalf. KOI Security researcher Oren Yomtov reported the issue to Anthropic in late December 2025, Anthropic patched the extension by tightening origin validation to https://claude.ai in January 2026, and Arkose Labs separately fixed the XSS issue in February 2026 after the vulnerable resource was disabled.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Researchers publicly disclose zero-click Claude extension exploit chain
Researchers publicly revealed that the chained flaws could have allowed silent prompt injection against Claude Chrome extension users, potentially exposing conversation history, Gmail and Drive data, OAuth tokens, and enabling actions such as sending emails on a victim's behalf. Reports said the issue affected a user base of more than 3 million before the fixes were applied.
Arkose Labs fixes CAPTCHA XSS on a-cdn.claude.ai
Arkose Labs patched the vulnerable CAPTCHA component, and the previously exploitable URL later returned HTTP 403. This remediation closed the XSS portion of the exploit chain used against the Claude extension.
Arkose Labs XSS flaw is separately reported
The DOM-based XSS vulnerability in the Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai was separately disclosed to Arkose Labs. This second flaw was necessary for the full exploit chain because it enabled attacker-controlled JavaScript execution from a trusted Claude subdomain.
Anthropic patches Claude Chrome extension origin validation
Anthropic fixed the extension-side issue by tightening trusted origin checks from any claude.ai subdomain to exactly https://claude.ai. This patch blocked malicious websites from abusing the extension's overly broad allowlist to send trusted messages without user interaction.
KOI Security reports Claude extension vulnerability chain to Anthropic
KOI Security researcher Oren Yomtov responsibly disclosed a zero-click prompt-injection vulnerability chain affecting Anthropic's Claude Chrome extension. The issue combined an overly broad *.claude.ai trusted-origin allowlist with a DOM-based XSS flaw in an Arkose Labs CAPTCHA component hosted on a-cdn.claude.ai.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
ShadowPrompt: Zero-Click Prompt Injection Chain in Anthropic’s Claude Chrome Extension
socradar.io
Open sourceClaude Chrome Extension 0-Click Vulnerability Enables Silent Prompt Injection Attacks - Cyber Security News
cybersecuritynews.com
Open sourceClaude Extension Flaw Enabled Zero-Click XSS Prompt Injection via Any Website
thehackernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Claude Chrome Extension Flaw Let Other Browser Plugins Hijack AI Actions
Researchers at LayerX disclosed a critical flaw in Anthropic’s Claude Chrome extension that allowed **any other Chrome extension**, including ones with no declared permissions, to send hidden instructions to Claude and abuse its browser automation features. The issue reportedly stemmed from the extension trusting messages associated with the `claude.ai` origin without properly authenticating the true sender, creating a cross-extension privilege escalation path. In proof-of-concept attacks, LayerX said it used the weakness to extract files from Google Drive, read and send Gmail messages, steal code from connected private GitHub repositories, and even summarize or delete recent emails to conceal activity. Anthropic said the bug had already been identified internally and released version `1.0.70` with mitigations, including approval flows for privileged actions, but LayerX reported that the fix was incomplete and that takeover remained possible through privileged mode and side-panel initialization paths. The researchers said the flaw exposed a broader trust-boundary problem in AI browser assistants, where interface-based approvals and safety guardrails can be bypassed if extensions fail to verify message origin and execution context. Separate White House discussions about tighter oversight of advanced AI models, including Anthropic systems with offensive cyber capabilities, underscored growing concern over how powerful AI tools are secured before deployment.
May 12, 2026
'Claudy Day' Flaws in Anthropic Claude Enable Data Theft via Fake Search Ads
Researchers at **Oasis Security** disclosed an attack chain dubbed **"Claudy Day"** that combines three flaws in Anthropic’s **Claude** platform to enable covert data theft. The chain starts with attacker-controlled Google search results or fake Claude ads that abuse an **open redirect** on `claude.com`, leading victims to what appears to be a legitimate Claude page. From there, a pre-filled chat URL can carry **hidden prompt-injection instructions** embedded in HTML so the user sees benign text while Claude processes malicious commands in the background. According to the reports, the chained flaws allow attackers to silently instruct Claude to search prior conversations for sensitive information and exfiltrate it through the **Anthropic Files API**, creating an end-to-end path from victim luring to unauthorized data exposure. The issue is notable because it does not require extra tooling, integrations, or MCP servers; built-in Claude features are sufficient for exploitation. A separate report about Claude autonomously exploiting vulnerable websites is **not** the same incident, and a report on the **SideWinder** espionage campaign is unrelated.
Mar 30, 2026
Zero-Click RCE in Anthropic Claude Desktop Extensions via Malicious Google Calendar Events
Security researchers at **LayerX** disclosed a **zero-click remote code execution (RCE)** issue in *Anthropic Claude Desktop Extensions* that can be triggered by a **malicious Google Calendar event**, enabling silent system compromise without the victim needing to click or meaningfully interact. The reported weakness stems from a **trust-boundary failure** in Anthropic’s **Model Context Protocol (MCP)** design, where the agent can autonomously chain data from a low-risk source (calendar content) into higher-privilege actions, potentially turning a benign user request (e.g., “take care of it”) into arbitrary local code execution. Reporting indicates the exposure impacts **10,000+ active Claude Desktop users** and **50+ extensions** distributed via Anthropic’s extension marketplace. A key risk driver is that Claude Desktop/MCP extension components run **unsandboxed with full host OS privileges**, unlike typical browser extensions, meaning successful exploitation could allow reading arbitrary files, accessing stored credentials, and modifying system settings. One described proof-of-concept scenario involves inviting a target to a calendar event whose description embeds attacker instructions that the agent/extension chain may execute, demonstrating how routine productivity integrations can be weaponized at scale.
Mar 21, 2026