Claude Chrome Extension Flaw Let Other Browser Plugins Hijack AI Actions
Researchers at LayerX disclosed a critical flaw in Anthropic’s Claude Chrome extension that allowed any other Chrome extension, including ones with no declared permissions, to send hidden instructions to Claude and abuse its browser automation features. The issue reportedly stemmed from the extension trusting messages associated with the claude.ai origin without properly authenticating the true sender, creating a cross-extension privilege escalation path. In proof-of-concept attacks, LayerX said it used the weakness to extract files from Google Drive, read and send Gmail messages, steal code from connected private GitHub repositories, and even summarize or delete recent emails to conceal activity.
Anthropic said the bug had already been identified internally and released version 1.0.70 with mitigations, including approval flows for privileged actions, but LayerX reported that the fix was incomplete and that takeover remained possible through privileged mode and side-panel initialization paths. The researchers said the flaw exposed a broader trust-boundary problem in AI browser assistants, where interface-based approvals and safety guardrails can be bypassed if extensions fail to verify message origin and execution context. Separate White House discussions about tighter oversight of advanced AI models, including Anthropic systems with offensive cyber capabilities, underscored growing concern over how powerful AI tools are secured before deployment.
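The trust-boundary check described above, sketched as an added example (not Anthropic's or LayerX's code): a gate that decides from the browser-populated `chrome.runtime.MessageSender` fields and from approval state held by the extension itself, never from what the message payload claims. The extension ID, the action names and the function name are hypothetical.

```javascript
// Added example: authenticate the sender before acting on an extension message.
// OWN_ID, PRIVILEGED and authorizeMessage are hypothetical names.
const OWN_ID = "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa"; // placeholder extension ID
const TRUSTED_ORIGIN = "https://claude.ai";
const PRIVILEGED = new Set(["navigate", "click", "read_page"]); // assumed actions

// `sender` is filled in by the browser (chrome.runtime.MessageSender);
// `msg` is untrusted payload. Only `sender` may drive trust decisions.
function authorizeMessage(sender, msg, userApproved = false) {
  if (!sender || typeof msg !== "object" || msg === null)
    return { allowed: false, reason: "malformed" };

  // A message from another extension carries that extension's ID in sender.id.
  if (sender.id !== undefined && sender.id !== OWN_ID)
    return { allowed: false, reason: "foreign-extension" };

  // Compare the parsed, browser-reported origin exactly; no substring matching.
  let origin;
  try { origin = new URL(sender.origin || sender.url).origin; }
  catch { return { allowed: false, reason: "no-origin" }; }
  if (origin !== TRUSTED_ORIGIN)
    return { allowed: false, reason: "untrusted-origin" };

  // Execution context: top-level frame of a real tab only.
  if (!sender.tab || sender.frameId !== 0)
    return { allowed: false, reason: "wrong-context" };

  // An origin match is necessary, not sufficient: privileged actions also need
  // approval recorded by the extension's own UI, not a flag inside the message.
  if (PRIVILEGED.has(msg.action) && !userApproved)
    return { allowed: false, reason: "needs-approval" };

  return { allowed: true, reason: "ok" };
}
```

In a real handler `userApproved` would come from state the extension's own UI wrote after a user gesture, so a payload field such as `approved: true` has no effect on the decision.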

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
CyberScoop details incomplete fix and takeover scenarios
CyberScoop reported additional details from LayerX showing that Anthropic's mitigation did not fully prevent extension takeover in some scenarios. The report highlighted how attackers could manipulate Claude's perceived interface environment to hide cues and make malicious actions appear legitimate.
Media reports reveal White House considering AI model vetting
Politico and Tom's Hardware reported that the Trump administration was considering an executive order or related process for government vetting of advanced AI models before release. The reporting framed the move as a potential shift from the administration's earlier deregulatory posture on AI.
Policy debate emerges over intelligence review of advanced AI models
Reporting described active White House deliberations over whether highly capable AI models with offensive cyber potential should undergo government coordination or intelligence-community assessment before broad release. The proposal drew support from some defense officials and opposition from technology executives, policy groups, and former officials.
White House briefs major AI firms on possible pre-release oversight
White House staff briefed leaders from Anthropic, Google, and OpenAI on a possible framework for government review of advanced AI models before public release. Officials discussed involving agencies such as the NSA, the Office of the National Cyber Director, and the Director of National Intelligence.
Anthropic releases version 1.0.70 mitigation for Claude extension
Anthropic released Claude Chrome extension version 1.0.70 with mitigations including approval flows for privileged actions. LayerX later said the update was only a partial fix because some takeover paths remained possible.
LayerX publicly discloses Claude extension hijack flaw
LayerX published technical details of a design flaw in Anthropic's Claude Chrome extension that allowed any extension, even one with no declared permissions, to inject commands into Claude. The researchers demonstrated exfiltrating Google Drive files, stealing private GitHub code, and sending or deleting Gmail messages while bypassing some safeguards.
LayerX reports Claude Chrome extension flaw to Anthropic
LayerX notified Anthropic of a vulnerability in the Claude Chrome extension that let other browser extensions send hidden instructions and potentially hijack Claude's browser automation. Anthropic responded that the issue was a duplicate bug already being addressed.
NSA uses Anthropic's unreleased Mythos for software assessments
Anthropic's unreleased model Mythos was reportedly used by the NSA for government software security assessments. Its strong vulnerability-discovery and hacking capabilities helped drive official interest in tighter oversight of advanced AI systems.
U.S. government restricts Anthropic over supply-chain risk concerns
Following the Pentagon dispute, Anthropic was reportedly blacklisted from some federal use and became involved in litigation over its designation as a supply chain risk. Despite those restrictions, government interest in Anthropic's capabilities continued.
Anthropic and Pentagon clash over military AI guardrails
Anthropic resisted certain military uses of its AI, including autonomous lethal attacks and mass surveillance, leading to a dispute with the Pentagon over acceptable guardrails. This disagreement became part of broader tensions between Anthropic and U.S. national security officials.
Sources
Claude’s Chrome Extension Vulnerability Allows Malicious Extensions to Steal Gmail and Drive Data
cybersecuritynews.com
Flaw in Claude’s Chrome extension allowed ‘any’ other plugin to hijack victims’ AI | CyberScoop
cyberscoop.com
White House reportedly considers mandatory government vetting of AI models before release - executive order under discussion | Tom's Hardware
tomshardware.com
White House distances itself from tighter AI regulation - POLITICO
politico.com
ClaudeBleed: A Flaw In Claude's Browser Extension Allows Any Extension to Hijack It - LayerX
layerxsecurity.com


