'Claudy Day' Trio of Flaws Exposes Claude Users to Data Theft

A prompt injection vulnerability paired with other flaws can turn a Google search into a full attack chain that could threaten enterprise networks.

Elizabeth Montalbano, Contributing Writer
March 18, 2026

An attack chain featuring three separate flaws found in Anthropic's Claude artificial intelligence (AI) agent could have allowed attackers to embed malicious hidden instructions in a pre-filled chat URL via a Google search, steal sensitive user data, and expose users to malicious links that appear to be legitimate search results.

Researchers from Oasis Security discovered the flaws, each of which was concerning on its own, according to a report published Wednesday. However, when chained together in an attack dubbed "Claudy Day," they "create a complete attack pipeline from targeted victim delivery to silent data exfiltration," according to the report by the Oasis Security Research Team.

The attack chain begins when a potential victim searches for Claude on Google and clicks on what appears to be a legitimate search result but is in reality an attacker-controlled page with a pre-filled prompt containing hidden instructions, according to the team. Those instructions cause the agent to perform actions that the victim never intended, such as silently exfiltrating sensitive data, without the need for any additional tools, integrations, or Model Context Protocol (MCP) servers.

The trio of flaws includes an invisible prompt injection via URL parameters on Claude.ai; a data exfiltration channel via the Anthropic Files API; and an open redirect on Claude.ai, according to the report.
Oasis researchers informed Claude creator Anthropic of their discovery of the attack chain through its responsible disclosure program. Anthropic has fixed the prompt injection flaw and is currently working to address the other issues, according to Oasis.

How a Chained Attack Works

The researchers describe how one click can set off the entire attack chain, although the attacker must do some work to create a scenario in which a user can be compromised.

An attack starts with a threat actor crafting an injection URL via a claude.ai/new?q= URL with hidden exfiltration instructions, including the attacker's API key, embedded in invisible HTML tags. Then, by wrapping that URL in the open redirect flaw using a claude.com/redirect/<crafted-url> link, they can make the URL appear to originate from a trusted Anthropic domain.

The attacker can then create a Google Ad using the redirect URL; Google validates the claude.com hostname and approves the ad, which displays a trusted claude.com URL identical to the legitimate Claude result.

This is when a potential victim steps into the picture by searching for Claude on Google and seeing what looks like a typical search result for the AI tool. An unsuspecting user will think they are navigating to the legitimate Claude interface and click on the link, after which they will be silently redirected from claude.com to claude.ai with a pre-filled prompt that contains hidden instructions.

Since the victim believes they are interacting with the legitimate Claude AI assistant, they will send a prompt, but they see only the benign visible portion of the prompt in the text box. When they send the prompt, Claude processes both the visible and hidden instructions embedded by the attacker. These instructions allow the attacker to access conversation history and extract sensitive data, according to Oasis.
This occurs by Claude writing the data to a file in the sandbox and uploading it to api.anthropic.com (Files API) using the attacker's embedded API key. The attacker then lists files in their Anthropic account, finds the new upload, and reads the exfiltrated data, according to the researchers.

Attack Severity Depends on Agent Access

The severity of a potential attack depends on what the agent has access to, according to Oasis. In a basic Claude chat in which the AI agent isn't integrated with any other systems or apps, the hidden injection can access conversation history and memory, extract sensitive information from past chats, and exfiltrate it via the Files API.

But if the Claude session used by the victim has MCP servers, tools, or integrations enabled, the injected prompt can trigger various actions on the user's behalf, according to Oasis. This includes reading files, sending messages, accessing APIs, or interacting with connected services. Any data obtained through these activities can then be exfiltrated by attackers.

"For organizations deploying AI agents with access to enterprise systems, this attack chain highlights a broader challenge: prompt integrity cannot be assumed when the delivery channel itself can be compromised," according to the research team.

Making Enterprise AI Agent Use Safer

Oasis' findings highlight growing concerns around prompt integrity as a critical security boundary for AI agents — especially those with access to sensitive data, enterprise tools, or historical user context. As enterprises continue to adopt AI agents into everyday employee workflows, security holes exposed by these tools become more critical to plug. The discovery of "Claudy Day" also demonstrates insecurity in Anthropic's Claude AI agent.
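Coming back to the chain described under "How a Chained Attack Works": a link-vetting routine of the kind a mail or web gateway could run before a user reaches the page, added here as an example and not code from Oasis Security or Anthropic. It unwraps one claude.com/redirect/ hop, then inspects the claude.ai/new?q= prompt for embedded HTML, hide-from-view styling, and an API-key-shaped token. The endpoint paths are taken from the report, the "sk-ant-" key prefix is an assumption, and the sample URLs are constructed.

```python
import re
from urllib.parse import urlparse, parse_qs, unquote, quote

# Endpoints as named in the Oasis report; treating them as fixed constants is an assumption.
PREFILL_HOST, PREFILL_PATH = "claude.ai", "/new"
REDIRECT_HOST, REDIRECT_PREFIX = "claude.com", "/redirect/"

HTML_TAG = re.compile(r"<\s*/?\s*[a-zA-Z][^>]*>")
# Styling/attributes that keep text out of the rendered prompt box (heuristic; can false-positive).
HIDDEN_MARKERS = re.compile(
    r"\bhidden\b|display\s*:\s*none|visibility\s*:\s*hidden|font-size\s*:\s*0|opacity\s*:\s*0", re.I)
# Assumed key shape: Anthropic API keys begin with "sk-ant-"; any such token is treated as a secret.
API_KEY = re.compile(r"sk-ant-[A-Za-z0-9_\-]{8,}")

def unwrap_redirect(url: str) -> str:
    """Return the target of a claude.com/redirect/<target> link; other URLs come back unchanged."""
    u = urlparse(url)
    if u.hostname != REDIRECT_HOST or not u.path.startswith(REDIRECT_PREFIX):
        return url
    target = unquote(u.path[len(REDIRECT_PREFIX):])  # the target itself may be percent-encoded
    return target + ("?" + u.query if u.query else "")

def inspect_prefill_url(url: str) -> list[str]:
    """Findings for a pre-filled prompt link; an empty list means nothing suspicious was seen."""
    u = urlparse(url)
    if u.hostname != PREFILL_HOST or u.path.rstrip("/") != PREFILL_PATH:
        return []
    findings = []
    for prompt in parse_qs(u.query).get("q", []):  # parse_qs already percent-decodes the value
        if HTML_TAG.search(prompt):
            findings.append("html_in_prompt")
        if HIDDEN_MARKERS.search(prompt):
            findings.append("hidden_content")
        if API_KEY.search(prompt):
            findings.append("embedded_api_key")
    return findings

def inspect_link(url: str) -> list[str]:
    """Inspect a link the way a user follows it: one redirect hop, then the landing prompt."""
    final = unwrap_redirect(url)
    findings = ["redirect_wrapped"] if final != url else []
    return findings + inspect_prefill_url(final)

# Constructed samples (not from the report): a link that displays claude.com but lands on a
# pre-filled prompt carrying a hidden span and a placeholder key, and a plain benign prompt.
SAMPLE_MALICIOUS = "https://claude.com/redirect/https://claude.ai/new?q=" + quote(
    'Summarize this page <span style="display:none">[constructed hidden text] '
    'sk-ant-PLACEHOLDER0000</span>')
SAMPLE_BENIGN = "https://claude.ai/new?q=" + quote("Explain open redirects")
```

A gateway would treat any "redirect_wrapped" result that also carries "hidden_content" or "embedded_api_key" as a block-and-alert condition rather than a warning, since that combination is exactly the shape of the chain above.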
While Claude is considered by some security researchers to be one of the safest AI assistants currently available, previous flaws have been found — and the model has even been used by nation-state actors for cyberespionage.

The findings represent a call to action for organizations to continue to set up guardrails around the use of AI agents in the enterprise as they take on "greater autonomy and broader access to enterprise resources," according to the research team.

One key security guideline to follow would be to restrict access for AI tools, because such access amplifies prompt-injection risk, according to the report. "When MCP servers and integrations are available from the very first interaction, with no user confirmation, a single injected prompt can immediately leverage those tools," the researchers wrote. "Requiring explicit user approval before using the tool on the first prompt would add a meaningful barrier."

About the Author

Elizabeth Montalbano, Contributing Writer

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.