Claude Desktop Attack Chain Shows How AI Assistants Can Become Remote Code Execution Risks


A red-team attack chain involving Claude Desktop shows how a compromised account can turn a trusted AI assistant into a path for remote code execution on a user’s machine.

The technique, detailed in Pentera Labs research described by The Register, did not start with a malicious attachment or a fake software update. It began with access to a compromised inbox, which the researchers used to reach the victim’s Claude account.

From there, the researchers abused synced Claude settings and command-capable local tools. The result was a practical route from account compromise to commands running on the victim’s workstation, especially when Claude Desktop had access to extensions or Model Context Protocol tools.

How the Claude Desktop attack worked

The key target was Claude’s personalization layer. Anthropic says Claude personalization features include profile instructions that affect interactions across Claude, while project instructions and styles can shape behavior in narrower contexts.

Pentera’s researchers placed attacker-controlled instructions into the victim’s personal preferences. When the victim later opened Claude Desktop and began a normal chat, those instructions loaded silently as part of the assistant’s context.

The injected instructions pushed Claude to look for tools that could run local commands. If a tool such as Desktop Commander was already installed, Claude could use it to execute attacker-supplied commands through the normal tool workflow.

StageWhat happenedSecurity impact
Initial accessResearchers used access to a compromised email inbox to reach the victim’s Claude account.The attack depended on prior account compromise.
Preference poisoningMalicious instructions were placed into synced Claude preferences.Future Claude sessions inherited attacker-controlled behavior.
Tool discoveryClaude looked for command-capable local extensions or MCP tools.Trusted assistant behavior became a bridge to local execution.
Command executionCommands could run through a privileged local tool or after a user was persuaded to install one.The victim’s workstation could become an attacker-controlled foothold.

Why MCP and desktop extensions raise the stakes

The issue matters because Claude Desktop can connect natural-language requests to local tools. Anthropic’s Desktop Extensions package local MCP servers into installable bundles, making setup easier for users who want Claude to work with files, applications, and development tools.

Anthropic’s MCP connector documentation explains that Claude can call connected tools when a request maps to a tool’s described capability, including implicit requests where the user does not name the tool directly.

That design gives AI assistants more practical value, but it also creates a sharper trust boundary problem. A model that can interpret instructions, read user context, and invoke local tools needs stronger controls than a normal chatbot.

If no command tool was installed, Claude became the lure

The attack chain also covered systems where no command-capable extension was already present. In that scenario, Claude displayed a realistic-looking error message that encouraged the user to install a tool that could run commands.

According to the same The Register report, Anthropic said the scenario required a compromised Claude account and said users can view or terminate active sessions across devices.

That matters for defenders because the social-engineering prompt came from the trusted assistant interface itself. Users may question an unexpected email, but they may trust an error message from an app they already use for work.

This is not the only research to focus on Claude Desktop, extensions, and command execution. LayerX previously described a zero-click remote code execution scenario involving Claude Desktop Extensions and a malicious Google Calendar event.

LayerX said Claude Desktop Extensions could run with broad local privileges and warned that a low-risk data source could be chained into a high-risk local executor. The LayerX report rated the scenario at CVSS 10/10 and said the issue affected more than 10,000 active users and 50 extensions.

Attack Chain

Koi Security also reported high-severity command-injection flaws in official Claude Desktop extensions for Chrome, iMessage, and Apple Notes. Koi said Anthropic confirmed the flaws as CVSS 8.9 and fixed them.

  • AI assistants can receive instructions from chats, web pages, calendar entries, files, and synced preferences.
  • Desktop extensions can bridge those instructions into local applications and files.
  • Command-capable tools can turn a prompt-injection problem into endpoint compromise.
  • Enterprise controls often still treat AI desktop apps as productivity tools rather than privileged software.

Anthropic treated the Pentera chain as expected functionality

Anthropic’s position, as reported in the Pentera case, was that personal preferences, skills, and MCP connectors are designed to execute code through Claude Desktop when configured to do so. The company said the behavior did not fall within its vulnerability program scope.

The company’s public product material also shows why the line can blur. Anthropic’s extension architecture was built to make local MCP servers easier to install, while Anthropic’s MCP connector docs describe allowlists, denylists, per-tool configuration, and tool-calling behavior.

Those controls help, but the research highlights a bigger operational question. Security teams need to know which AI apps can call local tools, which tools can execute commands, and which settings sync across devices.

What organizations should do now

Organizations should treat Claude Desktop and similar AI agents as privileged endpoint software when they connect to local files, developer tools, browsers, terminals, or enterprise apps.

Admins should review profile instructions, tool permissions, extension inventories, and endpoint telemetry for unexpected changes. Claude users should also review active sessions and remove devices they do not recognize.

Security teams should prioritize the following controls:

  • Restrict installation of Claude Desktop extensions and MCP servers on corporate devices.
  • Block or alert on AI tools that attempt to invoke shells, scripts, package managers, or remote download commands.
  • Monitor synced assistant settings for unauthorized edits.
  • Require strong authentication on email accounts used for Claude sign-in.
  • Separate AI experimentation environments from production developer workstations.
  • Train users to treat assistant-generated install prompts and error messages as untrusted until verified.

Users who suspect account abuse should revoke unknown sessions immediately. Claude’s support guidance says users can terminate unfamiliar sessions remotely, which forces that device to log in again.

Why this matters for AI security

The Claude Desktop attack chain shows how AI assistants can become a new control plane for endpoint activity. A compromised account can influence the assistant’s behavior, while connected tools can turn that influence into file access or command execution.

The broader lesson from Pentera, LayerX, and Koi’s research is that agentic AI security cannot stop at model safety. It also needs endpoint governance, tool isolation, permission prompts, audit logs, and clear trust boundaries between external content and local execution.

As AI assistants move from chat windows into operating systems and business workflows, defenders need to audit them like software that can act, not just software that can answer.

FAQ

Is the Claude Desktop attack a standalone zero-day vulnerability?

No. The reported Pentera attack chain required prior access to the victim’s Claude account, such as through a compromised email account. The risk came from poisoned synced settings and command-capable local tools.

How could Claude Desktop lead to remote code execution?

Claude Desktop can interact with local tools and MCP extensions. If attacker-controlled instructions reach Claude’s context and a command-capable tool is available, the assistant can become a bridge between malicious instructions and local command execution.

Are Claude Desktop extensions dangerous by default?

Extensions are not automatically malicious, but they can carry higher risk when they access local files, browsers, apps, terminals, or command execution functions. Organizations should allow only approved extensions and monitor how they behave.

What should users do after suspected Claude account compromise?

Users should review active sessions, terminate unfamiliar devices, secure the email account used for sign-in, change passwords where needed, and remove suspicious profile instructions, tools, or extensions.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages