Researchers at Manifold Security have disclosed two security weaknesses in Anthropic's Claude for Chrome extension that could allow another browser extension with access to the Claude website to trigger predefined AI-powered actions involving a user's Gmail, Google Docs and Google Calendar.
According to the researchers, the issues remain present in version 1.0.80 of the extension despite earlier mitigations introduced after the disclosure of the "ClaudeBleed" vulnerability. While Anthropic restricted how external webpages can communicate with the extension, Manifold says the underlying trust boundary that determines whether a user intentionally initiated an action has not been fully addressed.
The findings do not indicate that arbitrary websites can directly read a user's email or documents. Instead, the attack requires another browser extension that already has permission to execute scripts on the claude.ai domain. If such an extension is malicious or becomes compromised, it could abuse Claude's existing capabilities to initiate AI tasks that access a user's connected Google services.
Forged clicks can initiate predefined Claude actions
Following the earlier ClaudeBleed disclosure, Anthropic replaced unrestricted prompt handling with a fixed allowlist of predefined onboarding tasks. Rather than allowing external callers to submit arbitrary prompts, the extension now recognizes only nine task identifiers embedded within its code.
Among these are demonstration workflows for third-party services such as DoorDash, Salesforce and Zillow, along with tasks that interact with Gmail, Google Docs and Google Calendar. This design significantly narrows the attack surface because outside scripts can no longer provide custom instructions for Claude to execute.
However, Manifold Security found that the mechanism responsible for launching these tasks can still be manipulated.
The researchers explain that a content script running within the extension monitors the Claude webpage for clicks on a specific onboarding element. When a click occurs, the script reads the associated task identifier and forwards it to the extension, which opens Claude's side panel with the corresponding workflow prepared.
The problem lies in how those clicks are validated. Instead of confirming that the event originated from an actual user interaction, the extension accepts any matching click event, including one generated programmatically by JavaScript.
Modern browsers provide an "event.isTrusted" property that distinguishes genuine user actions from synthetic events created by scripts. According to Manifold, the extension does not verify this property before processing the request.
As a result, another extension capable of interacting with the Claude webpage can dynamically create the required element, assign one of the approved task identifiers and dispatch an artificial click event. Because the extension treats the event as legitimate, Claude opens the selected workflow as though the user had manually initiated it.
The researchers demonstrated this behavior using a short proof-of-concept script executed within the Claude page, showing that synthetic click events marked as untrusted were still accepted by the extension.
Approval settings determine the level of risk
Whether the forged action progresses beyond this point depends largely on how the extension has been configured.
For users operating under Claude's default "Ask before acting" setting, the extension still presents an approval prompt before carrying out actions involving Gmail, Google Docs or Google Calendar. This additional confirmation prevents automatic execution, although users could still unknowingly approve an attacker-triggered request.
The risk increases considerably for users who have enabled the optional "Act without asking" mode. In this configuration, the extension can perform supported tasks without requesting further confirmation, allowing attacker-triggered workflows to execute automatically.
Manifold assigned a CVSS severity score of 7.7 under the default approval model and 9.6 when unattended execution is enabled.
The researchers say a straightforward mitigation would be to reject any click event that was not generated by a genuine user, preventing scripts from activating these workflows through synthetic browser events.
Researchers identify second permission-handling concern
Manifold also disclosed a separate issue involving how the extension initializes permission settings when its side panel loads.
According to the researchers, if the panel starts with a specific URL parameter indicating that permission checks should be skipped, the extension immediately enters a mode that bypasses user approval for supported actions.
Although users receive a warning indicating that Claude now has broader authority to perform actions on their behalf, the privileged session has already been established by the time the notification appears.
The researchers emphasize that this second issue is not directly exploitable under current conditions because the parameter can presently be generated only by the extension itself. Nevertheless, they argue that any future vulnerability allowing a lower-privileged component to influence this parameter could eliminate the remaining approval barrier and enable silent execution.
Potential attack paths discussed by the researchers include future message-handling flaws, panel initialization bugs or cross-site scripting vulnerabilities that could expose the parameter to untrusted input.
To reduce that risk, Manifold recommends that the extension ignore permission-related values supplied through URLs and instead always initialize new sessions in approval mode.
The researchers classify the forged-task technique as an example of indirect prompt injection within the OWASP Top 10 for Large Language Model Applications because an attacker manipulates the AI agent into executing one of its own predefined workflows rather than supplying new instructions directly.
They also associate the unattended execution scenario with excessive agency, referring to AI systems that are granted broad authority to perform sensitive actions with minimal user oversight.
According to the report, these behaviors occur regardless of whether users are running Claude Opus, Sonnet or Fable, indicating that the weaknesses originate in the browser extension rather than the underlying language models.
Issues remain unresolved months after disclosure
Manifold Security reported both vulnerabilities to Anthropic on May 21 while testing version 1.0.72 of the extension. Anthropic acknowledged the reports the following day.
The forged-click issue was closed on the basis that it fell within the scope of the previously reported ClaudeBleed investigation, which Anthropic indicated remained open while a more comprehensive solution was being developed.
The permission-handling report was classified as informational because the relevant parameter was intended for workflows that users had already configured for unattended execution.
Despite those responses, Manifold says it found the same vulnerable code paths unchanged after examining version 1.0.80 released on July 7.
As of July 14, the researchers noted that no CVE identifier had been assigned to either issue and Anthropic had not published a public advisory addressing the findings.
The latest research follows a series of security concerns involving AI-powered browser agents.
Earlier this year, researchers disclosed ClaudeBleed, a vulnerability that allowed websites to inject prompts into Claude for Chrome by exploiting how the extension trusted requests originating from the Claude website itself rather than verifying which script generated them.
LayerX, which originally disclosed ClaudeBleed, described the issue as a classic "confused deputy" problem, where software possessing legitimate privileges unknowingly performs actions on behalf of an untrusted requester.
Security researchers have also identified comparable trust-boundary weaknesses affecting other Anthropic products, including Claude Code, demonstrating broader challenges associated with AI agents that can directly interact with browsers, developer environments and online accounts.
The latest findings reinforce the importance of carefully validating user intent before granting AI assistants access to sensitive online services. As AI-powered browser agents become increasingly capable of interacting with email, documents and productivity platforms, researchers argue that ensuring those actions genuinely originate from users remains one of the most critical security controls.
The incident happened last week and impacted business operations such as the company’s taxi dispatch system, currently offline.
Nihon Kotsu has an annual revenue of around $1 billion.
The company has 18,228 employees and has 8,588 taxis and over 2000 chauffeur vehicles.
Nihon Kotsu said in a statement, “We have confirmed that our internal systems were subjected to unauthorized external access (malware infection)”. It further added that “immediately after detecting the unauthorized access, we implemented emergency measures, such as disconnecting systems to prevent further damage.”
The company has closed down systems to offline to stop the threat but it has widely caused disruption in services.
The incident has disrupted web booking, car hire, reservation management, few internal systems, and telephone dispatch service.
Nihon Kotsu advised people to use the ‘GO’ taxi app instead, or use a taxi stand for booking a Nihon Kotsu vehicle. It is a major operational damage for a company that has one of Tokyo’s biggest fleets but the manual working is still operational. The hire car reservation system is offline.
In a different announcement, Nihon Kotsu said that the “labor taxi” service for pregnant women is shut down in a few areas.
The firm has brought in external cybersecurity experts to assist in investigating if there has been a data leak. The internal network has been separated to limit further spread.
Currently, no data leak has been confirmed and Nihon Kotsu will provide updates via official channels. “We are currently conducting a detailed investigation with specialized agencies into whether and to what extent data has been leaked. At this time, no information leak has been confirmed. However, in the unlikely event that we discover any leak or potential leak of personal information of our customers or related parties, we will promptly make an official announcement and contact those affected individually, in accordance with the law,” Nihon Kotsu said.
Customers of Nihon Kotsu are cautioned not to click on any links in suspicious communications purporting to be from the company and not to open anything they receive.
Apple users are being urged to exercise caution when following troubleshooting instructions found online after cybersecurity experts underlined a growing social engineering tactic that tricks victims into pasting malicious commands into the macOS Terminal application. Rather than exploiting a flaw in macOS itself, the scam relies on convincing users to voluntarily execute commands that can install malware, grant attackers remote access, or expose sensitive information stored on their devices.
Often referred to as a "copy-paste" scam, the technique targets users unfamiliar with Terminal, a command-line interface included with macOS that enables direct interaction with the operating system through text-based commands. While the application is commonly used by developers, system administrators and advanced users to automate tasks or manage system settings, executing unfamiliar commands without understanding their function can introduce significant security risks.
Unlike traditional malware campaigns that exploit software vulnerabilities, this attack depends almost entirely on social engineering. Cybercriminals impersonate trusted sources or create convincing troubleshooting scenarios to persuade victims that running a Terminal command is necessary to fix a technical issue, improve security or restore system performance. Once executed, however, the command may download malicious software, establish remote access, alter security settings or perform other unauthorized actions without the user's awareness.
Depending on the instructions provided, attackers could gain access to documents, photographs, emails, browser data, financial information, saved credentials and contact lists stored on the Mac. Some malicious scripts may also deploy keylogging software capable of recording everything a victim types, including usernames, passwords and other confidential information. In more severe cases, attackers could install ransomware or persistence mechanisms that allow them to retain access to the compromised system even after a restart.
Security researchers note that the scam can begin through multiple channels. Victims may receive phishing emails or text messages containing the malicious command, encounter it in online discussion forums disguised as a legitimate solution, or visit fraudulent websites presenting it as an official troubleshooting step. Attackers have also been observed posing as technical support representatives over the phone, carefully instructing victims to open Terminal and manually type commands under the pretense of resolving an issue.
The rise of generative artificial intelligence has introduced another avenue for abuse. Threat actors may intentionally publish malicious commands across public websites and discussion platforms in an effort to influence AI-powered assistants through a technique known as indirect prompt injection. If an AI system retrieves or references poisoned content while responding to a user's troubleshooting request, it could inadvertently recommend unsafe commands. Although AI tools continue to improve their safeguards, cybersecurity experts advise users to independently verify any command before executing it on their systems.
The attack typically follows a similar pattern. After directing a user to open the Terminal application located within the Utilities folder inside Applications, the attacker provides one or more commands and claims they are required to diagnose, repair or secure the computer. In reality, those commands may download remote administration tools, retrieve additional payloads from external servers, modify system configurations or provide unauthorized access to the attacker's infrastructure.
Because the attack depends on user participation rather than exploiting a software flaw, many victims may not immediately recognize they are being targeted. Individuals unfamiliar with Terminal often have little reason to question commands presented by someone claiming to represent Apple, a software vendor or a technical support service. Similarly, users searching online for solutions may encounter malicious instructions embedded within forum posts or copied across multiple websites, making them appear credible.
To help reduce the effectiveness of these attacks, Apple introduced additional safeguards in recent versions of macOS. When users who do not regularly work in Terminal attempt to paste commands copied from websites, messaging platforms, email applications or chatbots, the operating system may interrupt the action with a warning indicating that the pasted content could contain malware or compromise privacy. Rather than automatically executing the command, the prompt encourages users to reconsider before proceeding.
Apple has also expanded malware detection capabilities within Terminal. If the operating system identifies known malicious content or scripts, it can block execution and notify the user that the pasted command has been prevented because it poses a security risk. These protections are designed to slow down impulsive actions and reduce the likelihood of users unknowingly compromising their own systems.
Cybersecurity professionals emphasize that no security warning should replace careful judgment. Users should never execute Terminal commands they do not fully understand, regardless of whether the instructions originate from an email, text message, online forum, chatbot or unsolicited phone call. Requests accompanied by pressure tactics or claims that immediate action is required should be treated with particular suspicion, as creating a false sense of urgency remains one of the most common techniques used in phishing campaigns.
Experts also caution against assuming that information found on public forums or generated by AI assistants is inherently trustworthy. Malicious instructions can spread rapidly across the internet and may be reproduced by multiple sources, giving them an appearance of legitimacy. Verifying guidance through official Apple documentation or other trusted security resources before executing any command remains one of the most effective ways to avoid becoming a victim of Terminal-based social engineering attacks.
Experts discovered a secret browsing-history collector built into its official store variant, and have withdrawn the ModHeader from Google and Microsoft.
An empty allow-list kept the collector switched off and it was dormant, and no proof has surfaced that it retrieved or sent even one browsing domain.
Stripe OLT, a UK cybersecurity organization analyzed the code against Google’s Web Store signature and verified the collector shipped within the authentic extension, not a fake one.
Stripe OLT’s study covers the Chrome build and its 900,000 users (an estimate); and Edge and its 700,000 users. Microsoft removed the listing on July 3rd whereas Google pulled the Chrome listing a week after, on July 10th.
Variant 7.0.18 still edits HTTP headers as shown. The same minimized background also consists of another system. On the first attempt, it makes a device fingerprint and deploys a hardcoded encryption key. As the user browses, it takes the domain from each page that user opens, encodes it, and gathers it locally, up to 1000 different domains.
A scheduler combines your fingerprint with the encrypted list, uploads it to api.stanfordstudies[.]com, and deletes the local copy once a day. If the collector were turned on, browsers using it wouldn't all beacon at once because the upload time is offset per install. The same pipeline is described in separate teardowns by researcher Yunus Aydin on version 7.0.17 and HackIndex on version 7.0.18.
The collector functions only if your browser matches an entry on an internal allow-list, but the list ships empty. Every time, the check fails, and the pipeline stops before it gathers even a single domain.
The small change is populating the list, without any click and no new permissions from the users, sent as a routine update. The endpoint URL, the scheduler, the storage logic, and the hardcoded key are all on the same device.
But not everything was silent. The extension pinged extensions-hub[.]com with the product, version, and browser when it was installed, updated, and uninstalled.
Additionally, it was evident that the piece had been running because a script that runs on every page had already recorded actual request metadata in plain text to local storage.
Developers and organizations using the Jscrambler npm package are being urged to audit their systems after multiple malicious releases were uploaded to the npm registry through a compromised publishing credential. The incident transformed a trusted development dependency into a malware delivery mechanism capable of stealing credentials, browser sessions, cryptocurrency wallets, and sensitive configuration files from Windows, macOS, and Linux systems. Jscrambler has confirmed the compromise was limited to its Code Integrity npm package and has advised users to upgrade to version 8.22.0 after revoking the affected publishing credentials and strengthening its release pipeline.
Security researchers first identified version 8.14.0 as the initial compromised release after discovering that it introduced a previously undocumented npm "preinstall" lifecycle hook. Unlike the legitimate 8.13.0 release, the malicious package included new files that were absent from Jscrambler's public source repository. During installation, the package silently unpacked and executed a native binary tailored to the victim's operating system, allowing the malware to run before developers ever interacted with the package itself. Socket detected the malicious release within minutes of publication, highlighting how quickly software supply chain attacks can unfold.
Technical analysis showed the package concealed separate native payloads for Linux, Windows, and macOS inside an obfuscated container embedded within the package. A lightweight loader selected the appropriate binary for the host operating system, wrote it to a temporary directory under a randomized filename, granted execution permissions where required, and launched it as a background process with minimal user visibility. Researchers also noted that these components never appeared in the project's public GitHub repository, suggesting the malicious code bypassed the project's normal development workflow and was introduced during package publication.
The payload itself is a Rust-based infostealer engineered to harvest assets commonly found on developer workstations and build infrastructure. Investigators found code targeting cloud credentials associated with AWS, Microsoft Azure, and Google Cloud, browser-stored passwords and cookies, cryptocurrency wallets, Bitwarden vault data, communication platforms such as Slack, Discord and Telegram, and developer secrets that could provide access to production environments. Researchers also observed the malware searching for configuration files belonging to AI-assisted development tools, including Claude Desktop, Cursor, Windsurf, Visual Studio Code and Zed, where API keys and Model Context Protocol credentials are frequently stored.
Beyond credential theft, the malware incorporated platform-specific capabilities intended to strengthen its foothold on compromised systems. Analysts found Linux-specific code interacting with eBPF, a kernel technology that allows programs to execute within the operating system kernel, although the precise purpose of this functionality remains under investigation. Windows and macOS variants incorporated persistence mechanisms designed to survive system reboots, while encrypted command-and-control communications complicated static analysis and hindered efforts to identify the attackers' infrastructure. Runtime monitoring also identified outbound connections associated with the campaign's command infrastructure.
The campaign expanded rapidly after the initial discovery. Additional malicious versions, including 8.16.0, 8.17.0, 8.18.0 and 8.20.0, were subsequently identified. While the earlier releases relied on npm's preinstall hook to execute the malware automatically during installation, later versions embedded the same payload directly into the package's runtime code. This change allowed the malware to execute when the package was imported or its command-line interface was launched, reducing the effectiveness of mitigations such as disabling lifecycle scripts during installation. Researchers described the shift as an example of attackers quickly adapting to evolving software supply chain defenses.
Further investigation by JFrog linked the malware to an evolved variant of the IronWorm infostealer. According to the researchers, the malware extends beyond information theft by attempting to propagate itself across the npm ecosystem. The code searches compromised systems for npm authentication tokens, validates the stolen credentials, identifies valuable packages, injects malicious components into package archives, and attempts to publish trojanized versions directly to the npm registry. JFrog also reported that the malware broadens its search to include VPN configurations, password managers, Tor-related files and directories associated with penetration testing frameworks, indicating an effort to compromise developers, security researchers and enterprise engineering teams alike.
The incident adds to a growing series of attacks targeting open source software distribution channels, where compromising trusted packages offers attackers access to developer workstations and CI/CD pipelines instead of directly attacking production systems. Because these environments often contain deployment credentials, signing keys, cloud secrets and proprietary source code, a single compromised dependency can expose far more than the application that depends on it. Researchers have increasingly warned that software supply chain attacks are shifting toward development infrastructure, making continuous dependency monitoring and rapid package verification critical components of modern software security.
Organizations that installed any affected version should immediately upgrade to Jscrambler 8.22.0 or later, investigate development workstations and build systems for signs of compromise, and assume any credentials accessible to the affected environment have been exposed. Security teams should rotate cloud credentials, npm and GitHub tokens, API keys, browser sessions and other secrets, inspect lockfiles and build logs for compromised package versions, and review systems for persistence artifacts before returning affected machines to service.
Experts from Mozilla Zero Day Investigative Network (0DIN) AI security platform said that the exploit takes place without any warning, no exploit code, and no malicious command approved by anyone.
Experts showed how a threat actor could deploy an interactive shell on a developer’s system via Claude Code to launch a cloned project with no malicious code in the repository.
The attack tactic relies on three patterns that show no signs of exploit:
oDIN experts said that this technique requires no malicious parts in the cloned repository as the AI agent automates the full attack line, also comprising a level that impersonates a user error.
Once successful, the threat actor would get a shell with developer’s privileges, allowing them access to API keys, environment variables, making establish persistence, and local configuration files.
“Claude Code never decided to open a shell. It decided to fix an error. The reverse shell is three indirection steps away from anything Claude Code actually evaluated: an error message it trusted, a script that fetched a value, and a DNS record it never saw,” oDIN experts said. “The attacker now has an interactive shell running as the developer's own user.”
Currently, the attack tactic is just a concept, but experts warn that hackers could effectively spread such GitHub repositories via fake job postings, direct messages, tutorials, and blog posts.
To avoid such exploits in future, oDIN researchers advise that AI agents should reveal the full deployment chain of setup instructions, like scripts and code retrieved dynamically at runtime.