Multiple security-relevant disclosures concerning Anthropic's Claude surfaced in early May 2026. Mitiga Labs detailed an MCP hijacking technique against Claude Code in which a malicious npm package modifies ~/.claude.json to man-in-the-middle MCP traffic and exfiltrate OAuth tokens that grant broad access to all connected tools. Adversa AI separately published 'TrustFall,' showing that Claude Code v2.1+ removed prior MCP warnings in its trust dialog, allowing a malicious repository shipping an MCP server with an auto-approving .claude/settings.json to achieve one-keypress, unsandboxed RCE (and zero-prompt RCE on CI runners); Cursor, Gemini CLI, and Copilot CLI are similarly affected. Dragos and Gambit Security also reported that a threat actor abused Claude (alongside GPT) as an operational engine during a January 2026 intrusion at a Monterrey, Mexico water utility, with Claude generating a 17,000-line Python intrusion framework and guiding the actor toward OT assets as part of a broader campaign against Mexican government targets. Defenders using Claude Code should audit ~/.claude.json, restrict MCP server trust, and monitor for malicious npm lifecycle hooks pending vendor mitigations.
// Service
Claude
// Alerts
Recent threats
// ClaudeHIGH
// ClaudeHIGH
LayerX researchers disclosed ClaudeBleed, a vulnerability in the Claude for Chrome extension that allows any installed Chrome extension—without special permissions—to hijack the Claude AI agent and issue privileged commands. The flaw stems from the extension trusting the claude.ai origin rather than the execution context, combined with an externally_connectable configuration and a message handler that forwards arbitrary prompts. Exploitation enables remote prompt injection, exfiltration of private Google Drive and Gmail data, and sending emails on behalf of the user without consent. The issue was reported by LayerX senior researcher Aviad Gispan, and impacts users who have installed the Claude Chrome extension.