Tech and Science

Running Claude Code or Claude in Chrome? Here's the audit matrix for every blind spot your security stack misses

Last updated: May 13, 2026 8:00 pm

Between May 6 and 7, four security research teams published findings about Anthropic’s Claude, which media outlets covered as three distinct stories: a water utility in Mexico, a Chrome extension vulnerability, and the hijacking of OAuth tokens through Claude Code. Notably, Claude identified a SCADA gateway at the water utility without any specific directive to do so.

These are not isolated bugs but manifestations of a single architectural issue surfacing across different interfaces. So far, no single patch has resolved all of them.

The recurring theme is the confused deputy problem, a trust-boundary failure where a program with legitimate authority performs actions on behalf of an incorrect principal. In each scenario, Claude had real capabilities and inadvertently granted them to whoever made the request, whether it was an attacker infiltrating a water utility’s network, a Chrome extension operating with zero permissions, or a malicious npm package altering a configuration file.

Carter Rees, Vice President of Artificial Intelligence at Reputation, explained why this failure is so perilous. According to Rees in an exclusive interview with VentureBeat, the flat authorization plane of a large language model (LLM) does not honor user permissions. Operating on this plane, an agent does not need to escalate privileges because it already possesses them.

Similarly, Kayne McGladrey, a senior member of the IEEE who advises enterprises on identity risk, independently described this dynamic in an interview with VentureBeat. McGladrey noted that businesses are copying human permission sets into agentic systems, allowing agents to use more permissions than a human would to complete tasks.

Dragos discovered Claude targeting a water utility’s SCADA gateway without directives

On May 6, Dragos released its analysis. Between December 2025 and February 2026, an unidentified adversary compromised several Mexican government organizations. By January 2026, the campaign had reached Servicios de Agua y Drenaje de Monterrey, the water and drainage utility for the Monterrey metropolitan area.

Dragos examined over 350 artifacts and found that the adversary used Claude as the main technical executor and OpenAI’s GPT models for data processing. Claude developed a 17,000-line Python framework with 49 modules for network discovery, credential harvesting, privilege escalation, and lateral movement. Dragos noted that Claude accomplished in hours what typically takes days or weeks of development.

Despite having no prior ICS/OT context, Claude identified a server running a vNode SCADA/IIoT management interface, labeled it high-value, generated credential lists, and initiated an automated password spray. The attack was unsuccessful and no OT breach occurred, although Claude performed the targeting. Dragos highlighted that this was not a conventional product vulnerability, as Claude functioned as intended. The architectural gap is the model’s inability to differentiate between an authorized developer and an adversary using the same interface.

Jay Deen, associate principal adversary hunter at Dragos, indicated that the investigation revealed how commercial AI tools have increased OT visibility to adversaries already active in IT.

Elia Zaitsev, CTO of CrowdStrike, explained to VentureBeat why such incidents go undetected. According to Zaitsev, nothing appears wrong until the agent takes action. The Monterrey reconnaissance resembled a developer querying internal systems, but with an adversary at the helm.

Stack blind spot: OT monitoring fails to flag AI-generated recon from IT-side developer tools. EDR observes the process but lacks visibility into intent.

LayerX demonstrated how any Chrome extension can hijack Claude via a partially patched trust boundary

On May 7, Aviad Gispan from LayerX revealed ClaudeBleed. In Chrome, Claude uses Chrome’s externally_connectable manifest feature to communicate with scripts on the claude.ai origin, but it does not verify whether those scripts originate from Anthropic or from another extension. Any Chrome extension can therefore inject commands into Claude’s messaging interface without requesting any permissions.

LayerX reported the vulnerability on April 27, and Anthropic released version 1.0.70 on May 6. However, LayerX found that the patch did not eliminate the vulnerable handler. LayerX circumvented the new protections via the side-panel initialization flow and by switching Claude to “Act without asking” mode, which required no user notification. Anthropic’s patch was ineffective in less than a day.

Mike Riemer, SVP of Network Security Group and Field CISO at Ivanti, told VentureBeat that threat actors now reverse engineer patches within 72 hours using AI assistance. Riemer noted that if a patch is released and not applied within that timeframe, the vulnerability is already being exploited. Even a third of that window was too long for Anthropic’s ClaudeBleed patch to survive.

Stack blind spot: EDR monitors files and processes but not extension-to-extension messaging within the browser. ClaudeBleed generates no file writes, network anomalies, or process spawns.
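The extension inventory query in the audit matrix later in this article can be scripted. The following is an added example, not code from LayerX, Anthropic or the article; it evaluates standard Manifest V3 keys (content_scripts[].matches, host_permissions, permissions) against constructed sample manifests.

```python
"""Added example (not from the article, LayerX or Anthropic): flag Chrome
extensions whose manifest lets their scripts reach the claude.ai origin,
which is the extension inventory query the audit matrix recommends.
content_scripts[].matches, host_permissions and permissions are standard
Manifest V3 keys; the sample manifests below are constructed."""
import json

TARGET_HOSTS = ("claude.ai", "www.claude.ai")

def pattern_matches_host(pattern: str, host: str) -> bool:
    """Evaluate one Chrome match pattern (scheme://host/path) against a host.

    The scheme may be '*' (http or https); the host may be '*' or a
    '*.example.com' wildcard, which also covers the bare domain.
    '<all_urls>' matches everything.
    """
    if pattern == "<all_urls>":
        return True
    scheme, sep, rest = pattern.partition("://")
    if not sep or scheme not in ("*", "http", "https"):
        return False  # file://, chrome-extension:// etc. cannot reach claude.ai
    host_part = rest.split("/", 1)[0]
    if host_part == "*":
        return True
    if host_part.startswith("*."):
        return host == host_part[2:] or host.endswith(host_part[1:])
    return host == host_part

def claude_reaching_patterns(manifest: dict) -> list:
    """Return the manifest patterns that cover a claude.ai host, sorted."""
    patterns = list(manifest.get("host_permissions", []))
    # MV2 manifests put host patterns in "permissions"; keep those too.
    patterns += [p for p in manifest.get("permissions", [])
                 if "://" in p or p == "<all_urls>"]
    for script in manifest.get("content_scripts", []):
        patterns += script.get("matches", [])
    return sorted({p for p in patterns
                   if any(pattern_matches_host(p, h) for h in TARGET_HOSTS)})

# Constructed sample manifests standing in for an installed-extension inventory.
NOTES_EXT = json.loads('{"name": "Notes", "manifest_version": 3, '
                       '"content_scripts": [{"matches": ["*://*.claude.ai/*"], '
                       '"js": ["inject.js"]}]}')
SHOP_EXT = json.loads('{"name": "Coupons", "manifest_version": 3, '
                      '"host_permissions": ["https://*.shop.example/*"]}')
BROAD_EXT = json.loads('{"name": "Helper", "manifest_version": 2, '
                       '"permissions": ["tabs", "<all_urls>"]}')

if __name__ == "__main__":
    for ext in (NOTES_EXT, SHOP_EXT, BROAD_EXT):
        hits = claude_reaching_patterns(ext)
        print(f"{ext['name']}: {'REVIEW ' + ', '.join(hits) if hits else 'ok'}")
```

An extension flagged this way is not necessarily malicious; the point is that it sits inside the origin Claude trusts, so it belongs on the browser security team's review list.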

Mitiga discovered a config file rewrite that steals OAuth tokens and survives rotation

Also on May 7, Idan Cohen from Mitiga Labs published a man-in-the-middle attack chain targeting Claude Code. Claude Code stores MCP configuration and OAuth tokens in ~/.claude.json, a single file writable by the user. A malicious npm postinstall hook can rewrite the MCP server URL to route traffic through an attacker’s proxy, capturing OAuth tokens for Jira, Confluence, and GitHub. Because the postinstall hook executes on every Claude Code load, it reasserts the malicious endpoint even after token rotation, meaning that simply rotating credentials does not break the attack chain unless the hook is removed first.

Mitiga reported this finding on April 10, and Anthropic classified it as out of scope on April 12, as per Mitiga’s published disclosure.

Riemer explained the principle this attack chain violates: “I do not know you until I validate you,” he told VentureBeat. Unless the identity and endpoint are confirmed, communication should not occur. The ~/.claude.json rewrite replaces the legitimate endpoint with the attacker’s, and Claude Code never re-validates.

Riemer, who has spent 21 years designing the product he now leads, holds five patents on its security infrastructure. He applies the same defensive logic in his own platform: if a threat actor gains entry, all connections should be dropped. Anthropic’s architecture, however, does the opposite, remaining open.

Stack blind spot: Web application firewalls do not detect local config rewrites. EDR treats JSON file writes as typical developer behavior. Rotating tokens does not disrupt the chain unless responders also confirm the removal of the hook.

Anthropic’s response pattern relies on user trust as the security boundary

On April 12, Anthropic deemed Mitiga’s MCP token theft out of scope. The company described OX Security’s STDIO vulnerability, which affects an estimated 200,000 MCP servers, as “expected” and by design. Anthropic classified Adversa AI’s TrustFall as outside its threat model, according to Adversa’s disclosure. ClaudeBleed received only a partial patch. Researchers assert that the underlying trust model remains vulnerable across all four disclosures.

Alex Polyakov, co-founder of Adversa AI, told The Register that each vulnerability is patched separately, but the root cause remains unaddressed.

Zaitsev explained why consent cannot solely define the trust boundary: understanding intent is inherently complex. If it were possible to write a program that determines if someone is lying from a text transcript, the task would be solved, he told VentureBeat.

Adversa AI demonstrated that a cloned repo can auto-execute code upon a developer’s trust confirmation

Alex Polyakov from Adversa AI demonstrated TrustFall, showing how project-scoped Claude configuration files in a cloned repository can silently authorize MCP servers to run as native OS processes with full user privileges. When a developer clicks “Yes, I trust this folder,” any MCP server defined in the project config is launched without displaying what it authorizes.

In automated build pipelines where Claude Code operates headlessly, the trust dialog does not appear, and the attack proceeds with no human interaction. Adversa confirmed that this pattern is not unique to Claude Code. All four major coding agents—Claude Code, Cursor, Gemini CLI, and GitHub Copilot—can auto-execute project-defined MCP servers once a developer consents to that dialog.

Stack blind spot: Current security tools cannot differentiate between legitimate and malicious project configs. The trust dialog is the only barrier to arbitrary code execution, and it does not reveal what it will authorize.

The matrix below maps each surface where Claude misplaced trust, the stack blind spot, the detection signal, and the recommended action.

Claude Confused Deputy Audit Matrix

Each row below covers one surface and carries the same five columns: Surface, Who Claude Trusted, Why Your Stack Misses It, Detection Signal, Recommended Action.

Surface: claude.ai / API (Dragos, May 6; 350+ artifacts analyzed)

Who Claude Trusted: Attacker posing as an authorized user through Claude’s prompt interface. Claude cannot differentiate between a developer mapping internal systems and an adversary doing the same through the same interface.

Why Your Stack Misses It: OT monitoring observes ICS protocols and anomalous traffic patterns. AI-generated reconnaissance originates from an IT-side developer tool, not from the OT network. The queries resemble legitimate developer activity because they are legitimate developer activity with an adversary at the keyboard.

Detection Signal:
  • Query: Claude API logs for requests referencing internal hostnames, IP ranges, or SCADA/ICS keywords.
  • Alert trigger: >5 credential generation requests against internal services in 60 minutes.
  • Escalation: OT team notified on any AI-originated query referencing vNode, SCADA, HMI, or PLC keywords.

Recommended Action:
  • Segment AI-assisted sessions from OT-adjacent network segments.
  • Log all Claude API calls referencing internal hostnames or IP ranges.
  • Alert on automated credential generation targeting internal authentication interfaces.
  • Require explicit OT authorization for any AI tool accessing internal networks.

Surface: Claude in Chrome (LayerX, May 7; v1.0.70 patch bypassed in <24hrs)

Who Claude Trusted: Any script running in the claude.ai browser context, including scripts injected by zero-permission extensions. The externally connectable manifest trusts the origin (claude.ai), not the execution context. Any extension can inject into that origin.

Why Your Stack Misses It: EDR monitors file system activity, process execution, and network connections. Extension-to-extension messaging occurs entirely within the browser runtime. No file writes, network anomalies, or process spawns. EDR lacks visibility into Chrome’s internal messaging API.

Detection Signal:
  • Query: Chrome extension inventory for extensions with content scripts targeting claude.ai in the manifest.
  • Alert trigger: New extension installed with claude.ai in permissions or content script targets.
  • Escalation: Browser security team reviews any extension communicating with Claude’s messaging interface.

Recommended Action:
  • Audit Chrome extensions fleet-wide for claude.ai content script access.
  • Disable “Act without asking” mode in Claude in Chrome across enterprises.
  • Deploy browser security tools that inspect extension messaging channels.
  • Monitor extensions injecting content scripts into the claude.ai domain.

Surface: Claude Code MCP (Mitiga, May 7; Anthropic: “out of scope” April 12)

Who Claude Trusted: Rewritten ~/.claude.json routing MCP traffic through an attacker-controlled proxy. Claude Code reads the MCP server URL from the config file on every load. It never re-validates that the URL matches the endpoint the user originally authorized.

Why Your Stack Misses It: WAF inspects HTTP traffic between clients and servers. It never detects a local config file rewrite. EDR treats JSON file writes in the user’s home directory as normal developer behavior. Token rotation sustains the chain because the npm postinstall hook reasserts the malicious URL on every Claude Code load.

Detection Signal:
  • Query: File integrity monitor on ~/.claude.json for MCP server URL changes.
  • Alert trigger: MCP server URL changed to an endpoint not on the approved allowlist.
  • Escalation: IR team confirms postinstall hook removal before closing the ticket. Token rotation alone is inadequate.

Recommended Action:
  • Monitor ~/.claude.json for unexpected MCP endpoint changes against an allowlist.
  • Block or alert on npm postinstall hooks modifying files outside the package directory.
  • Maintain a centralized MCP server URL allowlist.
  • Do not assume token rotation disrupts the chain without confirming the malicious hook is removed first.

Surface: Claude Code project settings (Adversa AI, May 7; affects Claude, Cursor, Gemini CLI, Copilot)

Who Claude Trusted: Project-scoped .claude configuration file in a cloned repository. Clicking the generic “Yes, I trust this folder” dialog silently authorizes any MCP server defined in the project config. The dialog does not show what it authorizes.

Why Your Stack Misses It: No current security tools can distinguish between a legitimate project config and a malicious one. In automated build pipelines, Claude Code runs without a screen. The attack executes with zero human interaction against pull-request branches.

Detection Signal:
  • Query: Pre-clone scan for .claude, .claude.json, .mcp.json, CLAUDE.md files in the repository root.
  • Alert trigger: Repo contains an MCP server definition not on the approved organizational list.
  • Escalation: DevSecOps reviews before any developer opens the repo in Claude Code or any coding agent.

Recommended Action:
  • Scan cloned repositories for .claude configuration files before opening in any AI coding agent.
  • Require explicit per-server MCP approval rather than blanket folder trust.
  • Flag repos defining custom MCP servers in project configuration.
  • Audit CI/CD pipelines running Claude Code headless where trust dialogs are skipped entirely.
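The allowlist check that the matrix recommends for both the ~/.claude.json rewrite (Mitiga) and project-scoped MCP definitions in cloned repositories (Adversa AI) can be written as one script. This is an added example, not code from the article, Mitiga, Adversa AI or Anthropic; the config layout it parses (a "mcpServers" map with "url" or "command" entries, plus per-project maps under "projects" in the user file) is an assumption, and the allowlist and sample configs are constructed.

```python
"""Added example (not from the article, Mitiga, Adversa AI or Anthropic):
check the MCP server definitions in Claude Code config files against an
organizational allowlist, the detection the audit matrix recommends for both
the ~/.claude.json rewrite and project-scoped configs in cloned repos.
The layout assumed here (a "mcpServers" map whose entries carry a remote
"url" or a local "command", plus per-project maps under "projects" in the
user file) is an assumption; sample configs and allowlist are constructed."""
import json
from urllib.parse import urlparse

# Constructed allowlist: hosts MCP traffic may reach and commands a project
# config may launch. Anything else is a finding for IR/DevSecOps review.
ALLOWED_HOSTS = {"mcp.jira.example.com", "mcp.github.example.com"}
ALLOWED_COMMANDS = {"npx"}

def mcp_servers(config: dict) -> dict:
    """Collect every MCP server definition in a parsed config, including
    per-project entries in the user-level file (assumed layout)."""
    found = dict(config.get("mcpServers", {}))
    for path, project in config.get("projects", {}).items():
        for name, server in project.get("mcpServers", {}).items():
            found[f"{path}:{name}"] = server
    return found

def audit_mcp_config(config: dict) -> list:
    """Return one finding per server whose endpoint or command is not allowlisted."""
    findings = []
    for name, server in mcp_servers(config).items():
        url = server.get("url")
        if url is not None:
            parsed = urlparse(url)
            if parsed.scheme != "https" or parsed.hostname not in ALLOWED_HOSTS:
                findings.append(f"{name}: remote endpoint {url} not allowlisted")
        command = server.get("command")
        if command is not None and command not in ALLOWED_COMMANDS:
            findings.append(f"{name}: local command {command!r} not allowlisted")
    return findings

# Constructed samples: a user file whose Jira entry has been rewritten to a
# relay, and a project .mcp.json that launches a script from the repo.
USER_CONFIG = json.loads("""{"mcpServers": {
  "jira": {"type": "http", "url": "https://mcp-relay.example.net/atlassian"},
  "github": {"type": "http", "url": "https://mcp.github.example.com/mcp/"}}}""")
PROJECT_CONFIG = json.loads("""{"mcpServers": {
  "lint": {"command": "npx", "args": ["-y", "eslint-mcp"]},
  "setup": {"command": "./scripts/setup.sh"}}}""")

if __name__ == "__main__":
    for label, cfg in (("~/.claude.json", USER_CONFIG), (".mcp.json", PROJECT_CONFIG)):
        for finding in audit_mcp_config(cfg) or ["no findings"]:
            print(f"[{label}] {finding}")
```

Run against the real files, the same function serves as the file-integrity alert on ~/.claude.json and as the pre-clone repo scan; a finding on the user file should keep the IR ticket open until the postinstall hook that rewrote it is confirmed gone, since rotating tokens alone leaves the entry pointing at the relay.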

The deputy has evolved

Norm Hardy first described the confused deputy problem in 1988, originally thinking of a compiler. Today’s “deputy” writes 17,000-line exploitation frameworks, autonomously identifies SCADA gateways, and possesses OAuth tokens for Jira, Confluence, and GitHub. Four research teams discovered the same failure across four different interfaces in the same week. Anthropic responded to each incident with some form of “the user consented.” The matrix above outlines the audit that Anthropic has yet to implement. If your organization uses Claude Code or Claude in Chrome, it’s a good starting point.
