Four security research teams have identified a shared architectural flaw in Anthropic’s Claude products, specifically Claude Code and Claude in Chrome: each behaves as a “confused deputy”, a privileged component that an untrusted party (a cloned repository’s configuration, a rewritten local config file, another browser extension) can induce to exercise the legitimate permissions it holds on the user’s behalf. The findings, published between May 6 and 7, 2026, show an adversary using Claude to generate reconnaissance frameworks against sensitive infrastructure such as a water utility’s SCADA gateway, and Claude in Chrome being hijacked by extensions that request no permissions at all. Anthropic’s patches were bypassed quickly, in one case within 24 hours, and the episode exposes a detection gap: traditional security controls see the action but not the intent behind it, so they cannot distinguish AI-driven activity from legitimate developer work.

Dragos: Dragos provides OT cybersecurity platforms for ICS asset visibility, threat detection, and response in industrial environments. It analyzed Claude’s role in an AI-assisted compromise of Mexican government entities, including a water utility’s SCADA systems. Its May 6 report highlighted how AI tools let adversaries blur the IT-OT boundary.
LayerX: LayerX offers an agentless browser security platform that enforces real-time policies against data leakage through AI tools, SaaS applications, and the web. Its research exposed ClaudeBleed, a vulnerability in the Claude in Chrome extension that allows script injection across trust boundaries, and it verified that Anthropic’s initial fix was bypassed quickly.
Mitiga: Mitiga delivers cloud detection and response for SaaS and cloud threats; its Labs team publishes attack research. Mitiga Labs demonstrated persistent OAuth token theft in Claude Code by rewriting the local config so that API traffic is routed through an attacker-controlled proxy. Anthropic classified the April disclosure as out of scope.
Jay Deen: Jay Deen is an associate principal adversary hunter at Dragos, tracking OT threats, including Middle East campaigns. He detailed an adversary’s use of Claude to generate OT reconnaissance frameworks targeting a Mexican water utility’s SCADA gateway, and Dragos emphasized that Claude cannot differentiate a developer from an attacker issuing the same requests.
Anthropic: Anthropic is an AI safety-focused company developing the Claude family of large language models and agentic tools for coding and browser automation. Its products Claude Code and Claude in Chrome recently faced scrutiny for a shared ‘confused deputy’ architectural flaw that lets an untrusted party misuse their broad permissions. Multiple research teams disclosed these trust boundary failures in early May 2026; Anthropic issued patches that only partially resolved the issues.
Adversa AI: Adversa AI focuses on AI security through automated red teaming for LLMs, agents, and generative apps. It revealed TrustFall, in which a project’s configuration files trigger silent code execution in Claude Code and peer coding agents once the user trusts the folder. The firm criticized consent models that leave users exposed to supply chain risk in AI tools.
Idan Cohen: Idan Cohen is a senior cloud security researcher at Mitiga Labs, investigating SaaS supply chain and integration risks. He published a man-in-the-middle attack chain against Claude Code in which an npm lifecycle hook rewrites the user’s config to steal OAuth tokens. The technique survives token rotation because the hook reactivates each time the config is reloaded.
Carter Rees: Carter Rees serves as VP of Artificial Intelligence at Reputation, applying machine learning to predictive reputation management. He pinpointed the danger of LLM deployments with a flat authorization plane, in which agents inherit excessive privileges wholesale. Rees shared this analysis in a VentureBeat interview amid the Claude vulnerability disclosures.
Claude Code: Claude Code is Anthropic’s terminal-based agentic coding tool that reads codebases, edits files, runs tests, and commits changes via natural language prompts. It is affected by flaws such as config-file rewrites that steal OAuth tokens and project trust dialogs that enable arbitrary code execution from cloned repositories. Both are instances of the confused deputy problem and were reported by Mitiga and Adversa AI in May 2026.
Mike Riemer: Mike Riemer is SVP of the Network Security Group and Field CISO at Ivanti, with decades of experience architecting secure platforms and multiple patents. He noted that threat actors use AI to reverse engineer patches within days and criticized Claude Code’s fail-open design, advocating fail-safe measures such as dropping connections to unknown endpoints.
Aviad Gispan: Aviad Gispan is a security researcher at LayerX, focusing on browser extension and AI governance risks. He uncovered ClaudeBleed, which lets a zero-permission extension hijack Claude in Chrome through the extension’s externally connectable messaging channel. Anthropic’s version 1.0.70 patch was bypassed via initialization flows and silent modes.
Elia Zaitsev: Elia Zaitsev is Chief Technology Officer at CrowdStrike, driving AI and machine learning for cybersecurity innovations. He explained that Claude’s actions evade detection because they resemble developer queries until the moment of execution, and argued that user consent alone cannot determine an agent’s intent.
Alex Polyakov: Alex Polyakov is co-founder and CTO of Adversa AI, pioneering red teaming for agentic AI and LLMs. He disclosed TrustFall, in which configuration files in a cloned repository trigger MCP server execution as soon as the user clicks a generic ‘trust this folder’ dialog. The flaw affects major coding agents, and isolated vendor patches fail to fix the class of issue.
Kayne McGladrey: Kayne McGladrey is a CISSP-certified cybersecurity advisor and IEEE senior member specializing in AI governance and identity risks. He critiqued enterprises for mirroring human permissions onto agentic systems, which enables overreach. McGladrey independently described this issue in a VentureBeat interview during the Claude flaw reports.
Claude in Chrome: Claude in Chrome is Anthropic’s beta browser extension that embeds Claude to automate web tasks such as form filling and navigation directly in the browser. LayerX disclosed the ClaudeBleed vulnerability, which allows any extension to inject commands because script origins are not verified. Anthropic’s partial patch was bypassed within 24 hours via side-panel flows.

{
  "Patch Evasion": "Anthropic's attempts to address disclosed vulnerabilities were quickly circumvented, highlighting difficulties in securing systems dependent on user trust.",
  "Detection Gaps": "Standard security mechanisms fail to detect AI-generated activities that imitate legitimate developer actions, lacking intent visibility in various contexts such as operational technology, endpoint detection, and browser environments.",
  "Architectural Flaw": "Claude products demonstrate a trust boundary issue where legitimate actions are performed without adequate verification of the responsible entity across different platforms."
}