Attack Method Overview
Security researchers at Pentera Labs have demonstrated a novel attack that turns an Anthropic Claude Desktop assistant into a remote code execution tool. The attack begins with compromising a third party platform that aggregates email inboxes, achieved through an exploited authentication flow. Rather than using conventional phishing or password reset techniques, the attackers used their inbox access to move laterally into the victim’s Claude account.
The key attack surface was the “Personal Preferences” field, a user editable prompt that synchronizes across every device and session tied to the account. By injecting an encoded, non obvious prompt into this synced field, the researchers caused Claude Desktop to silently adopt attacker controlled instructions the next time the victim opened the app, with no re authentication or visible warning triggered.
Execution and Impact
Once the malicious prompt was in place, Claude Desktop began enumerating installed command capable extensions, such as the Desktop Commander MCP tool. If a suitable extension was already present, Claude executed the attacker’s commands automatically during a routine chat, requiring zero additional victim interaction. If no such extension existed, Claude became a social engineering vector, displaying a convincing fake error message that urged the user to install Desktop Commander with a legitimate looking install page.
Pentera reported its findings to Anthropic in November 2025. Anthropic acknowledged the research but declined to classify it as a security vulnerability, stating that personal preferences, skills, and MCP connectors are designed to execute code by intent and calling the behavior expected functionality. The company noted that related safeguards are on its roadmap and pointed to existing session management and account authentication controls as mitigations, while emphasizing the attack requires a prior account compromise. Security teams are urged to treat AI desktop applications as privileged software and monitor for unauthorized changes to synced assistant settings.
Source: Cyber Security News
