When trusted developers make mistakes, the consequences can be catastrophic. Anthropic, one of the most prominent AI companies, published three official Claude Desktop extensions that sat at the top of its extension marketplace with over 350,000 combined downloads, all containing the same critical remote code execution vulnerability.
The Chrome, iMessage, and Apple Notes connectors were vulnerable to command injection attacks that could transform a simple user question into complete system compromise.
Understanding the Threat
The vulnerability stems from unsanitized command injection, a fundamental class of security flaw that developers have understood for decades.
Unlike malware, which requires installation, or phishing, which requires user interaction, this flaw could be exploited through normal Claude interactions.
When a user asked Claude a simple question like “Where can I play paddle in Brooklyn?”, that question could trigger arbitrary code execution if the search results contained specially crafted malicious payloads.
SSH keys, AWS credentials, and browser passwords could all be exposed with no user awareness of the attack.
Anthropic confirmed the vulnerabilities in all three extensions as high severity, with a CVSS score of 8.9; patches have since been released.
However, the implications extend far beyond these three extensions, revealing systemic risks in the emerging MCP ecosystem.
Claude Desktop Extensions, distributed as .mcpb bundles, run fully unsandboxed with complete system permissions, unlike Chrome extensions, which operate in sandboxed environments.
Each vulnerable extension passed user-supplied input into AppleScript commands without escaping or validation, allowing an attacker to break out of the string literal and inject arbitrary AppleScript.
When Claude fetched web pages to answer questions, attacker-controlled sites could inject prompt payloads that exploited these extensions, establishing a direct chain from remote content to local code execution.
The real concern extends beyond these three official extensions. The MCP ecosystem is expanding rapidly, with independent developers creating new extensions, many of them using AI-assisted coding with minimal security review.
This combination of full local access, rapid iteration cycles, and limited oversight creates a significant attack surface.
These vulnerabilities represent not an isolated incident but a warning signal about the security maturity of AI desktop integration frameworks.
Users must understand that MCP extensions operate fundamentally differently from traditional browser add-ons; they execute with system-level privileges and require proportionally higher security scrutiny.