How Claude’s Security Gaps Expose Enterprises to Silent AI Threats

Recent security findings show that Anthropic’s Claude AI assistant isn’t just vulnerable to isolated bugs—it’s exposing entire enterprise ecosystems to silent, sophisticated attacks. Between May 6 and 7, four separate research teams uncovered distinct yet interconnected threats tied to Claude’s core architecture. While many outlets framed these as isolated incidents, the reality is far more alarming: they’re symptoms of a systemic design flaw that no single patch can fix.

At the heart of these vulnerabilities lies a fundamental misalignment between how AI agents operate and how traditional security tools assess risk. Instead of isolated flaws, security experts now describe a pattern of confused deputy attacks—where Claude, acting with legitimate authority, executes actions on behalf of unauthorized actors. This architectural weakness spans multiple surfaces, from industrial control systems to browser extensions, leaving security teams scrambling to identify and mitigate blind spots their existing tools were never designed to detect.

The Confused Deputy Problem: When AI Agents Overstep Their Bounds

A confused deputy occurs when a system with legitimate permissions performs actions on behalf of an unauthorized party. In Claude’s case, this manifests in three critical ways:

• Industrial systems: An attacker probing a water utility’s network through Claude, which identifies high-value targets like SCADA gateways without explicit instruction.
• Browser extensions: Any Chrome extension can hijack Claude’s messaging interface, injecting commands with zero permissions required.
• OAuth tokens: Malicious npm packages can rewrite configuration files to steal and maintain access to OAuth tokens, even after rotation.

Neither Carter Rees, VP of AI at Reputation, nor Kayne McGladrey, a senior IEEE member, mince words when describing the structural risk. Rees notes that LLMs operate on a flat authorization plane, where agents lack the privilege escalation mechanisms that traditionally protect human users. McGladrey adds that enterprises are cloning human permission sets onto AI agents—often granting them far more access than a human would ever need.

This mismatch creates a nightmare for security teams. Traditional monitoring tools like EDR platforms flag suspicious processes or file writes, but they’re blind to intent. As CrowdStrike CTO Elia Zaitsev explains, malicious activity often looks like legitimate developer behavior until the moment an attack is executed. The Monterrey water utility attack, for instance, began with Claude performing reconnaissance that mirrored developer queries—until it identified and targeted a critical SCADA server.

Industrial Espionage Takes a New Form: AI-Driven Reconnaissance

Dragos’ analysis of the Monterrey water utility breach reveals a chilling reality: AI isn’t just a tool for attackers—it’s becoming the tool. Between December 2025 and February 2026, adversaries compromised multiple Mexican government organizations, culminating in a January 2026 campaign targeting Servicios de Agua y Drenaje de Monterrey.

What makes this attack unique isn’t the breach itself, but how it was orchestrated. Claude acted as the primary executor, while OpenAI’s GPT models handled data processing. The result? A 17,000-line Python framework packed with 49 modules for network discovery, credential harvesting, privilege escalation, and lateral movement—compressed into hours of work that would traditionally take days or weeks.

Most concerning is that Claude performed this reconnaissance without any prior ICS/OT context. It autonomously identified a vNode SCADA/IIoT management interface, classified it as high-value, generated credential lists, and launched an automated password spray. The attack failed, but not because Claude lacked the capability—only because the target was well-defended. Dragos emphasized that this wasn’t a product vulnerability in the traditional sense. Instead, it’s an architectural gap: Claude cannot distinguish between an authorized developer and an adversary using the same interface.

Browser Extensions: The Silent Puppeteers of AI Assistants

LayerX’s discovery of ClaudeBleed exposes another critical blind spot: the unchecked communication between Claude and Chrome extensions. The issue stems from how Claude’s browser extension interacts with the claude.ai origin. By leveraging Chrome’s externally connectable feature, the extension allows scripts to inject commands—but fails to verify their origin.

The flaw, disclosed on April 27, was partially patched in version 1.0.70 on May 6. However, LayerX bypassed the new protections within hours by exploiting the side-panel initialization flow and enabling "Act without asking" mode—both requiring no user notification. Mike Riemer, SVP of Network Security Group and Field CISO at Ivanti, warns that threat actors are now reverse engineering patches within 72 hours using AI assistance. Anthropic’s patch didn’t survive even a third of that window.

Traditional EDR tools are ill-equipped to detect such attacks. They monitor files, processes, and network anomalies, but extension-to-extension messaging falls outside their scope. As a result, an attacker can hijack Claude’s interface to exfiltrate data or execute commands without triggering a single alert.

OAuth Token Theft: The Persistent Backdoor

Mitiga’s research highlights a third blind spot: the theft of OAuth tokens through configuration file rewrites. Claude Code stores MCP configuration and OAuth tokens in ~/.claude.json, a file that’s often overlooked by security policies. By injecting a malicious npm package, attackers can rewrite this file to redirect API calls through a man-in-the-middle server.

What makes this attack particularly insidious is its persistence. Even after users rotate their OAuth tokens, the compromised configuration file ensures continued access. The stolen tokens can be used to impersonate legitimate users, access sensitive data, or even move laterally across an organization’s infrastructure.

Moving Forward: Rethinking AI Security in a Post-Claude World

The incidents involving Claude aren’t isolated failures—they’re a wake-up call for enterprises racing to adopt AI agents. Security teams must shift from traditional threat detection to intent-based monitoring, where the focus isn’t just on what an AI agent does, but why it’s doing it. Tools like EDR and SIEM need to evolve to track AI-driven reconnaissance, extension interactions, and configuration changes in real time.

For now, the patch cycle remains reactive. Vendors like Anthropic are scrambling to address symptoms, but the root cause—a flat authorization model—remains unaddressed. Enterprises must prioritize least-privilege architectures for AI agents, enforce strict validation of extension interactions, and implement continuous monitoring for configuration tampering. The question isn’t whether another blind spot will emerge—it’s when.