Researchers find flaw that could let websites inject prompts into Anthropic’s Claude Chrome extension


Cybersecurity researchers disclosed a vulnerability in Anthropic’s Claude Google Chrome extension that could allow a malicious website to inject prompts into the assistant when a user simply visited a page, Koi Security researcher Oren Yomtov said in a report.

The flaw, codenamed ShadowPrompt, chained two defects: an overly permissive origin allowlist that accepted any subdomain matching the pattern (*.claude.ai) for sending prompts, and a document object model (DOM)-based cross-site scripting (XSS) vulnerability in an Arkose Labs CAPTCHA component hosted on “a-cdn.claude[.]ai”.

According to the researchers, the XSS flaw allowed arbitrary JavaScript to run in the context of a-cdn.claude[.]ai, enabling an attacker to inject code that issued a prompt to the extension. The extension’s allowlist then caused the prompt to appear in Claude’s sidebar as if it originated from the user, while the attacker’s page could embed the vulnerable component in a hidden iframe and deliver the payload via postMessage without user interaction.

Successful exploitation could let an adversary steal sensitive data such as access tokens, read conversation history with the AI agent, or perform actions on behalf of the victim, including sending emails impersonating them, the report said.

After responsible disclosure on December 27, 2025, Anthropic released a patched Chrome extension (version 1.0.41) that enforces a strict origin check requiring an exact match to the domain “claude[.]ai”. Arkose Labs fixed the XSS vulnerability on February 19, 2026, the report said.
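
The difference between the wildcard allowlist and the exact-match check described above can be seen in a short added example. This is not Anthropic's extension code: the function names and the sample origins are constructed for illustration, and the wildcard function is an assumed reconstruction of a `*.claude.ai` pattern.

```javascript
// Added example: hypothetical names, not the extension's actual code.
const TRUSTED_HOST = "claude.ai"; // exact host named in the fix

// Parse a sender origin; reject anything that is not a bare, well-formed origin.
function parseOrigin(origin) {
  try {
    const u = new URL(origin);
    return u.origin === origin ? u : null; // "null" origins and paths fail here
  } catch {
    return null;
  }
}

// Before: wildcard trust, equivalent to the pattern *.claude.ai.
// Every subdomain, including third-party-hosted ones, can send prompts.
function isAllowedWildcard(origin) {
  const u = parseOrigin(origin);
  if (u === null || u.protocol !== "https:") return false;
  return u.hostname === TRUSTED_HOST || u.hostname.endsWith("." + TRUSTED_HOST);
}

// After: exact origin match (scheme, host and default port).
function isAllowedExact(origin) {
  const u = parseOrigin(origin);
  return u !== null && u.origin === "https://" + TRUSTED_HOST;
}

// Review helper: origins that the wildcard check trusts but the exact check rejects.
function trustGap(origins) {
  return origins.filter((o) => isAllowedWildcard(o) && !isAllowedExact(o));
}

// Constructed sample origins for the comparison.
const SAMPLE_ORIGINS = [
  "https://claude.ai",
  "https://a-cdn.claude.ai",        // subdomain hosting the CAPTCHA component
  "https://claude.ai.example.test", // lookalike suffix, not a subdomain
  "https://notclaude.ai",
  "http://claude.ai",
  "https://claude.ai:8443",
  "null",                           // opaque origin of a sandboxed frame
];

for (const o of SAMPLE_ORIGINS) {
  console.log(o.padEnd(32), "wildcard:", isAllowedWildcard(o), "exact:", isAllowedExact(o));
}
console.log("trust gap:", trustGap(SAMPLE_ORIGINS));
```

The `trustGap` output lists every origin whose compromise would have been enough to reach the extension under the wildcard rule, which is the set an allowlist review should aim to shrink to nothing.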

Koi Security warned that as AI browser assistants gain capabilities, they become more valuable attack targets and that the security of such an extension is limited by the weakest origin in its trust boundary.