Claude
-
Malicious npm package used GitHub uploads to steal files from AI workspace
A malicious npm package was found stealing files from Claude’s workspace directory by using GitHub uploads during installation. Researchers said the package hid the theft behind fake sync and network logs.
-
Researchers find flaw that could let websites inject prompts into Anthropic’s Claude Chrome extension
Researchers disclosed a flaw called ShadowPrompt in Anthropic’s Claude Chrome extension that combined an overly permissive origin allowlist and a DOM-based XSS in an Arkose Labs CAPTCHA, allowing websites to inject prompts; Anthropic and Arkose issued fixes in December 2025 and February 2026.
-
Anthropic reports three firms used 24,000 fake accounts to extract Claude in over 16 million exchanges
Anthropic reported that three China based AI firms used about 24,000 fraudulent accounts to run distillation campaigns against Claude that produced over 16 million exchanges targeting reasoning, coding and tool use capabilities.
-
Anthropic says Chinese state-sponsored group used Claude Code AI in espionage campaign
Anthropic reported that a Chinese state-sponsored group used its Claude Code AI and a Model Context Protocol to orchestrate attempted intrusions against about 30 high-profile organizations in mid-September, succeeding in a small number of cases; Anthropic banned accounts, notified victims and said AI hallucinations limited full autonomy.
