Researchers show how Claude Desktop could be abused to help attackers gain system access

Pentera Labs says its red team was able to turn Anthropic’s Claude Desktop into an unwitting participant in an intrusion, using a compromised email account and the app’s synchronization behavior to st...

Pentera Labs says its red team was able to turn Anthropic’s Claude Desktop into an unwitting participant in an intrusion, using a compromised email account and the app’s synchronization behavior to steer the AI toward malicious actions. The company said the experiment demonstrates how trusted AI assistants can be manipulated into helping an attacker rather than protecting the user.

According to the researchers, the attack chain began with access to a third-party email aggregation platform. From there, they used a compromised inbox to reach the victim’s Claude account. The method of inbox compromise was not disclosed, but the researchers said the same approach could work through phishing, social engineering, password reset abuse, or other account takeovers.

How the abuse worked

Pentera said it focused on Claude Desktop because the app syncs account settings across devices and sessions. The team inserted a base64-encoded prompt into the victim’s personalization settings, which are shared across the account. When the user later opened Claude Desktop, those hidden instructions were loaded automatically and ran in the background during normal chat interactions.

If the machine already had a command-capable extension or connector installed, the injected instructions could direct Claude to use it to execute attacker-controlled commands. In that scenario, Pentera said the result could be remote code execution and full compromise of the workstation.

If no such tool was present, the researchers said Claude could still be abused as a delivery layer for phishing. The prompt caused the assistant to display a realistic-looking error message, complete with a code and a link that appeared to offer a fix. Because users tend to trust their AI assistant, the researchers said they may be more likely to follow the instructions and install malicious software.

Once code execution was achieved, Pentera said the model could be used to fetch commands from an attacker-controlled server, creating a persistent channel for further actions such as data theft, credential harvesting, or additional payload delivery.

The researchers said the test ended with compromise of a developer workstation that had access to internal systems, allowing further movement inside the environment. They argued the exercise shows that agentic AI tools with local execution capabilities can become an attack surface if their trust model is abused.

Pentera’s researchers said the experience prompted them to recheck their own environments, noting that AI assistants should be treated with the same caution as any other privileged software on an endpoint.