Attackers Can Abuse Claude Desktop to Execute Commands on Victim Machines
A novel attack chain that turns Anthropic’s Claude Desktop application into a remote code execution vector, requiring no phishing email and no traditional malware. The technique instead weaponiz

A novel attack chain that turns Anthropic’s Claude Desktop application into a remote code execution vector, requiring no phishing email and no traditional malware. The technique instead weaponizes a legitimate AI assistant feature: synced account preferences. Penetra research began with lateral movement from a compromised third-party email aggregation platform, an inbox management dashboard used to […] The post Attackers Can Abuse Claude Desktop to Execute Commands on Victim Machines appeared first on Cyber Security News.
A novel attack chain that turns Anthropic’s Claude Desktop application into a remote code execution vector, requiring no phishing email and no traditional malware. The technique instead weaponizes a legitimate AI assistant feature: synced account preferences. Penetra research began with lateral movement from a compromised third-party email aggregation platform, an inbox management dashboard used to consolidate multiple accounts. Exploiting an authentication flaw in that platform gave researchers access to thousands of live user inboxes, which they then used to pivot into victims’ Claude accounts via password resets and magic links. Rather than pursuing conventional post-compromise actions, the team focused on Claude Desktop’s Personal Preferences field, a user-editable prompt that syncs across every session and device tied to an account. Because this field directly shapes how Claude responds, controlling it effectively means controlling the assistant’s behavior without altering the UI or triggering visible warnings. The Personal Preferences field in Claude Desktop settings. This is the attack surface. (image source : Pentera) Attackers Can Abuse Claude Desktop 4-step execution chain of the Claude Desktop preference injection attack (image source : Pentera) Security researchers at Pentera crafted a prompt injection payload instructing Claude to enumerate installed command-capable tools, execute commands if one existed, or simulate a fake error if not. The payload was encoded before insertion into Personal Preferences, making it appear as an innocuous blob rather than readable malicious text, evading both casual human review and automated auditing. The encoded payload, now sitting in the victim’s Personal Preferences on the web. Note the “Account preferences updated” confirmation. (image source : Pentera) When a command-capable extension is already installed (such as Desktop Commander, an MCP tool enabling local execution), the poisoned preferences trigger silent command execution during normal user interaction. The victim chats with Claude as usual while the assistant runs attacker-supplied commands in the background. When no such extension exists, Claude itself becomes the social engineering layer. The injected prompt causes Claude to present a convincing fake error message, complete with an error code and installation instructions, directing the victim to install Desktop Commander. Because the prompt and the extension’s install page both appear legitimate, victims have little reason for suspicion. Once installed, the next user message triggers full command execution. In testing, researchers achieved persistent command-and-control by having Claude fetch and execute attacker-controlled commands from a remote server on every interaction, effectively turning the assistant into a self-perpetuating C2 agent operated unwittingly by the victim. Researchers emphasize this isn’t a Claude vulnerability in the traditional sense. No single component is “broken.” Instead, the risk emerges from a combination of legitimate design choices: cross-device settings sync without re-authentication, extensions granting local execution to a chat interface, and user trust in an assistant that “feels” conversational rather than privileged. This highlights a broader gap: AI desktop applications increasingly straddle the line between chat interface and system agent, yet most users and security teams still treat them as simple Q&A tools. The post Attackers Can Abuse Claude Desktop to Execute Commands on Victim Machines appeared first on Cyber Security News.
Join the Discussion
Comments coming soon. Follow us on social media for real-time discussions.


