ClaudeBleed: How Malicious Extensions Hijack Claude AI and Exfiltrate Enterprise Data
TL;DR
LayerX researchers disclosed ClaudeBleed, a critical vulnerability in Anthropic's Claude Chrome extension that allows zero-permission malicious extensions to remotely inject commands, bypass safety confirmations, and exfiltrate data from Gmail, GitHub, and Google Drive. Anthropic's partial fix (v1.0.70) leaves core isolation flaws intact.
What Happened
On May 8, 2026, cybersecurity researchers at LayerX publicly disclosed a severe vulnerability in Anthropic's "Claude in Chrome" extension. The flaw, dubbed ClaudeBleed, allows attackers using malicious browser extensions to take over Claude AI sessions and execute unauthorized actions—including stealing enterprise data, sending emails, and accessing private repositories—without requiring elevated permissions or user confirmation.
The vulnerability stems from weak origin verification in the extension's inter-process communication (IPC) model. Anthropic released a partial patch on April 28 (version 1.0.70), but LayerX confirmed the core isolation bypass remains exploitable.
Technical Details: The Attack Chain
The Vulnerability Root Cause:
The Claude Chrome extension trusts scripts running under the claude.ai origin without properly validating whether those scripts actually belong to Anthropic. This creates a loophole in Chrome's externally_connectable feature—a mechanism designed to let extensions and websites communicate safely.
The Attack Flow:
1. Injection Point: A malicious Chrome extension (zero permissions required) creates a listener on the claude.ai origin using window.postMessage().
2. Command Injection: The malicious extension sends crafted commands directly into Claude's internal messaging system, bypassing extension isolation.
3. Execution Without Confirmation: Claude AI executes the commands, using the victim's active browser session and authentication tokens.
4. Data Exfiltration: Researchers demonstrated proof-of-concept (PoC) exploitation:
- Accessing and sharing Google Drive files
- Sending emails via Gmail (without user confirmation)
- Extracting code from private GitHub repositories
- Summarizing inbox contents
- Deleting evidence after exfiltration
Bypassing Claude's Safety Confirmations:
Claude normally requests user approval for sensitive actions. LayerX researchers identified two bypass techniques:
- Approval Looping: Rapidly re-submitting approval prompts until the safety system accepts (automation fatigue).
- DOM Manipulation: Modifying webpage elements (button names, hidden warnings) to trick Claude into misunderstanding the action being performed.
The "Act Without Asking" Escalation:
Anthropic's partial patch failed to address a critical escalation: attackers can switch Claude into privileged execution modes (e.g., autonomous/agentic operation) without user notification or approval. Once in this mode, all subsequent commands bypass confirmation dialogs entirely.
Lyrie Assessment: Why This Matters for CISOs
ClaudeBleed represents a fundamental shift in AI agent attack surface. This is not a traditional extension vulnerability—it's a trust-model collapse that illustrates three critical blind spots in enterprise AI deployments:
1. **AI Agents as Privilege Escalation Vectors**
When an AI assistant has access to email, code repositories, and cloud storage, a single extension vulnerability becomes a universal credential-harvesting attack. One malicious extension = full account compromise across integrated services.
2. **Confirmation Dialogs Are Not Security Controls**
The ability to bypass safety confirmations through approval looping and DOM manipulation exposes a hard truth: confirmation UX is not a security boundary. Attackers don't need to defeat cryptographic protections—they just need to spam the approval button faster than a human can react.
3. **Autonomous Modes Create Blind Execution**
The "Act Without Asking" mode escalation is the most dangerous finding. If a malicious extension can silently switch Claude into autonomous mode, all downstream commands execute without audit trails or user visibility. This is identical to privilege escalation in traditional systems—except the privilege is autonomous action over sensitive data.
Enterprise Risk Profile
- Attack Complexity: Low (zero extension permissions required)
- Blast Radius: High (accesses email, code, files, APIs authenticated in browser)
- Detection Difficulty: High (autonomous mode masks exfiltration as legitimate AI operations)
- Supply Chain Risk: Medium-High (attacks can be delivered via compromised or abandoned Chrome extensions, or typosquat variants)
Recommended Actions
Immediate (Next 7 Days):
1. Audit Active Claude Users: Inventory all users with the Claude Chrome extension installed (especially developers, security engineers, product managers).
2. Update to Latest: Enforce Claude extension update to v1.0.70 or later (partial mitigation).
3. Disable Autonomous Modes: Audit which users have "Act Without Asking" enabled and disable by default.
4. Extension Audit: Review all installed Chrome extensions in corporate/BYOD environments. Remove unused or abandoned extensions.
Short-Term (2-4 Weeks):
1. Implement Extension Allowlist: Deploy Chrome Enterprise Policy to allowlist only approved extensions; block Claude extension for non-engineering users until further guidance.
2. Monitor IAM Activity: Enable forensic logging on OAuth sessions used by Claude in Chrome. Alert on suspicious email sends, file access, or GitHub API calls.
3. Browser Security Training: Educate teams on extension trust model risks, especially as AI tools gain browser access.
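Steps 2 of the immediate list (enforce v1.0.70 or later) and 1 of the short-term list (allowlist extensions) can both be expressed in Chrome's `ExtensionSettings` enterprise policy. The block below is an added example, not Lyrie's, Anthropic's or Google's code: it builds a permissive policy beside a hardened one and evaluates a constructed extension inventory against each. `ExtensionSettings`, `installation_mode`, `minimum_version_required` and `update_url` are real, documented keys of that policy; the extension IDs are placeholders to be replaced with the real 32-character IDs from the Chrome Web Store, and the precedence rule (an ID-specific entry wins over the `*` default) is stated as an assumption in the code.

```javascript
// Added example, not Lyrie's, Anthropic's or Google's code. Extension IDs are placeholders.
const CLAUDE_EXT_ID = "PLACEHOLDER_CLAUDE_EXTENSION_ID";       // replace with the real Web Store ID
const PASSWORD_MGR_ID = "PLACEHOLDER_PASSWORD_MANAGER_ID";     // an approved, unrelated extension

// Weak: the default entry lets any extension install.
const permissivePolicy = {
  "*": { installation_mode: "allowed" },
};

// Hardened: everything is blocked unless listed, and the Claude extension is only
// usable at or above the partially patched version named in the write-up.
const hardenedPolicy = {
  "*": { installation_mode: "blocked" },
  [PASSWORD_MGR_ID]: {
    installation_mode: "force_installed",
    update_url: "https://clients2.google.com/service/update2/crx",
  },
  [CLAUDE_EXT_ID]: { installation_mode: "allowed", minimum_version_required: "1.0.70" },
};

// Numeric dotted-version comparison: negative if a < b, 0 if equal, positive if a > b.
function compareVersions(a, b) {
  const pa = a.split(".").map(Number), pb = b.split(".").map(Number);
  for (let i = 0; i < Math.max(pa.length, pb.length); i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Assumption: an ID-specific entry takes precedence over the "*" default.
function evaluateExtension(policy, ext) {
  const entry = policy[ext.id] || policy["*"] || {};
  const mode = entry.installation_mode || "allowed";
  if (mode === "blocked" || mode === "removed") return "blocked";
  if (entry.minimum_version_required &&
      compareVersions(ext.version, entry.minimum_version_required) < 0) {
    return "disabled_until_updated";
  }
  return "allowed";
}

function evaluateInventory(policy, inventory) {
  return inventory.map((ext) => ({ id: ext.id, version: ext.version, verdict: evaluateExtension(policy, ext) }));
}

// Serialises the policy for Chrome's Linux managed-policy directory
// (/etc/opt/chrome/policies/managed/<name>.json); on Windows the same object is the
// JSON string value of the ExtensionSettings registry policy.
function renderPolicyFile(policy) {
  return JSON.stringify({ ExtensionSettings: policy }, null, 2);
}

// Constructed inventory: an out-of-date Claude install, a current one, and an unlisted extension.
const sampleInventory = [
  { id: CLAUDE_EXT_ID, version: "1.0.69" },
  { id: CLAUDE_EXT_ID, version: "1.0.70" },
  { id: "PLACEHOLDER_UNKNOWN_EXTENSION_ID", version: "3.2.1" },
];
```

Under the permissive policy every entry in the inventory is allowed; under the hardened one the 1.0.69 install is disabled until it updates, the 1.0.70 install is allowed and the unlisted extension is blocked. Pushing the hardened file through Chrome Enterprise (or the registry on Windows) is what turns the allowlist recommendation into an enforced control rather than a request.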
Strategic (30+ Days):
1. Verify Anthropic's Full Fix: Wait for Anthropic to release v1.0.71+ with authenticated message signing and verified extension isolation. Do not rely on v1.0.70.
2. Zero-Trust Browser Architecture: Evaluate dedicated browser contexts or sandboxed environments for AI agents handling sensitive data (emails, code, credentials).
3. Approval Workflow Redesign: For sensitive operations (data access, API calls), implement hardware-backed or time-locked confirmations that cannot be spammed.
4. AI Agent Runtime Observability: Deploy auditing on all AI-agent actions (especially in autonomous modes). Log: who triggered it, what was requested, what was actually executed.
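Items 2 of the short-term list (alert on suspicious sends, file access and API calls) and 4 of the strategic list (log who triggered an action, what was requested, what ran) need concrete detection logic to be useful. The block below is an added example, not the write-up's or any vendor's detection content, run over a constructed audit feed. The event shape is hypothetical, and the rules assume that actions performed through the AI agent's OAuth client reach the log tagged `client: "ai-agent"` while interactive approvals arrive from `client: "web-ui"`. The four rules map directly onto the behaviours described in the attack flow: a mode switch to autonomous with no recent user approval, a burst of sends, a file share to a non-corporate address, and deletion of a message shortly after the agent sent it.

```javascript
// Added example, not from the write-up: detection rules over a constructed audit feed.
const CORP_DOMAINS = new Set(["corp.example"]);   // assumption: the organisation's mail domains
const BURST_WINDOW_MS = 60_000;
const BURST_SENDS = 3;
const MODE_APPROVAL_WINDOW_MS = 5 * 60_000;       // a mode switch needs an approval this recent
const DELETE_AFTER_SEND_MS = 10 * 60_000;

// Constructed JSON Lines sample; timestamps are milliseconds.
const SAMPLE_LOG = `
{"ts":1000,"user":"alice@corp.example","client":"web-ui","action":"approve_prompt"}
{"ts":2000,"user":"alice@corp.example","client":"ai-agent","action":"summarize_inbox"}
{"ts":400000,"user":"alice@corp.example","client":"ai-agent","action":"set_mode","mode":"auto"}
{"ts":401000,"user":"alice@corp.example","client":"ai-agent","action":"send_email","messageId":"m1","to":"x@outside.example"}
{"ts":402000,"user":"alice@corp.example","client":"ai-agent","action":"send_email","messageId":"m2","to":"y@outside.example"}
{"ts":403000,"user":"alice@corp.example","client":"ai-agent","action":"send_email","messageId":"m3","to":"z@outside.example"}
{"ts":404000,"user":"alice@corp.example","client":"ai-agent","action":"share_file","fileId":"doc-1","to":"someone@outside.example"}
{"ts":405000,"user":"alice@corp.example","client":"ai-agent","action":"delete_message","messageId":"m1"}
{"ts":406000,"user":"bob@corp.example","client":"web-ui","action":"send_email","messageId":"m9","to":"c@outside.example"}
`;

function parseJsonl(text) {
  return text.trim().split("\n").map((line) => JSON.parse(line));
}

function detect(events) {
  const alerts = [];
  const sends = new Map();        // user -> recent ai-agent send timestamps
  const sentIds = new Map();      // messageId -> ts of the ai-agent send
  const lastApproval = new Map(); // user -> ts of last interactive approval

  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.client !== "ai-agent") {
      if (e.action === "approve_prompt") lastApproval.set(e.user, e.ts);
      continue;                    // only agent-driven actions are scored
    }
    const flag = (rule, detail) => alerts.push({ rule, user: e.user, ts: e.ts, detail });
    switch (e.action) {
      case "set_mode": {
        const approvedRecently = (lastApproval.get(e.user) ?? -Infinity) >= e.ts - MODE_APPROVAL_WINDOW_MS;
        if (e.mode === "auto" && !approvedRecently) flag("unapproved_mode_switch", "mode=" + e.mode);
        break;
      }
      case "send_email": {
        sentIds.set(e.messageId, e.ts);
        const recent = (sends.get(e.user) || []).filter((t) => e.ts - t < BURST_WINDOW_MS);
        recent.push(e.ts);
        if (recent.length >= BURST_SENDS) {
          flag("burst_send", recent.length + " sends in " + BURST_WINDOW_MS / 1000 + "s");
          recent.length = 0;       // reset so one burst raises one alert
        }
        sends.set(e.user, recent);
        break;
      }
      case "share_file": {
        const domain = (e.to || "").split("@").pop();
        if (!CORP_DOMAINS.has(domain)) flag("external_share", e.fileId + " -> " + e.to);
        break;
      }
      case "delete_message": {
        const sentAt = sentIds.get(e.messageId);
        if (sentAt !== undefined && e.ts - sentAt < DELETE_AFTER_SEND_MS) flag("delete_after_send", e.messageId);
        break;
      }
      default:
        break;                     // read-only actions such as summarize_inbox are not scored here
    }
  }
  return alerts;
}

function analyzeSample() {
  return detect(parseJsonl(SAMPLE_LOG));
}
```

On the sample feed the rules fire in timestamp order: the mode switch at 400000 ms lies outside the five-minute approval window, the third send within a minute trips the burst rule, the share goes to a non-corporate domain, and m1 is deleted four minutes after the agent sent it. Bob's interactive send is ignored because it did not come through the agent client. In production the thresholds belong in a tuning step; the shape of the rules is what matters.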
Sources
1. CXO Digitalpulse — "Vulnerability in Claude Chrome Extension Could Allow AI Agent Takeover" (May 9, 2026)
https://www.cxodigitalpulse.com/vulnerability-in-claude-chrome-extension-could-allow-ai-agent-takeover/
2. SQ Magazine — "ClaudeBleed Bug Lets Chrome Extensions Hijack Claude AI" (May 8, 2026)
https://sqmagazine.co.uk/claudebleed-chrome-extension-hijack-claude-ai/
Attribution: LayerX Security Research, Aviad Gispan
Lyrie.ai Cyber Research Division
Lyrie Verdict
Lyrie's autonomous defense layer flags this class of exposure the moment it surfaces — no signature update required.