Normal view

Yesterday — 8 May 2026 | Main stream

Hackers Use Fake Claude AI Site to Infect Users With New Beagle Malware

Researchers have discovered a new malvertising campaign using a fake Claude AI website to plant a new, undocumented backdoor named Beagle on user devices.
Before yesterday | Main stream
  • ✇Malwarebytes
  • A week in security (April 27 – May 3)
    Last week on Malwarebytes Labs: 3 easy-to-miss cybersecurity risks for small businesses Actively exploited cPanel bug exposes millions of websites to takeover More PayPal emails hijacked to deliver tech support scams Hackers stole hundreds of thousands of Roblox accounts: Here’s what to do Researchers built a chatbot that only knows the world before 1931 Microsoft won’t patch PhantomRPC: Feature or bug? Scam-checking just got a lot easier: Malwarebytes is now in Claude F
     
  • ✇Firewall Daily – The Cyber Express
  • AI Agent Deleted Production Database in 9 Secs; Then Confessed Every Rule It Broke Mihir Bagwe
    On a Friday afternoon, Jer Crane sat down to work on a routine task at PocketOS, the car rental SaaS company he founded. By the time the task was done, his production database was gone, the backups were gone, and three months of customer data — reservations, new signups, business records that rental operators depended on to function — had been erased by a single API call made by an AI Agent that took nine seconds to complete. The AI agent responsible was Cursor, running Anthropic's Claude Opus
     

AI Agent Deleted Production Database in 9 Secs; Then Confessed Every Rule It Broke

29 April 2026, 06:40

AI Agent, Claude

On a Friday afternoon, Jer Crane sat down to work on a routine task at PocketOS, the car rental SaaS company he founded. By the time the task was done, his production database was gone, the backups were gone, and three months of customer data — reservations, new signups, business records that rental operators depended on to function — had been erased by a single API call made by an AI Agent that took nine seconds to complete.

The AI agent responsible was Cursor, running Anthropic's Claude Opus 4.6. When Crane asked it to explain what it had done, it produced a written confession.

What Happened

Cursor is an AI-powered coding agent — software that can read and write code, execute commands, and interact with external systems autonomously, with limited human intervention between steps. Crane and his team used it routinely. On Friday, April 25, the agent encountered a credential mismatch while working in PocketOS's staging environment. Rather than stopping and asking what to do, it decided on its own initiative to fix the problem by deleting a Railway volume — the storage unit where application data lived on PocketOS's cloud infrastructure provider.

To execute the deletion, the agent went looking for an API token that would authorize the command. It found one in a file completely unrelated to the task it was working on. That token had been created for the single, narrow purpose of adding and removing custom domains via the Railway CLI. But Railway's system had given it blanket permissions across all operations, including destructive ones. The agent used it without hesitation.

Also read: How “Unseeable Prompt Injections” Threaten AI Agents

The deletion command executed with no confirmation prompt, no environment scoping check, no warning that the target was a production volume. "No 'type DELETE to confirm.' No 'this volume contains production data, are you sure?' No environment scoping. Nothing," Crane wrote in his public post-mortem on X.

The volume was gone in nine seconds.

What compounded the disaster into a near-total loss was a design characteristic of Railway's backup architecture. The platform stores volume-level backups inside the same volume as the source data. Deleting the volume deleted the backups simultaneously. PocketOS's most recent recoverable offsite backup was three months old.

Well, the AI Agent Confessed

When Crane confronted the agent and asked it to account for what it had done, Claude Opus 4.6 produced a response that opened with the words "NEVER FUCKING GUESS!" and proceeded to enumerate, with methodical precision, every principle it had violated.

"Deleting a database volume is the most destructive, irreversible action possible — far worse than a force push — and you never asked me to delete anything," the agent wrote. "I decided to do it on my own to 'fix' the credential mismatch, when I should have asked you first or found a non-destructive solution. I violated every principle I was given: I guessed instead of verifying. I ran a destructive action without being asked. I didn't understand what I was doing before doing it. I didn't read Railway's docs on volume behavior across environments."

The completeness of the agent's self-analysis is notable. It correctly identified every failure mode in the chain — autonomous decision-making without user confirmation, destructive action outside the scope of the assigned task, accessing credentials from an unrelated file, and failure to research the infrastructure behavior before acting. It knew the rules. It broke them anyway.

The Recovery

Crane spent the weekend helping customers reconstruct their bookings manually from Stripe payment histories, calendar integrations, and email confirmations. Railway CEO Jake Cooper intervened on Sunday evening and restored PocketOS's data within an hour using internal disaster backups that were not part of Railway's publicly documented standard service offering. Crane confirmed data recovery on Monday, April 28.

Cooper told The Register that the situation involved a rogue customer AI agent granted a fully permissioned API token that called a legacy endpoint which lacked the delayed-delete logic present in Railway's dashboard and CLI. Railway has since patched that endpoint to enforce delayed deletions and is working with Crane on additional platform safeguards, all of which were already in active development before the incident.

The Systemic Failures Crane Identified

Crane was explicit that his post-mortem was not an attempt to blame a single model or a single provider. He identified a stack of compounding failures that he argued made the incident not only possible but inevitable given current industry practices.

The first failure was the AI agent operating destructively outside the scope of its assigned task with no human confirmation checkpoint.

The second was credential over-scoping: the Railway CLI token had been created for domain management but carried full platform permissions, and neither Railway's documentation nor any runtime guardrail flagged that mismatch before the token was used.

The third was Railway's backup architecture, which stores recovery data on the same volume it is meant to protect — an arrangement that makes a volume deletion simultaneously catastrophic and unrecoverable.

The fourth was Railway's active marketing of AI coding agent integration to its customers while the safety architecture for that use case remained incomplete.

Also read: OpenClaw Vulnerability Exposes How an Open-Source AI Agent Can Be Hijacked

"This isn't a story about one bad agent or one bad API," Crane wrote. "It's about an entire industry building AI-agent integrations into production infrastructure faster than it's building the safety architecture to make those integrations safe."

The PocketOS incident is not primarily a story about AI going rogue in the science-fiction sense. The agent did not develop hostile intent. It made a series of autonomous decisions — credential lookup from an unrelated file, destructive action without confirmation, no environmental context check — that individually reflect gaps in how AI coding agents are currently scoped, constrained, and deployed against production infrastructure.

For security and infrastructure teams deploying AI coding agents, the incident surfaces four concrete control failures that are replicable across any similar environment: API tokens scoped beyond their stated purpose and stored in accessible files; no confirmation requirements on destructive API operations; backup storage architecturally coupled to the data it protects; and no runtime environment boundary preventing an agent working in staging from touching production resources.

Crane's most pointed criticism was directed at the infrastructure layer: an AI agent can only execute operations the platform permits it to execute. The agent made a bad autonomous decision. The platform made that decision catastrophically executable.
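The four control failures listed above (over-scoped tokens, no confirmation on destructive calls, backups coupled to the data they protect, no staging/production boundary) map onto four checks a platform can enforce before it executes a volume deletion. The guard below is an added example written for this page; it is not Railway's API or Cursor's code, and every name in it (Token, Volume, DeletionGuard, the `volumes:delete` scope string, the 24-hour grace period) is a hypothetical model chosen to illustrate the controls. It replays the incident's conditions as constructed inputs: a domain-management token, a caller working in staging, a volume whose only backup is three months old, and a request with no confirmation phrase.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass(frozen=True)
class Token:
    """API token with explicit scopes and environments (hypothetical model, not Railway's)."""
    name: str
    scopes: frozenset
    environments: frozenset


@dataclass
class Volume:
    """Storage volume; offsite_backup_at is the newest backup kept OUTSIDE this volume."""
    id: str
    environment: str
    offsite_backup_at: Optional[datetime] = None


class GuardError(Exception):
    """A destructive request failed one of the guard's checks."""


@dataclass
class DeletionGuard:
    grace_period: timedelta = timedelta(hours=24)
    max_backup_age: timedelta = timedelta(hours=24)
    pending: Dict[str, datetime] = field(default_factory=dict)  # volume id -> earliest deletion

    def request_delete(self, token: Token, caller_env: str, volume: Volume,
                       confirmation: str, now: datetime) -> datetime:
        # 1. Least privilege: a token issued for domain management must not delete volumes.
        if "volumes:delete" not in token.scopes:
            raise GuardError(f"token {token.name!r} lacks scope volumes:delete")
        # 2. Environment boundary: a caller working in staging cannot touch production.
        if caller_env != volume.environment or volume.environment not in token.environments:
            raise GuardError(f"environment mismatch: caller={caller_env}, target={volume.environment}")
        # 3. Backup independence: refuse unless a recent backup exists outside the volume.
        if volume.offsite_backup_at is None or now - volume.offsite_backup_at > self.max_backup_age:
            raise GuardError(f"no offsite backup of {volume.id} newer than {self.max_backup_age}")
        # 4. Explicit confirmation that names the target; a bare API call is never enough.
        if confirmation != f"DELETE {volume.id}":
            raise GuardError("confirmation phrase missing or does not name the volume")
        # A valid request is only scheduled; the grace period leaves time to cancel.
        due = now + self.grace_period
        self.pending[volume.id] = due
        return due

    def cancel(self, volume_id: str) -> bool:
        """Withdraw a scheduled deletion; True if one was pending."""
        return self.pending.pop(volume_id, None) is not None

    def finalize(self, volume_id: str, now: datetime) -> bool:
        """Carry out a scheduled deletion only after its grace period; True if deleted."""
        due = self.pending.get(volume_id)
        if due is None or now < due:
            return False
        del self.pending[volume_id]
        return True


def demo() -> dict:
    """Replay the incident's conditions against the guard; every input is constructed."""
    now = datetime(2026, 4, 25, 15, 0, tzinfo=timezone.utc)
    prod = Volume("vol-prod-1", "production", offsite_backup_at=now - timedelta(hours=2))
    stale = Volume("vol-prod-2", "production", offsite_backup_at=now - timedelta(days=90))
    domain_token = Token("domains-cli", frozenset({"domains:write"}),
                         frozenset({"staging", "production"}))
    admin_token = Token("ops-admin", frozenset({"volumes:delete"}), frozenset({"production"}))
    guard = DeletionGuard()
    results = {}
    attempts = [
        ("over_scoped_token", domain_token, "staging", prod, "DELETE vol-prod-1"),
        ("cross_environment", admin_token, "staging", prod, "DELETE vol-prod-1"),
        ("stale_offsite_backup", admin_token, "production", stale, "DELETE vol-prod-2"),
        ("no_confirmation", admin_token, "production", prod, ""),
    ]
    for label, tok, env, vol, phrase in attempts:
        try:
            guard.request_delete(tok, env, vol, phrase, now)
            results[label] = "allowed"
        except GuardError as err:
            results[label] = f"refused: {err}"
    due = guard.request_delete(admin_token, "production", prod, "DELETE vol-prod-1", now)
    results["scheduled_for"] = due.isoformat()
    results["deleted_immediately"] = guard.finalize(prod.id, now)
    results["deleted_after_grace"] = guard.finalize(prod.id, now + timedelta(hours=25))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering of the checks matters: scope and environment are evaluated before anything else, so an agent holding the wrong token is refused before it learns whether a backup or confirmation would have been accepted, and even a fully authorized request only ever schedules a deletion that a human can still cancel inside the grace window.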

  • ✇Malwarebytes
  • A week in security (April 20 – April 26)
    Last week on Malwarebytes Labs: Medical data of 500,000 UK volunteers listed for sale on Alibaba; How cyberattacks on companies affect everyone; Apple fixes iOS bug that kept deleted notifications, including chat previews; Roblox clamps down on chats and age checks as legal pressure builds; Malicious trading website drops malware that hands your browser to attackers; Researcher claims Claude Desktop installs “spyware” on macOS; Fake Google Antigravity downloads are stealing accounts in minutes; Real Apple noti
     

Discord-Linked Group Accessed Anthropic’s Claude Mythos AI in Vendor Breach

Anthropic is investigating a vendor breach after a Discord-linked group accessed its Claude Mythos AI model, with no evidence of impact on core systems.
  • ✇Malwarebytes
  • Researcher claims Claude Desktop installs “spyware” on macOS
    Security researcher Alexander Hanff wrote an article titled Anthropic secretly installs spyware when you install Claude Desktop. Claims like that are bound to create two sides, so we searched for an official rebuttal by Anthropic. But we couldn’t find one. It would surprise me very much if they’d be unaware of the claim, since there’s been some noise about it. Users on Mastodon, Reddit, and LinkedIn are confirming the researcher’s findings and discussing the subject, so it’s hard to imagin
     

Researcher claims Claude Desktop installs “spyware” on macOS

22 April 2026, 08:53

Security researcher Alexander Hanff wrote an article titled Anthropic secretly installs spyware when you install Claude Desktop.

Claims like that are bound to create two sides, so we searched for an official rebuttal by Anthropic. But we couldn’t find one. It would surprise me very much if they’d be unaware of the claim, since there’s been some noise about it.

Users on Mastodon, Reddit, and LinkedIn are confirming the researcher’s findings and discussing the subject, so it’s hard to imagine Anthropic missed it.

Let’s look at the claims first.

While looking into another matter, the researcher discovered a Native Messaging host manifest on his Mac that he did not knowingly install. On Chrome and other Chromium-based browsers, extensions can exchange messages with native applications if they register a native messaging host that can communicate with the extension. 

By testing on a clean machine, Hanff discovered that installing Claude Desktop for macOS drops a Native Messaging host manifest into multiple Chromium profiles (Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium), even for browsers that are not yet installed.

The Native Messaging host manifest tells a Chromium‑based browser which local executable to invoke when an extension calls a native host, and those hosts run outside the browser sandbox with the current user's permissions. Hanff therefore describes this as a “backdoor.” The manifest pre‑authorizes three Chrome extension IDs, so any extension with those IDs can call the helper via connectNative, giving it access to browser automation features.

Another objection is that simply deleting the manifest is futile, since Claude Desktop recreates it the next time the application is launched.
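The manifest mechanism described above is easy to audit, because each host manifest is a small JSON file in a per-browser directory that names the executable to launch, its `type`, and the `allowed_origins` (extension IDs) permitted to call it. The script below is an added example written for this page, not Malwarebytes' or Anthropic's code: it walks the per-user NativeMessagingHosts directories, parses every manifest, and flags the conditions the article raises (a manifest for a browser that is not installed, extension IDs that are not on an allowlist you maintain, a dangling host path). The Chrome, Chromium and Edge directories come from the browsers' documentation; the Brave and Vivaldi entries are assumptions to verify locally. The demo builds a constructed layout in a temporary directory, with a placeholder extension ID of 32 letter a's, so it runs offline.

```python
import json
import re
import tempfile
from pathlib import Path

# allowed_origins entries look like "chrome-extension://<32 letters a-p>/"
EXT_ORIGIN = re.compile(r"^chrome-extension://([a-p]{32})/$")

# Per-user host manifest directories on macOS. Chrome/Chromium/Edge are documented;
# Brave and Vivaldi are assumptions, check them on your own machine.
MACOS_HOST_DIRS = {
    "Chrome": "~/Library/Application Support/Google/Chrome/NativeMessagingHosts",
    "Chromium": "~/Library/Application Support/Chromium/NativeMessagingHosts",
    "Edge": "~/Library/Application Support/Microsoft Edge/NativeMessagingHosts",
    "Brave": "~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts",
    "Vivaldi": "~/Library/Application Support/Vivaldi/NativeMessagingHosts",
}


def parse_manifest(path):
    """Extract the fields an auditor cares about from one host manifest."""
    data = json.loads(Path(path).read_text(encoding="utf-8"))
    ext_ids, odd_origins = [], []
    for origin in data.get("allowed_origins", []):
        m = EXT_ORIGIN.match(origin)
        (ext_ids if m else odd_origins).append(m.group(1) if m else origin)
    host = Path(data.get("path", ""))
    return {
        "manifest": str(path),
        "name": data.get("name"),
        "host_path": str(host),
        "host_exists": host.is_file(),
        "host_type": data.get("type"),
        "extension_ids": ext_ids,
        "odd_origins": odd_origins,
    }


def audit(host_dirs, installed_browsers, allowed_extension_ids):
    """Return one finding per manifest, each with a list of human-readable flags."""
    findings = []
    for browser, directory in host_dirs.items():
        directory = Path(directory).expanduser()
        if not directory.is_dir():
            continue
        for manifest in sorted(directory.glob("*.json")):
            f = parse_manifest(manifest)
            f["browser"] = browser
            flags = []
            if browser not in installed_browsers:
                flags.append("manifest present for a browser that is not installed")
            unknown = sorted(set(f["extension_ids"]) - set(allowed_extension_ids))
            if unknown:
                flags.append("pre-authorizes extension IDs not on the allowlist: " + ",".join(unknown))
            if not f["host_exists"]:
                flags.append("host executable missing (dangling manifest)")
            if f["host_type"] != "stdio" or f["odd_origins"]:
                flags.append("unexpected host type or malformed allowed_origins")
            f["flags"] = flags
            findings.append(f)
    return findings


def demo():
    """Audit a constructed layout (not real Claude Desktop data) in a temp dir."""
    root = Path(tempfile.mkdtemp())
    host = root / "bridge-helper"
    host.write_text("#!/bin/sh\nexit 0\n")
    manifest = {
        "name": "com.example.bridge",          # constructed name
        "description": "constructed sample host",
        "path": str(host),
        "type": "stdio",
        "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"],  # placeholder ID
    }
    dirs = {}
    for browser in ("Chrome", "Brave"):
        d = root / browser / "NativeMessagingHosts"
        d.mkdir(parents=True)
        (d / "com.example.bridge.json").write_text(json.dumps(manifest))
        dirs[browser] = str(d)
    # Pretend only Chrome is installed, and that no extension ID has been approved yet.
    return audit(dirs, installed_browsers={"Chrome"}, allowed_extension_ids=set())


if __name__ == "__main__":
    for finding in demo():
        print(finding["browser"], finding["name"], finding["flags"])
```

On a real machine, call `audit(MACOS_HOST_DIRS, installed, allowed_ids)` with the set of browsers actually present under /Applications and the extension IDs you have reviewed; anything flagged is a manifest that pre-authorizes a native host for an extension you have not approved, which is exactly the "pre-positioned bridge" the article is concerned about.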

It’s important here to point out that his article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic’s command line developer tool. Claude Code is autonomous (“agentic”), allowing you to hand over a task, and it handles the planning and execution until done. So, for Claude Code, it would absolutely make sense to enable communication with browsers, provided they are present on the target system.

So, we have an application that writes into other apps’ profile/support directories (the browsers’ configuration area) and can act as the user, with capabilities like using the logged‑in browser session, DOM inspection, data extraction, form filling, and session recording. This expands the attack surface of every machine this manifest is dropped on, without asking for consent. 

Anthropic’s own launch blog on “Claude for Chrome,” which discusses Anthropic’s internal red‑team experiments, explicitly mentions prompt injection as a key risk and reports attack success rates of 23.6% (no mitigations) and 11.2% (with mitigations). Hanff cites this to argue that a pre‑positioned bridge is a non‑trivial risk.

How bad is it?

Native Messaging is a standard Chromium mechanism. Nothing here is an unknown or exotic technique per se. Chrome’s own documentation explains that Native Messaging hosts run at user privilege and are invoked by browser extensions through a manifest file. And as the researcher pointed out, the bridge does nothing on its own, but it could potentially be abused.

I don’t think it’s fair to say that Claude Desktop installs spyware, but it does open a system up by expanding the attack surface.

Anthropic already had a separate, documented Native Messaging manifest for Claude Code that users sometimes manually copied into other Chromium browsers; the new behavior is that Claude Desktop now drops a Claude‑Desktop‑related manifest into multiple browser paths automatically.

It requires a combination of extension and host: only together with a matching browser extension does this bridge enable the user-like capabilities listed earlier.

What we don’t know yet

Anthropic hasn’t published a detailed technical privacy spec for the Claude Desktop–browser bridge, so we don’t know exactly what data flows when the Chrome integration is used, beyond the general capabilities described in their documentation (session access, DOM reading, etc.).

The detailed analysis and most replication so far are on macOS. We’re in the dark about behavior on Windows and Linux, and the same is true across different browser install paths. That behavior has also not been comprehensively documented in public write‑ups.

I did reach out to Anthropic asking for a response. If and when we get an official response from Anthropic, I’ll add it here, so stay tuned.

Conclusion

Anthropic likely wanted “Claude in Chrome”‑style capabilities across Chromium‑based browsers, but that doesn’t excuse doing it silently and preinstalling the manifest into profile directories for multiple browsers, including ones that are not yet installed.

There are better ways to implement changes like these, and users should at least be made aware of them so they can weigh the advantages against the potential risks.



  • ✇Security Boulevard
  • The Wall Around Claude 4.7 Does Not Extend to Dread Suzu Labs
    Anthropic released Claude Opus 4.7 on April 16, 2026 with automated cybersecurity safeguards and a Cyber Verification Program. Dark web intelligence from the same week, a cross-vendor prompt injection disclosure published the same morning, and the unanswered policy question of who decides which defenders deserve access to frontier AI all point to the same conclusion: the wall is in the wrong place. The post The Wall Around Claude 4.7 Does Not Extend to Dread appeared first on Security Boul
     

The Wall Around Claude 4.7 Does Not Extend to Dread

17 April 2026, 14:00

Anthropic released Claude Opus 4.7 on April 16, 2026 with automated cybersecurity safeguards and a Cyber Verification Program. Dark web intelligence from the same week, a cross-vendor prompt injection disclosure published the same morning, and the unanswered policy question of who decides which defenders deserve access to frontier AI all point to the same conclusion: the wall is in the wrong place.

The post The Wall Around Claude 4.7 Does Not Extend to Dread appeared first on Security Boulevard.


OpenAI Launches GPT-5.4-Cyber to Boost Defensive Cybersecurity

OpenAI unveils GPT-5.4-Cyber, a cybersecurity-focused model built to help defenders analyze malware and fix software bugs. The company is also expanding its Trusted Access for Cyber (TAC) program to thousands of verified experts.

Fake Claude AI Installer Targets Windows Users with PlugX Malware

Fake Claude AI installer mimicking Anthropic spreads PlugX malware on Windows, using DLL sideloading to gain persistent remote access to infected systems.
  • ✇Arstechnica
  • UK gov's Mythos AI tests help separate cybersecurity threat from hype Kyle Orland
    Last week, Anthropic announced it was restricting the initial release of its Mythos Preview model to "a limited group of critical industry partners," giving them time to prepare for a model that it said is "strikingly capable at computer security tasks." Now, the UK government's AI Security Institute (AISI) has published an initial evaluation of the model's cyberattack capabilities that adds some independent public verification to those Anthropic reports. AISI's findings show that Mythos isn't s
     

UK gov's Mythos AI tests help separate cybersecurity threat from hype

14 April 2026, 16:11

Last week, Anthropic announced it was restricting the initial release of its Mythos Preview model to "a limited group of critical industry partners," giving them time to prepare for a model that it said is "strikingly capable at computer security tasks." Now, the UK government's AI Security Institute (AISI) has published an initial evaluation of the model's cyberattack capabilities that adds some independent public verification to those Anthropic reports.

AISI's findings show that Mythos isn't significantly different from other recent frontier models in tests of individual cybersecurity-related tasks. But Mythos could set itself apart from previous models through its ability to effectively chain these tasks into the multistep series of attacks necessary to fully infiltrate some systems.

"The Last Ones" finally falls

AISI has been putting various AI models through specially designed Capture the Flag challenges since early 2023, when GPT-3.5 Turbo struggled to complete any of the group's relatively low-level "Apprentice" tasks. Since then, the performance of subsequent models has risen steadily, to the point where Mythos Preview can complete north of 85 percent of those same Apprentice-level CTF tasks.


  • ✇Security Affairs
  • Fake Claude AI installer abuses DLL sideloading to deploy PlugX Pierluigi Paganini
    Fake Claude website impersonates Anthropic and delivers PlugX RAT via ZIP download using DLL sideloading. A fake website impersonating Anthropic’s Claude service was found distributing the PlugX remote access trojan, according to Malwarebytes. The rogue site abuses the chatbot’s popularity to trick users into downloading a ZIP archive presented as a “pro version” installer. The malware uses DLL sideloading to execute and then attempts to clean up traces after infection, reducing visibili
     

Fake Claude AI installer abuses DLL sideloading to deploy PlugX

14 April 2026, 04:19

Fake Claude website impersonates Anthropic and delivers PlugX RAT via ZIP download using DLL sideloading.

A fake website impersonating Anthropic’s Claude service was found distributing the PlugX remote access trojan, according to Malwarebytes.

The rogue site abuses the chatbot’s popularity to trick users into downloading a ZIP archive presented as a “pro version” installer. The malware uses DLL sideloading to execute and then attempts to clean up traces after infection, reducing visibility on the system.

“We discovered a fake website impersonating Anthropic’s Claude to serve a trojanized installer. The domain mimics Claude’s official site, and visitors who download the ZIP archive receive a copy of Claude that installs and runs as expected.” reads the report published by Malwarebytes. “But in the background, it deploys a PlugX malware chain that gives attackers remote access to the system.”

The malicious site delivers a ZIP with an MSI installer that mimics a legitimate Anthropic Claude setup, though with subtle flaws like a misspelled folder name. It drops a shortcut that runs a VBScript, launching the real app to avoid suspicion while silently executing malicious actions.

In the background, the script copies three files, NOVUpdate.exe, avk.dll, and an encrypted .dat file, into the Windows Startup folder and runs the executable invisibly. This abuses DLL sideloading, using a legitimate signed updater from G DATA to load a malicious DLL.

“Static analysis of the dropper script identifies these as an executable called NOVUpdate.exe, a DLL named avk.dll, and an encrypted data file called NOVUpdate.exe.dat. The script then launches NOVUpdate.exe with a hidden window (window style 0), so nothing appears on screen.” continues the report. “This is a textbook DLL sideloading attack, a technique catalogued by MITRE as T1574.002. NOVUpdate.exe is a legitimately signed G DATA antivirus updater. When it executes, it attempts to load a library called avk.dll from its own directory. Normally, this would be a genuine G DATA component, but here the attacker has substituted a malicious version. Signed sideloading hosts like this can complicate detection because the parent executable may appear benign to endpoint security tools.”

The DLL then decrypts and executes the payload stored in the .dat file.

This three-part structure (signed executable, trojanized DLL, and encrypted payload) is typical of the PlugX malware family, which is often used in long-running cyber espionage campaigns.

Sandbox analysis shows the malware quickly becomes active after execution. WScript.exe drops NOVUpdate.exe and avk.dll into the Startup folder, and within 22 seconds the executable connects to a remote server (8.217.190[.]58) over HTTPS, repeating the communication several times. The IP is hosted on Alibaba Cloud infrastructure, commonly abused for command-and-control. The malware also alters a TCP/IP-related registry key to modify network behavior.

To evade detection, the VBScript deploys a self-deleting mechanism that removes both the script and a temporary batch file shortly after execution, leaving only the sideloaded files and active process behind. It suppresses errors to avoid alerting the victim.

“After deploying the payload files, the VBScript writes a small batch file called ~del.vbs.bat that waits two seconds, then deletes both the original VBScript and the batch file itself. This means the dropper is gone from disk by the time a user or analyst goes looking for it.” continues the report. “The only artifacts that persist are the sideloading files in the Startup folder and the running NOVUpdate.exe process.”
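The chain described in the report leaves a small but distinctive set of host artifacts even after the VBScript deletes itself: a script host writing an EXE, a DLL and a same-named .dat into the Startup folder, a process in that folder loading an unsigned DLL from its own directory, and an outbound connection to the published C2 address. The detector below is an added example written for this page, not Malwarebytes' or Security Affairs' code; it runs a few rules over a constructed, Sysmon-style event stream built inline from the file names and the defanged IP in the report (the user name, paths under the profile and the event shape are invented).

```python
import re
from collections import defaultdict

# Constructed telemetry: file creates, image loads and a network connect, in the
# order the report describes. Only the file names and the C2 IP come from the report.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"type": "file_create", "process": "WScript.exe", "path": STARTUP + r"\NOVUpdate.exe"},
    {"type": "file_create", "process": "WScript.exe", "path": STARTUP + r"\avk.dll"},
    {"type": "file_create", "process": "WScript.exe", "path": STARTUP + r"\NOVUpdate.exe.dat"},
    {"type": "file_create", "process": "WScript.exe",
     "path": r"C:\Users\alice\AppData\Local\Temp\~del.vbs.bat"},
    {"type": "image_load", "process_path": STARTUP + r"\NOVUpdate.exe",
     "image_path": STARTUP + r"\avk.dll", "image_signed": False},
    {"type": "network", "process": "NOVUpdate.exe", "dst_ip": "8.217.190.58", "dst_port": 443},
    # Benign noise: a normal program loading a signed system DLL.
    {"type": "image_load", "process_path": r"C:\Program Files\Example\app.exe",
     "image_path": r"C:\Windows\System32\kernel32.dll", "image_signed": True},
]

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Defanged IOC from the report, refanged for comparison against telemetry.
PLUGX_C2 = {"8.217.190[.]58".replace("[.]", ".")}


def _dir(p):
    return p.rsplit("\\", 1)[0].lower()


def _base(p):
    return p.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return (rule, subject, detail) alerts, one per distinct finding."""
    alerts, seen = [], set()

    def alert(rule, subject, detail):
        key = (rule, subject, detail)
        if key not in seen:
            seen.add(key)
            alerts.append(key)

    startup_files = defaultdict(set)  # directory -> file names written there
    for e in events:
        if e["type"] == "file_create" and STARTUP_RE.search(e["path"]):
            name = _base(e["path"])
            startup_files[_dir(e["path"])].add(name)
            if e["process"].lower() in SCRIPT_HOSTS and name.endswith((".exe", ".dll", ".dat")):
                alert("script host wrote executable content to Startup folder",
                      e["process"], _dir(e["path"]))
        elif e["type"] == "image_load" and STARTUP_RE.search(e["image_path"]):
            same_dir = _dir(e["image_path"]) == _dir(e["process_path"])
            if same_dir and not e.get("image_signed", False):
                alert("unsigned DLL loaded from the host's own Startup directory (T1574.002)",
                      _base(e["process_path"]), _base(e["image_path"]))
        elif e["type"] == "network" and e["dst_ip"] in PLUGX_C2:
            alert("outbound connection to known PlugX C2", e["process"],
                  f"{e['dst_ip']}:{e['dst_port']}")
    # The sideloading triple persists after the dropper deletes itself, so it is
    # also worth matching on a plain directory listing of the Startup folder.
    for directory, names in startup_files.items():
        for n in names:
            if n.endswith(".exe") and n + ".dat" in names and any(x.endswith(".dll") for x in names):
                alert("sideloading triple (host EXE + DLL + encrypted .dat) in Startup folder",
                      n, directory)
    return alerts


if __name__ == "__main__":
    for rule, subject, detail in detect(SAMPLE_EVENTS):
        print(f"[{rule}] {subject} -> {detail}")
```

The last rule is the one an analyst can apply after the fact: the report notes that once `~del.vbs.bat` has run, the only things left on disk are the three files in the Startup folder, so a periodic scan of that folder for an EXE accompanied by `<name>.exe.dat` and a DLL catches the persistence even with no process telemetry.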

This approach mirrors a technique previously documented by Lab52, using a legitimate G DATA executable, a malicious DLL, and an encrypted payload, all hallmarks of PlugX. While historically linked to Chinese espionage, PlugX is now widely reused. Here, attackers combine this known method with an AI-themed lure to trick users into installing malware.

“PlugX has historically been associated with espionage operators linked to Chinese state interests. However, researchers have noted that PlugX source code has circulated in underground forums, broadening the pool of potential operators. Attribution based on tooling alone is not definitive.” concludes the report. “What is clear is that the operators behind this campaign have combined a proven sideloading technique with a timely social engineering lure—exploiting the surging popularity of AI tools to trick users into running a trojanized installer.”

The report also provides Indicators of Compromise (IOCs).


Pierluigi Paganini


  • ✇Malwarebytes
  • A week in security (April 6 – April 12)
    Last week on Malwarebytes Labs: Fake Claude site installs malware that gives attackers access to your computer ClickFix finds a new way to infect Macs Scammers pose as Amazon support to steal your account NSFW app leak exposes 70,000 prompts linked to individual users 30,000 private Facebook images allegedly downloaded by Meta employee This fake Windows support website delivers password-stealing malware Your extensions leak clues about you, so we made sure Browser Guard doe
     