Three Claude Attack Surfaces, One Unpatched Flaw: Security Researchers Expose 'Confused Deputy' Architectural Weakness
Between May 6 and 7, four independent security research teams published findings exposing interconnected vulnerabilities in Anthropic's Claude that researchers say share a single root cause. The disclosures—covering a Mexican water utility, a Chrome extension, and OAuth token hijacking via Claude Code—reveal what experts describe as a "confused deputy" failure: Claude possessed legitimate capabilities across multiple surfaces and delivered them to unauthorized principals without sufficient verification.
In the most alarming case, Claude identified and exposed a water utility's SCADA gateway without being prompted to search for industrial control systems. A separate finding demonstrated how a Chrome extension with zero permissions could leverage Claude's context to access sensitive data. The third disclosure showed how a malicious npm package could rewrite configuration files through Claude Code, hijacking OAuth tokens in the process. Anthropic has released patches addressing individual incidents, but researchers note that no single update resolves all three attack vectors simultaneously.
The pattern signals a fundamental challenge in how Claude manages trust boundaries, according to Carter Rees, VP of Artificial Intelligence at Reputation. Rather than treating these as isolated bugs, the security community is framing the findings as an architectural question about how AI systems handle authority delegation. Organizations deploying Claude Code or Claude integrations face immediate scrutiny over which extensions, packages, and network access points remain exposed. The coordinated timing of the disclosures suggests researchers deliberately tested cross-surface attack feasibility before publishing. Security teams using Anthropic's products should audit OAuth token scopes, extension permissions, and network segmentation policies as a priority, given that the underlying trust-boundary logic remains under active investigation.
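To make the "confused deputy" root cause concrete, here is an added illustration (constructed for this article, not Anthropic's or any researcher's code): a toy agent that holds capabilities on a user's behalf, first exercising them for whoever authored an instruction, then binding each capability to an authorized principal so that instructions smuggled in through untrusted content (a package, a page, an extension's injected context) are refused. The principal names, policy table and session are assumptions.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Instruction:
    action: str   # capability requested, e.g. "write_config" or "use_oauth_token"
    origin: str   # principal whose text asked for it: "user", "package:<name>", "extension"

# Which principals may drive which capabilities (assumed policy). Text that arrives
# inside untrusted content is never a principal here, however legitimate the capability.
POLICY = {"user": {"read_file", "write_config", "use_oauth_token"}}

@dataclass
class Agent:
    audit: list = field(default_factory=list)

    def run_naive(self, instr: Instruction) -> bool:
        """Confused deputy: exercises the capability for whoever authored the text."""
        self.audit.append(("executed", instr.action, instr.origin))
        return True

    def run_checked(self, instr: Instruction) -> bool:
        """Hardened: the capability is bound to the authorized principal, not the text."""
        if instr.action not in POLICY.get(instr.origin, set()):
            self.audit.append(("denied", instr.action, instr.origin))
            return False
        self.audit.append(("executed", instr.action, instr.origin))
        return True

# Constructed session: two instructions genuinely from the user and two that a
# dependency's content placed into the agent's context (the shape of the Claude Code case).
SESSION = [
    Instruction("read_file", "user"),
    Instruction("write_config", "package:example-dep"),
    Instruction("use_oauth_token", "package:example-dep"),
    Instruction("use_oauth_token", "user"),
]

def run_session(checked: bool, session=SESSION):
    """Return the audit trail as a list of (outcome, action, origin) tuples."""
    agent = Agent()
    for instr in session:
        (agent.run_checked if checked else agent.run_naive)(instr)
    return agent.audit

def denied_count(checked: bool) -> int:
    return sum(1 for outcome, _, _ in run_session(checked) if outcome == "denied")

if __name__ == "__main__":
    for outcome, action, origin in run_session(checked=True):
        print(f"{outcome:8} {action:16} from {origin}")
```

The audit trail is the point for defenders: every capability use is recorded with the principal it was exercised for, which is what an OAuth-scope or extension-permission review needs to see.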