How did a Claude desktop extension let malware spread?

The vulnerability and how it worked

Security researchers discovered that an extension used by Anthropic’s Claude desktop client could be triggered by a calendar entry to execute malicious code without user interaction. According to published reports and security company write‑ups, a crafted Google Calendar event could force the extension to treat event content as an instruction, escaping the intended sandbox and resulting in remote code execution.

Investigators described the problem as a form of "zero‑click" prompt injection: the assistant parsed event data as actionable prompts or input rather than inert data. LayerX and other researchers noted the containerization and sandboxing around the extension fell short of expectations, allowing attackers to pivot from a benign calendar payload to arbitrary commands on affected machines.

Scope and impact

Available reports indicate:

• The flaw affected a desktop extension and exposed roughly ten thousand users, per public writeups.
• Attackers could weaponize common collaboration features — notably calendar invites — that many apps accept automatically.
• Because the exploit required no user click, it bypassed usual phishing defenses and social engineering checks.

What organizations and users should know

Anthropic and independent researchers have emphasized the need for stricter input handling inside agent connectors and more robust sandbox boundaries. Practical steps include:

• Treating external calendar and messaging content as untrusted data, not executable prompts.
• Applying principle‑of‑least‑privilege to extension runtimes.
• Patching or disabling vulnerable connectors until vendors release fixes.

Researchers showed how convenient integrations can become malware launchpads if connectors interpret data as instructions. It remains unclear exactly when a full patch reached all affected users; organizations are advised to audit agent integrations and monitor for unusual behavior.