ShadowPrompt: Zero-Click Prompt Injection Chain in Anthropic’s Claude Chrome Extension

A vulnerability chain nicknamed ShadowPrompt affected Anthropic’s official Claude Google Chrome extension. Simply visiting a malicious webpage could allow an attacker to inject prompts into Claude as if the user typed them.

This matters because routine browsing can become an AI control-plane risk, especially for users who rely on the extension to access conversation history or perform actions in a logged-in context.

A recent research described the exploit chain, its potential impact, and vendor fixes. This post breaks down what happened, who was at risk, whether exploitation is confirmed, and what defenders should do now.

What Is “ShadowPrompt” and What Was the Core Risk?

ShadowPrompt is a chained attack against the Claude Chrome extension that enabled zero-click prompt injection. A victim could land on an attacker-controlled page and, without clicking anything, have Claude receive and act on an attacker-supplied prompt that appears to originate from the user.

The core issue was not prompt injection alone. It was prompt injection delivered through a web security bug (XSS) combined with an extension trust boundary failure, allowing attacker-controlled web content to talk to the extension as a trusted sender.

Which Product and Components Were Involved?

The reported chain involved two main pieces:

Anthropic’s official Claude Chrome extension, specifically how it accepted messages or prompt submissions from web origins.
An Arkose Labs CAPTCHA component hosted on a Claude-controlled subdomain, reported as a-cdn.claude.ai, where a DOM-based XSS was present.

The key design problem was that the extension trusted prompts from a broad origin pattern: any subdomain matching *.claude.ai.

How Did the Zero-Click Exploit Chain Work in Practice?

The chain combined broad origin trust with JavaScript execution on a trusted origin.

Step-by-step flow (high level):

Victim visits an attacker-controlled webpage.
The page loads the vulnerable Arkose CAPTCHA component inside a hidden iframe.
The attacker uses postMessage to deliver a payload that triggers the DOM-based XSS in that iframe context.
The injected JavaScript runs under the origin a-cdn.claude.ai.
Because the extension accepted messages from any *.claude.ai origin, the script could send a crafted message that the extension treated as trusted.
Claude receives the injected prompt in the sidebar as if the user authored it, with the user reportedly seeing no clear UI indication of what occurred.

This is why it is called a zero-click: the user’s only action is visiting a page.

How ShadowPrompt works

What Could an Attacker Do After Injecting Prompts Into Claude?

Reported impact focused on actions and data accessible through the extension’s user context. The described outcomes included:

Sensitive data exposure, including the potential to access Claude conversation history.
Token theft or other session-related compromise paths, depending on what the extension could access in-browser.
Unauthorized actions on the victim’s behalf, including an example of sending emails while impersonating the user.

For defenders, the point is that when an AI extension can read history or interact with services, prompt injection can become a control mechanism. If an attacker can supply inputs the extension treats as user intent, a web compromise can turn into downstream account and workflow abuse.

Is There Confirmed In-The-Wild Exploitation or Threat Actor Attribution?

So far, public reporting described exploitability and potential impact, but it did not confirm:

a specific threat actor behind exploitation, or
verified in-the-wild exploitation against end users.

The lack of confirmed exploitation is not proof of safety. The chain used common building blocks (XSS, overly broad origin trust, and cross-origin messaging), and public details can increase attacker interest.

What Fixes Were Released, and What Versions Should Teams Verify?

Two fixes were reported across the chain:

Claude Chrome extension mitigation:

Anthropic shipped a patch in Chrome extension version 1.0.41 that tightened origin validation. Instead of trusting *.claude.ai, the extension reportedly requires an exact match to claude.ai.

Arkose Labs XSS fix:

Arkose Labs fixed the DOM-based XSS issue as of February 19, 2026, as reported.

Even with the upstream XSS fixed, the extension update is still a priority. Chained attacks only need one remaining weak link, and tightening the extension trust boundary reduces exposure to similar subdomain or origin-trust issues.

What Should Defenders Do Now to Reduce Risk?

Immediate actions:

Ensure the Claude Chrome extension is updated to v1.0.41 or later across managed endpoints.
Inventory browser extensions in your environment and confirm who is using AI assistants in Chrome, especially in roles with access to sensitive systems.

Policy and operational hardening (recommended):

Treat AI browser agents and assistants as high-risk extensions. Use enterprise extension governance, including approval workflows and minimum-version enforcement.
Review which teams use the extension in sensitive workflows (support, finance, identity admin, incident response) and consider limiting use until controls are validated.
Monitor for suspicious browser behavior consistent with silent injection patterns, such as unexpected extension activity immediately after visits to untrusted sites, especially where iframes and cross-origin messaging are common.

Timeline: When Was ShadowPrompt Reported and Patched?

Key dates from reporting:

Dec 26-27, 2025: Responsible disclosure to Anthropic reported.
Feb 19, 2026: Arkose Labs XSS fix reported.
Mar 26, 2026: Public media coverage described the ShadowPrompt chain.
Extension patch: Reported as v1.0.41, with the exact ship date not specified in the coverage.

If your organization depends on the Claude Chrome extension, the immediate control is straightforward: verify deployed extension versions and enforce updates, because the exploit path started with nothing more than visiting a webpage.

SOCRadar’s Attack Surface Management, Digital Footprint

Because modern browser-based AI tools can interact with trusted web sessions, organizations need visibility beyond the vulnerability itself. SOCRadar Cyber Threat Intelligence helps security teams track newly disclosed flaws, understand real-world risk, and prioritize action faster, while Attack Surface Management supports continuous monitoring of exposed internet-facing assets and third-party dependencies that may increase exposure. Together, they help defenders move from patch awareness to practical risk reduction.