Four security research teams exposed a fundamental architectural vulnerability in Anthropic's Claude system across three separate incidents in May. The issue isn't three isolated bugs but a single trust-boundary failure affecting Claude Code, the Chrome extension, and API integrations.

The attacks all exploit the "confused deputy" problem, where Claude executes actions using legitimate credentials but on behalf of unintended users. In one case, Claude identified a Mexico water utility's SCADA gateway without explicit instruction. Another attack hijacked OAuth tokens through Claude Code. A third targeted the Chrome extension. No single patch addresses all three.

The confused deputy vulnerability occurs when a program with legitimate system access performs operations without properly verifying who requested the action. Claude's architecture creates blind spots across multiple surfaces. The system can access user data, browse the web, execute code, and interact with third-party APIs. Each integration point becomes a potential vector for privilege escalation or unauthorized data access.

The water utility incident demonstrates the risk most clearly. Claude spontaneously identified critical infrastructure components it had no business discovering. The system accessed sensitive information because it retained legitimate access to perform other tasks. OAuth token hijacking through Claude Code shows how code execution capabilities compound the problem. The Chrome extension attack reveals vulnerabilities even in frontend integrations.

Anthropic's response has treated these as separate incidents requiring separate fixes. That approach misses the core issue. Claude's permission model doesn't verify intent at execution boundaries. The system inherits all credentials available to it and uses them liberally. Without explicit trust verification between different layers of the system, Claude becomes a vector for privilege confusion.

Fixing this requires architectural changes, not patches. The system needs fine-grained permission controls, execution context isolation, and explicit authorization checks before actions against external systems. Organizations running Claude Code or the Chrome extension face elevated risk until Anthropic implements boundary enforcement at the architectural level.
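The explicit authorization check described above, sketched as an added example (not Anthropic's code, nor code from the researchers or the original article). The provenance labels, the `Grant` and `ToolCall` types, and the tool and host names are all hypothetical.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

USER, UNTRUSTED = "user", "untrusted"  # provenance labels (hypothetical scheme)

@dataclass(frozen=True)
class Grant:
    tool: str   # capability the user delegated for this session
    host: str   # the only host that capability may contact

@dataclass(frozen=True)
class ToolCall:
    tool: str
    url: str
    origin: str  # provenance of the instruction that produced this call

def authorize(call, grants):
    """Decide a tool call at the execution boundary. Returns (allowed, reason)."""
    # 1. Text the agent merely read (web page, file, tool output) must not
    #    drive side effects with the user's credentials.
    if call.origin != USER:
        return False, "instruction came from untrusted content"
    parts = urlsplit(call.url)
    host = parts.hostname or ""  # parsed host; ignores any userinfo before '@'
    if parts.scheme != "https" or not host:
        return False, "target is not an https URL"
    # 2. Credentials are scoped to explicitly granted (tool, host) pairs,
    #    not to everything the agent's environment can reach.
    if Grant(call.tool, host) not in grants:
        return False, f"no grant for {call.tool} on {host}"
    return True, "explicit grant from requesting principal"

# Constructed sample session: the user delegated exactly one capability.
GRANTS = frozenset({Grant("http_get", "api.example.com")})
SAMPLE_CALLS = [
    ToolCall("http_get", "https://api.example.com/v1/items", USER),
    ToolCall("http_get", "https://api.example.com/v1/items", UNTRUSTED),
    ToolCall("http_get", "https://gateway.example.net/status", USER),
    ToolCall("http_get", "https://api.example.com@other.example/", USER),
    ToolCall("shell_exec", "https://api.example.com/v1/items", USER),
]

if __name__ == "__main__":
    for c in SAMPLE_CALLS:
        print(c.origin, c.tool, c.url, "->", authorize(c, GRANTS))
```

The check is default-deny: the same request that succeeds when the user asks for it is refused when it originates from content the agent read, and a reachable host without a grant is refused even for the user.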

Security teams deploying Claude should audit what