Claude Desktop Extension Hijacked via Google Calendar Events to Spread Malware
Security researchers have revealed a critical vulnerability in Anthropic's Claude desktop extension that allows attackers to deliver malware through malicious Google Calendar events, exposing a shocking new attack vector in AI-integrated productivity software.
Your AI Assistant Has a Backdoor — Researchers Find Claude Desktop Can Be Weaponized via Google Calendar
It started, as most security discoveries do, with someone poking at something they were not supposed to poke at. A team of researchers at cybersecurity firm Pillar Security found that Anthropic's Claude desktop extension — the AI assistant application used by millions of professionals — could be manipulated into executing malicious code delivered through a seemingly benign Google Calendar event.
The attack vector is as elegant as it is alarming.
An attacker creates a Google Calendar event and embeds a specially crafted payload in the event description or attachment. When a user's Claude desktop instance processes that event — as it commonly does when helping users manage schedules or extract meeting information — it can be induced to execute the embedded payload on the user's machine. The user sees nothing suspicious. They may not even be actively using Claude at the moment the exploit fires.
How the Exploit Works — and Who Is Vulnerable
The attack exploits a class of vulnerability known as indirect prompt injection. Claude, like all large language model-based assistants, processes natural language from external sources — emails, documents, calendar entries — as part of its core functionality. When that external content contains carefully constructed adversarial instructions, the model can be manipulated into treating those instructions as legitimate user commands.
In this specific exploit chain, the malicious Calendar event instructs Claude to make an outbound connection to an attacker-controlled server, download a second-stage payload, and execute it under the permissions of the logged-in user. On macOS systems where Claude is most commonly deployed, those permissions can be extensive — including access to the file system, clipboard, saved credentials, and communication applications.
According to Dor Amit, lead researcher at Pillar Security who discovered the vulnerability, this is not a theoretical attack. We demonstrated the full exploit chain in a controlled environment. A motivated attacker with basic technical capability could deploy this against targeted individuals. The barrier to entry is low.
Anthropic's Response and the Broader Implications
Anthropic was notified of the vulnerability through responsible disclosure protocols in early February. The company acknowledged the finding, confirmed it was investigating, and said it was working on a patch. A company spokesperson said Anthropic takes the security of Claude users extremely seriously and that an update addressing the Calendar-based injection vector was in active development. A timeline for the patch was not provided.
The Claude desktop vulnerability is part of a broader and rapidly emerging security problem in AI-integrated software. As AI assistants are granted increasing access to email, calendars, documents, and communication platforms, each new integration creates potential attack surface. Traditional software security models were not designed with AI prompt injection in mind. The security research community is only beginning to understand how to defend against it.
Until a patch is available, security researchers advise Claude desktop users to review and restrict the application's calendar access permissions, be cautious about accepting calendar events from unknown or untrusted sources, and monitor for unusual outbound network activity from the Claude application. The convenience of AI-connected productivity tools has arrived. The security infrastructure to protect users of those tools is still catching up.
