Vulnerability in Claude's Chrome Extension Allowed Full Takeover of AI Agent Sessions

ADEQUATE ASSESSMENT

Claude's Chrome extension could read what you were browsing. A vulnerability meant external actors could also read what you were browsing. The vulnerability existed because the extension's code had an edge case. No one ran the scenario where an attacker used the edge case. This is normal.

Permissions systems assume the attack surface is known before deployment. They list threats in a dialog box and users click agree. The dialog does not include unknown threats. Unknown threats do not appear in the permissions model because they are unknown. The model was adequate until it was not, at which point it became a different model.

The risk register has been updated to reflect that this happened. The risk register was not updated before it happened because risks are identified through incidents, not prediction. Adequate confirms that this is the standard order of operations. Adequate will not specify when the next incident will occur because prediction is not its function.

ORIGINAL FILING

SecurityWeek

READ ORIGINAL FILING →

FURTHER DEVELOPMENTS — FLAGGED BY ADEQUATE

Claude Mythos and GPT-5.5 Have Autonomously Developed Functional Browser Exploits

The Decoder

Porting the Moebius 0.2B image inpainting model to run in the browser with Claude Code

Simon Willison

Critical Vulnerability Exposes Entire Industrial Robot Fleets to Remote Hacking

SecurityWeek

Three AI-Adjacent Stories Were Combined Into One Headline

Wired AI

Anthropic's Mythos Breached 'Almost All' NSA Classified Systems in Hours During Red-Team Test

Tom's Hardware

Google Sues Chinese Cybercrime Network That Used AI to Defraud Hundreds of Thousands of Users

TechCrunch