
Claude Cowork Exfiltrates Files

RSS January 14, 2026

Summary

Claude Cowork defaults to allowing outbound HTTP traffic to only a specific list of domains, to help protect the user against prompt injection attacks that exfiltrate their data.
Prompt Armor found a creative workaround: Anthropic's API domain is on that list, so they constructed an attack that includes an attacker's own Anthropic API key and has the agent upload any files it can see to the https://api.anthropic.com/v1/files endpoint, allowing the attacker to retrieve their content later.
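An added example, not code from the post, Prompt Armor or Anthropic, of the policy gap described above: a hypothetical egress-proxy check that compares a host-only allowlist with one that also restricts paths and binds every request to the user's own API key (sent in the `x-api-key` header the Anthropic API uses). The key values and sample requests are constructed.

```python
from urllib.parse import urlparse

# Constructed values: the user's own API key and the egress allowlist.
USER_API_KEY = "sk-ant-user-key-PLACEHOLDER"
ALLOWED_HOSTS = {"api.anthropic.com"}
# Per-host path allowlist: only the endpoints the agent actually needs.
ALLOWED_PATHS = {"api.anthropic.com": {"/v1/messages"}}


def domain_only_policy(url):
    """The weak check: allow any request whose host is on the list."""
    return urlparse(url).hostname in ALLOWED_HOSTS


def strict_policy(url, headers):
    """Host, path and credential binding must all pass; returns (ok, reason)."""
    parsed = urlparse(url)
    host, path = parsed.hostname, parsed.path
    if host not in ALLOWED_HOSTS:
        return False, "host not allowlisted"
    if path not in ALLOWED_PATHS.get(host, set()):
        return False, f"path {path} not allowlisted for {host}"
    # Credential binding: an injected, attacker-supplied key must not be
    # usable even on an allowlisted host and path.
    if headers.get("x-api-key") != USER_API_KEY:
        return False, "request does not use the user's own API key"
    return True, "ok"


# Constructed sample requests: a legitimate call, the upload-to-allowed-host
# pattern with a foreign key, and a plain non-allowlisted host.
SAMPLE_REQUESTS = {
    "legit_messages": ("https://api.anthropic.com/v1/messages",
                       {"x-api-key": USER_API_KEY}),
    "file_upload_foreign_key": ("https://api.anthropic.com/v1/files",
                                {"x-api-key": "sk-ant-ATTACKER-PLACEHOLDER"}),
    "other_host": ("https://example.invalid/upload",
                   {"x-api-key": USER_API_KEY}),
}


def evaluate(requests=SAMPLE_REQUESTS):
    """Return {name: (domain_only_verdict, strict_verdict)} per request."""
    return {name: (domain_only_policy(url), strict_policy(url, hdrs)[0])
            for name, (url, hdrs) in requests.items()}
```

Running `evaluate()` shows the host-only policy passing the upload with a foreign key while the strict policy rejects it on both the path and the key.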

Via Hacker News

Tags: security, ai, prompt-injection, generative-ai, llms, anthropic, exfiltration-attacks, ai-agents, claude-code, lethal-trifecta, claude-cowork

How to Use in Your Ecosystem

This security vulnerability is critically relevant to Zac's ecosystem, which relies heavily on Claude agents and AI-powered orchestration. The finding suggests implementing strict input validation, output filtering, and potentially developing a custom Model Context Protocol (MCP) layer that adds additional safeguards against prompt injection and file exfiltration attacks, especially in infrastructure and tracking applications like task_tracker and app_monitor where sensitive data exposure could be catastrophic.

Source

https://simonwillison.net/2026/Jan/14/claude-cowork-exfiltrates-files/#atom-everything