Post #8682

@thehackernews

The Hacker News

Views10,500Post view count

PostedMar 2603/26/2026, 03:13 PM

Post content

⚠️ A flaw in Claude’s Chrome extension let attackers inject prompts by just visiting a page. No clicks. A hidden iframe + XSS chain made the extension treat attacker input as real user commands, enabling data theft and actions like sending emails. 🔗 How the silent prompt injection worked → https://thehackernews.com/2026/03/claude-extension-flaw-enabled-zero.html