One Click Was All It Took to Hijack Anthropic's Claude AI
A flaw in the Claude Desktop app let attackers silently feed malicious instructions to the AI and steal private files. The bug is fixed, but the attack method points to a new category of risk.

Key points
- Researchers at Oasis Security discovered a flaw, named "PromptFiction," in Anthropic's Claude Desktop application that let attackers plant hidden instructions in the AI with a single click.
- The vulnerability used a special link format ("claude://") to open the app and automatically submit attacker-written commands, with no action required from the user.
- When combined with a separate set of flaws called "Claudy Day," attackers could have read private conversations, accessed local files, and run malicious code on a victim's computer.
- Anthropic patched the flaw in Claude Desktop version 1.1.2321, first reported in full detail by Dark Reading.
- A second researcher independently found the same flaw before Oasis but chose not to publish; Oasis credited them publicly.
Anthropics's Claude Desktop, the downloadable app that lets people chat with the Claude AI on their own computer, had a flaw that could have let criminals steal private files and conversations without the victim doing anything beyond clicking a single link.
Researchers at Oasis Security, a cybersecurity firm, found and reported the bug. They named it "PromptFiction."
How did the attack work?
A prompt injection is an attack where criminals secretly feed instructions to an AI system, tricking it into doing things its real user never intended. Until now, most known examples required the victim to actually press Send or Enter, submitting the hidden command themselves.
PromptFiction skipped that step entirely.
Claude Desktop registers what is called a custom URI scheme, meaning it listens for links that start with "claude://" the same way your computer opens Zoom when you click a meeting invite. Oasis found that a crafted "claude://" link would open Claude Desktop and immediately send a prepared, attacker-written command to the AI, with no review from the user at all.
A malicious link placed on a website, in an email, a chat message, or even a search result would do it. One click.
To hide the attack, the criminals would pad the hidden instruction with innocent-looking text, burying the malicious part below what the user could see without scrolling. Claude would still act on the full message.
On its own, that was serious. Combined with a second set of vulnerabilities Oasis had already discovered in Claude, called "Claudy Day," the damage could go much further: reading a victim's previous AI conversations, accessing files on their computer, and at worst, running foreign code on the machine without permission.
Anthropics fixed the flaw in Claude Desktop version 1.1.2321. If you use the desktop app, check that you are running that version or any newer release. You can usually find your current version in the app's "About" menu.
Oasis noted that another researcher had independently found the same vulnerability and reported it quietly to Anthropic without publishing. Oasis publicly credited that person.
Elad Luz, research lead at Oasis, put the wider problem plainly: the old method of a human carefully reviewing every software release before it ships cannot keep pace with how fast AI products are being built and updated. He argues the answer is to use AI tools themselves to check the security of new AI releases in real time.
For organisations that deploy AI assistants internally, security experts quoted in the Oasis report recommend treating these tools like any other piece of software that has access to sensitive data: monitor what the AI is allowed to connect to, log unusual activity, and keep a clear inventory of every AI tool, plugin, and server running across your environment.



