Claude Desktop's Sync Feature Gave Attackers Full Remote Access to Developer Machines
Security researchers demonstrated how compromised email accounts can poison AI assistant settings across devices, turning trusted chatbots into persistent command-and-control agents without user awareness

When Trust Becomes a Backdoor
A developer opens Claude Desktop on their laptop, types a routine question about a code snippet, and receives what looks like a system error with a helpful fix. They click the link, follow the instructions, and within seconds an attacker on the other side of the world has full command execution on their machine. The developer never suspected their AI assistant had been working for someone else.
Pentera Labs demonstrated this scenario in November 2025, exploiting Claude Desktop's account synchronization to turn the AI assistant into what offensive security services team leader Dvir Avraham calls "a persistent, stealthy C2 agent." The attack vector relies on two accessible entry points: a compromised email inbox and the victim running Anthropic's desktop application, which operates across macOS, Windows, and Linux.
At DailyTechWire, we've tracked the rapid expansion of agentic AI tools with local system access, from GitHub Copilot Workspace to Cursor to Claude's own Code and Cowork features. Each grants AI models progressively deeper hooks into developer environments. What Pentera's research illustrates is how that expanded capability surface becomes an expanded attack surface when account security fails upstream.
The Mechanics of Preference Poisoning
The attack chain begins outside Claude entirely. Pentera researchers Avraham and Reef Spektor gained access to a victim's email through a third-party inbox aggregation platform during a red-team engagement. They point out that email compromise pathways remain abundant: phishing, social engineering, credential stuffing, or even AI agents with inbox connectors and Model Context Protocol (MCP) access can serve as entry vectors.
Once inside the email account, the researchers pivoted to the victim's Claude account, which uses the same authentication. The critical insight came from examining Claude Desktop's personalization features. These settings, which include communication preferences and project-specific instructions, sync automatically across all devices and sessions tied to a single account.
Avraham and Spektor crafted a base64-encoded prompt and inserted it into the victim's personal preferences. The payload instructed Claude to enumerate command-capable tools on the local machine, such as Desktop Commander or MCP connectors, and execute attacker-supplied commands if available. If no such tools existed, Claude would generate a convincing error message complete with fabricated error codes, Anthropic branding elements, and step-by-step remediation instructions linking to attacker-controlled infrastructure.
The poisoned preferences propagated silently. The next time the victim opened Claude Desktop and initiated a chat, the malicious instructions loaded invisibly in the background. The user interface displayed no warnings, no anomalies, only the familiar Claude chat window.
From Chatbot to Command Shell
When the victim's machine already had Desktop Commander or a similar extension installed, the attack became immediate. The injected prompt leveraged those tools to establish a reverse shell, granting the attacker direct command-line access. Avraham describes it as "full compromise of the machine" with minimal interaction required.
In cases where command-capable tools were absent, Claude became what the researchers term a "phishing layer." The fabricated error messages appeared authentic because they mimicked Anthropic's design language and included elements users associate with legitimate support, such as emoji conventions and links pointing to real Anthropic domains (though the actual payload delivery occurred elsewhere). Users, conditioned to trust their AI assistant and accustomed to installing tools to extend functionality, typically followed the instructions.
Once execution capability was established, the researchers configured Claude to issue a curl request to their controlled server on every interaction, fetching and executing bash commands. By rotating commands server-side, they maintained persistent access without modifying the victim's system beyond the initial foothold. The victim continued using Claude for legitimate tasks, unaware that each interaction also served the attacker's objectives.
Developer Access as Strategic Entry Point
The specific target in Pentera's engagement was a developer, a choice Spektor describes as strategic. Developers routinely handle API keys, authentication tokens, cloud credentials, and access to internal repositories. Compromising a developer workstation provides not just a single machine but a gateway into broader organizational infrastructure.
After establishing control, the red team moved laterally across the company's network using methods they declined to detail. The developer's credentials enabled access to internal systems, cloud environments, and source code repositories. This progression mirrors patterns seen in recent supply-chain compromises, where initial access to a single developer leads to repository poisoning, secret exfiltration, and downstream customer impact.
The attack unfolded in November 2025, before Anthropic released the Cowork feature in January. Cowork allows Claude to perform extended tasks on a user's computer with the explicit framing that "anything you can do on your computer, Claude can do." Avraham notes that if they conducted the research today, the tool enumeration and phishing phases would be unnecessary. Cowork grants command execution by design, eliminating the need to check for third-party extensions or trick users into installing them.
Anthropic's Response and the Feature-Bug Boundary
Pentera disclosed their findings to Anthropic in November. The company's response, according to the researchers, classified the behavior as intended functionality rather than a vulnerability. Anthropic stated that personal preferences, skills, and MCP connectors are features designed to execute code through Claude Desktop, and that manipulating these features to run arbitrary code "represents expected functionality rather than a security vulnerability."
This response highlights a recurring tension in agentic AI security. The capabilities that make these tools powerful, such as cross-device sync, local file access, and command execution, are the same capabilities that become liabilities when account boundaries are breached. Anthropic's position treats the email account as the security perimeter; if that perimeter fails, downstream consequences fall outside the AI provider's threat model.
Yet the attack surface is asymmetric. Email accounts are compromised routinely, through vectors far less sophisticated than the one Pentera demonstrated. The synchronization behavior that enhances user experience, allowing seamless transitions between phone and desktop, also ensures that a single account breach propagates malicious instructions across every device the user owns.
Avraham's personal reaction is telling. After completing the research, he adopted a policy of manually reviewing every command his AI assistant suggests before execution. "I became a little bit paranoid," he admits. That paranoia, though, reflects a rational recalibration of trust in systems designed to act autonomously on a user's behalf.
Defensive Posture for Agentic AI Environments
Pentera's recommendations span user behavior, organizational policy, and red-team methodology. For individual users, the guidance is straightforward but counter to current usage patterns: scrutinize every install prompt and error message from an AI assistant, even when they appear legitimate. Run AI desktop applications in sandboxed environments rather than on primary workstations when possible.
Security teams should reclassify AI desktop applications as privileged software, equivalent in risk profile to VPN clients, endpoint agents, or administrative shells. This means monitoring configuration changes, particularly to synced settings that propagate across devices. It also means restricting which extensions and MCP connectors can be installed alongside AI applications, applying the same allowlist discipline used for browser extensions or IDE plugins.
Red teams, meanwhile, should incorporate AI desktop applications into standard assessments. Avraham and Spektor argue that most engagements still overlook this attack surface despite its growing prevalence in developer and knowledge-worker environments. The tools are ubiquitous, the trust users place in them is high, and the technical barriers to exploitation, once an email account is compromised, are low.
Trust Architecture in the Agentic Era
The Pentera research underscores a broader architectural challenge. Agentic AI tools derive value from deep integration: accessing files, executing code, reading credentials, interacting with APIs. Each integration point is a design choice that trades convenience for attack surface. Synchronization across devices multiplies that surface, ensuring that a breach in one context (a compromised email account) affects all contexts (every device the user owns).
Anthropic's stance that this is "expected functionality" is technically accurate but strategically incomplete. Expected functionality can still produce unexpected consequences when adversaries understand the system better than its users do. The developer in Pentera's scenario expected Claude to help write code, not to execute commands on behalf of an attacker who poisoned their account settings days earlier.
As AI assistants gain autonomy, the security model must account for the assistant itself becoming an adversary, or at least an unwitting accomplice. Traditional endpoint security focuses on preventing unauthorized software from executing. Agentic AI inverts that model: the software is authorized, even trusted, but its instructions may not be. Detecting that inversion requires visibility into configuration state, behavioral anomaly detection, and user education that most organizations have not yet deployed.
The phrase "double agent" in Avraham's framing is apt. The user believes Claude is working for them. The attacker knows Claude is working for both, and the user will never notice the difference.


