Anthropic’s Claude.ai platform has been found vulnerable to a sophisticated, multi-stage attack chain that allows threat actors to silently extract sensitive user data and redirect victims to malicious destinations. Dubbed “Claudy Day” by researchers, the attack highlights how AI systems can be manipulated through prompt injection techniques without relying on traditional malware or external integrations.

The attack is particularly concerning because it operates entirely within a normal Claude session, making it difficult for both users and security tools to detect. Researchers identified three linked weaknesses that enable the full exploitation process: an invisible prompt injection flaw, a covert data exfiltration method, and an open redirect vulnerability on the claude.com domain. Anthropic has already addressed the prompt injection issue after it was responsibly disclosed. However, fixes for the remaining vulnerabilities are still in progress, meaning some environments could remain at risk depending on their configuration and usage.

Ad Banner

The attack begins with the abuse of an open redirect flaw on Claude’s domain. Cybercriminals can craft links that appear legitimate especially when distributed through channels like online advertisements that rely on trusted domains. When users click these links, they are quietly redirected to a malicious URL without any obvious warning signs.

This malicious link leverages Claude’s pre-filled prompt functionality. Hidden instructions are embedded within the URL parameters using HTML elements that remain invisible to users but are processed by the AI system when the session loads. Once executed, these instructions prompt Claude to scan the user’s conversation history and extract sensitive information, including personal data, financial details, medical records, or confidential business content.

The second stage of the attack involves exfiltration. The injected prompt contains an attacker-controlled API key, allowing the AI system to transfer the collected data directly to the attacker’s account through Anthropic’s own Files API. Because this activity occurs within legitimate platform workflows, it can bypass traditional monitoring systems that are designed to detect unusual network behavior or malicious files.

The risk becomes more severe when Claude is integrated with external systems such as Model Context Protocol (MCP) servers, third-party APIs, or internal enterprise tools. In such cases, the AI can access and retrieve additional sensitive data from connected environments, effectively acting as a trusted insider operating under legitimate permissions. Researchers warn that attackers could further refine these campaigns using targeted delivery methods, increasing the likelihood of successful exploitation. The incident reflects a broader shift in cybersecurity, where AI platforms are evolving from passive tools into active systems capable of interacting with sensitive data and infrastructure As organizations continue to adopt AI technologies, experts stress the importance of strengthening governance, limiting access, and closely monitoring AI behavior. Without these measures, vulnerabilities like “Claudy Day” could enable silent data breaches and undermine trust in AI-driven systems.

Recommended Cyber News:

To participate in our interviews, please write to our CyberTech Media Room at info@intentamplify.com