Claude in Chrome Issues, Local Models Aren't Secure, Canvas Hack, Quantum Readiness Concerns & more | AI & Cybersecurity Last Week

Covering May 4 - May 10

Hey there! I’m Jasmine — a Product Security Engineer, and if you know me personally, also a quite bit of a travel bug and matcha enthusiast. I’ve realized how hard it is to keep up with everything happening in cybersecurity, AI, and tech because there’s just so much being put out every day. So every week I share the security-related news and stories I found most interesting or relatable. It helps me stay accountable, and hopefully it helps you stay in the loop too :)

---

AI Research & Vulnerabilities

1. Claude’s Chrome Extension Can Be Hijacked by Any Other Browser Extension:

   A design flaw in Claude’s Chrome extension lets any other browser extension, even one with zero declared permissions, hijack it. The extension trusts the claude.ai origin rather than verifying what’s actually running there, so a script injected by another extension can talk to Claude as if it were the user. The attacker extension can execute prompts, bypass Claude’s safety guardrails, skip user confirmation, and trigger actions across logged-in services like Gmail, Google Drive, and GitHub. Anthropic shipped a partial fix that adds an approval prompt, but the attack still works when users run Claude in “Act without asking” mode.

2. macOS Malware Distributed via Google Ads and Real claude.ai Shared Chats:

   A macOS malware variant called MacSync is being distributed through Google Ads that link to legitimate claude.ai shared chats. A user searching “Claude download mac” sees a sponsored result that lands on a real claude.ai URL, then reads installation instructions telling them to paste a terminal command. The command hides the real URL with base64 and pipes the downloaded content into zsh, which executes the malware. The known delivery domain is customroofingcontractors[.]com. Because the install instructions sit inside Anthropic’s own shared-chat feature, the URL bar looks correct even though the content is attacker-controlled.

3. Critical Flaw in Local LLM Server Ollama Leaks Prompts and Secrets:

   A critical vulnerability (CVE-2026-7482, CVSS 9.1) in Ollama, an open-source platform for running LLMs locally instead of in the cloud, lets unauthenticated attackers leak the entire process memory in three API calls. The leaked memory contains user prompts, system prompts, and environment variables from the host. Ollama listens on all interfaces (0.0.0.0) by default with no authentication, and roughly 300,000 servers are exposed on the internet. For enterprises running it as an internal AI chat or wiring it to tools like Claude Code, that memory can contain API keys, proprietary code, customer contracts, and tool outputs.

4. Major MCP Clients Aren’t Refreshing OAuth Tokens, Leaving Servers on Long-Lived Credentials:

   A review of 14 popular MCP clients in April 2026 found none fully implement the OAuth refresh flow. The MCP authorization spec recommends short-lived access tokens (5-60 min) paired with refresh tokens that rotate automatically, so a stolen token expires quickly. Claude Code, Claude Desktop, Claude.ai, Cursor, LibreChat, and Amazon Q CLI don’t implement it at all. Seven others including Zed, VS Code, and Gemini CLI refresh in some conditions but break in others. To avoid constant reconnects, servers are pushed to issue access tokens that last hours instead of minutes, leaving a wider window for stolen credentials to be replayed before they expire.

5. Fake Claude Site Pushes Backdoor Through Sponsored Search Results:

   A fake Claude site at claude-pro[.]com is impersonating Anthropic’s real Claude page through a malvertising campaign, likely surfacing via paid ads or poisoned search results. The site offers a download called Claude-Pro Relay, a 505MB ZIP containing an MSI installer. Once run, it drops three files into the user’s startup folder, including a legitimately signed antivirus updater that sideloads a malicious DLL. The DLL decrypts and executes an in-memory loader, which delivers a previously undocumented backdoor. The backdoor accepts command execution, file upload and download, and directory operations over TCP and UDP channels.https://www.hiddenlayer.com/research/malware-found-in-trending-hugging-face-repository-open-oss-privacy-filter

6. Malicious npm Package Can Hijack Claude Code MCP Tokens Through Trusted Config:

   This isn’t a vulnerability so much as a risk scenario built on permitted behaviors. A malicious npm package can ship a postinstall hook that seeds Claude Code’s trust file (~/.claude.json) and quietly rewrites the MCP server URL to point at an attacker-controlled proxy. Once Claude Code refreshes the MCP session, the OAuth bearer token transits the proxy and ends up in the attacker’s hands. From the provider side, audit logs show valid user activity from Anthropic’s IP range. Token rotation doesn’t help because the install hook reseeds the configuration every time Claude Code loads.

---

AI News

1. Chrome Silently Installs a 4 GB Gemini Nano Model on Users’ Devices:

   Google Chrome is silently downloading a 4 GB Gemini Nano AI model file to user devices without prompting or surfacing it in Settings. The download is on by default on eligible hardware, and Chrome re-downloads the file if the user deletes it. Forensic kernel-level filesystem logs on a clean profile that received zero human input recorded the full 4 GB install in roughly 14 minutes. The visible “AI Mode” pill in the Chrome omnibox is actually cloud-backed and sends queries to Google’s servers, not the local model the user has been silently given.

---

Cybersecurity Research & Vulnerabilities

1. Microsoft Edge Keeps Every Saved Password Plaintext in Process Memory:

   Microsoft Edge loads every saved password into memory in plaintext at browser startup, and the credentials stay decrypted whether or not the user visits a site that needs them. An attacker with administrative access on a shared or terminal server can read the memory of all logged-on user processes and pull the passwords directly. The behavior does not appear in other Chromium-based browsers like Chrome, which keeps saved passwords harder to extract from process memory. Microsoft says this is by design, citing performance and usability, and recommends keeping the browser and antivirus up to date.

2. AI-Assisted Audit Surfaces Linux Kernel Flaw Rooting Every Tested Distro Since 2017:

   A critical Linux kernel flaw disclosed as CVE-2026-31431 (Copy Fail) lets any unprivileged local user become root on essentially every mainstream Linux distribution running an unpatched kernel built between 2017 and now. A logic bug in the kernel crypto API allows a 4-byte write into the in-memory copy of a setuid binary, never touching disk, with no race condition or per-distro offsets required. A 732-byte Python script reliably roots Ubuntu, Amazon Linux, RHEL, and SUSE in one shot, and crosses container boundaries on shared hosts. The bug was surfaced when AI tooling scaled a human researcher’s hypothesis across the kernel crypto subsystem in about an hour.

3. Leaked AWS Keys Let Attackers Send Phishing Through Real Amazon SES Accounts:

   Attackers are abusing Amazon SES, AWS’s transactional email service, to send phishing and BEC emails that pass SPF, DKIM, and DMARC and originate from IPs nobody blocklists. Access usually comes from leaked IAM keys exposed in public GitHub repositories, ENV files, Docker images, or public S3 buckets, scraped by automated tooling. Once in, attackers blast phishing emails from a real AWS account. Common themes include fake Docusign notifications that redirect to phishing forms hosted on amazonaws.com. One BEC variant impersonates an employee and includes a fabricated email thread with a vendor to push fraudulent invoice payments.

---

Cybersecurity News

1. ShinyHunters Breached Canvas, Causing Stress for Millions of Students:

   ShinyHunters defaced Canvas login pages with a ransom demand threatening to leak data from 275 million students and faculty at nearly 9,000 institutions, forcing Instructure offline during final exams and leaving students unable to access coursework. The breach was first acknowledged on May 1, but Instructure’s CISO declared containment the next day. The entry point was Free-for-Teacher accounts. While Instructure says no passwords, government IDs, or financial data were accessed, ShinyHunters claims to have taken several billion private messages, which can contain sensitive details. Multiple universities have reportedly approached ShinyHunters about paying.

2. FTC Files Order to Ban Kochava from Selling Americans’ Precise Location Data

   The FTC filed a proposed order barring data broker Kochava and its subsidiary Collective Data Solutions from selling precise location data without explicit consumer consent, stemming from charges filed in August 2022. The case centered on Kochava selling geolocation data from hundreds of millions of devices through a $25,000 AWS Marketplace subscription, covering 94 billion monthly transactions. The data tracked movements to sensitive locations including reproductive health clinics, addiction recovery facilities, domestic violence shelters, and places of worship. The order also requires Kochava to let consumers see who received their data and withdraw consent.

3. 28 Android Apps Sold Fake Call Logs to 7 Million Users:

   A cluster of 28 fraudulent Android apps called CallPhantom racked up 7.3 million downloads on Google Play, charging users for access to call history, SMS records, and WhatsApp call logs for any phone number, a function the apps cannot perform. The “results” are randomly generated from hardcoded names and templates baked into the code. Most apps targeted users in India and the Asia-Pacific region, with subscriptions running from €5 up to $80. Some sidestepped Google Play billing by routing payments through third-party UPI apps or direct card forms, leaving victims with no refund path. Google has removed all 28 apps.

---

Quantum Updates

1. Project Eleven Report Forecasts Q-Day by 2033, Migration Could Take a Decade:

   A 110-page report from Project Eleven forecasts “Q-Day,” when quantum computers can break widely used public-key cryptography, as early as 2030 and no later than 2033. The elliptic curve signatures securing over $3 trillion in crypto also underpin banking, cloud, authentication, and military communications, and Shor’s algorithm on a sufficient quantum computer could derive private keys from public keys to forge signatures. Migration could take a decade, with the holdup being coordination across users, exchanges, custodians, and miners rather than missing technology. For Bitcoin, the report compares the lift to SegWit, which took two years and split the chain.

2. Quantum Encryption Ran 120 Kilometers Over Standard Fiber for Six Hours:

   A new quantum key distribution (QKD) system ran across more than 120 kilometers of standard optical fiber and stayed stable for over six hours without manual adjustment. QKD sends encryption keys as single photons, so any attempt to intercept them disturbs the signal and gets caught, a security property of physics rather than math. The setup used a telecom-band semiconductor quantum dot to emit single photons on demand, encoded by the arrival times of those photons. The system held an average secure key rate of about 15 bits per second, fast enough for encrypted text messaging, with bit error rates below 11%.

3. BTQ Picked for Korean Bank Stablecoin Pilot, Layering Post-Quantum Signatures Over ECDSA:

   BTQ Technologies, a Vancouver-based quantum tech company, was picked as the post-quantum cryptography provider for a Korean won stablecoin proof-of-concept with regional commercial bank iM Bank and Korean fintech Finger. BTQ’s Quantum Secure Stablecoin Settlement Network (QSSN) will run a dual-signature architecture, pairing NIST-standardized ML-DSA post-quantum signatures alongside existing ECDSA cryptography on the Kaia mainnet. The pilot validates real-time reconciliation between bank reserves and on-chain supply, a global-standard smart contract layer, overseas distribution connectivity, and the dual-signature security stack. Running ECDSA and PQC signatures in parallel is meant to address harvest-now-decrypt-later without breaking compatibility with existing wallets.

👉 Like this post + subscribe to catch next week’s roundup!