socradar.io 3/27/2026, 11:37:29 AM

ShadowPrompt: Zero-Click Prompt Injection Chain in Anthropic’s Claude Chrome Extension

CyberSIXT Evidence Panel
Primary Source: koi.ai

SHADOWPROMPT refers to a zero-click prompt injection chain that affected Anthropic’s Claude Chrome extension, where simply visiting a malicious webpage could cause Claude to receive and act on attacker-supplied prompts appearing to originate from the user.

The chain combined a web security flaw (an XSS) with an extension trust-boundary issue: the extension accepted messages from any origin matching *.claude[.]ai as a trusted sender, so attacker-controlled content running in a hidden Arkose Labs CAPTCHA iframe on a Claude-controlled subdomain could talk to the extension as a trusted sender.

In practice, an attacker could deliver a crafted prompt to Claude in the user’s context with no user interaction beyond loading the page, potentially exposing conversation history, enabling token theft, or triggering actions on the victim’s behalf. Public reporting described the exploitability and impact but did not confirm a specific threat actor or in-the-wild exploitation.

Fixes included Claude Chrome extension version 1.0.41, which tightened origin validation to require an exact match to claude[.]ai, and Arkose Labs’ XSS patch dated 19 February 2026, along with guidance for defenders to update, inventory extensions, and monitor for suspicious behaviour. Responsible disclosure was noted for Dec 26–27, 2025, with March 26, 2026 marking broader media coverage.
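The trust-boundary issue and its fix, as an added JavaScript example that is not code from the extension or from the koi.ai report: it models the origin check a message handler applies, once with the pre-fix wildcard rule and once with the exact match introduced in version 1.0.41. The postMessage channel, the handler shape and the subdomain name captcha.claude.ai are assumptions for illustration.

```javascript
// Added example, not the extension's own code. The message channel
// (window.postMessage), the message shape and the subdomain name are assumptions.

const TRUSTED_ORIGIN = "https://claude.ai"; // exact origin, as in the 1.0.41 fix

// Pre-fix model: any https origin whose host matches *.claude.ai is trusted.
// This quietly extends the trust boundary to every subdomain, so an XSS in
// any one of them (here, a hidden CAPTCHA iframe) can speak as the user.
function isTrustedOriginWildcard(origin) {
  let url;
  try { url = new URL(origin); } catch { return false; }
  return url.protocol === "https:" &&
    (url.hostname === "claude.ai" || url.hostname.endsWith(".claude.ai"));
}

// Post-fix model: only the exact origin string is accepted.
function isTrustedOriginExact(origin) {
  return origin === TRUSTED_ORIGIN;
}

// Minimal handler: returns the accepted prompt text, or null when the message
// is dropped. The origin check runs before the payload is even inspected.
function handlePromptMessage(event, isTrusted) {
  if (!isTrusted(event.origin)) return null;
  const d = event.data;
  if (typeof d !== "object" || d === null) return null;
  if (d.type !== "prompt" || typeof d.text !== "string") return null;
  return d.text;
}

// Constructed messages: one from the top-level site, one from a subdomain
// standing in for a third-party iframe (hypothetical host name).
const fromSite = { origin: "https://claude.ai",
                   data: { type: "prompt", text: "summarise this page" } };
const fromSub  = { origin: "https://captcha.claude.ai",
                   data: { type: "prompt", text: "text injected by the iframe" } };

function demo() {
  return {
    wildcardSite: handlePromptMessage(fromSite, isTrustedOriginWildcard),
    wildcardSub:  handlePromptMessage(fromSub,  isTrustedOriginWildcard),
    exactSite:    handlePromptMessage(fromSite, isTrustedOriginExact),
    exactSub:     handlePromptMessage(fromSub,  isTrustedOriginExact),
  };
}
```

Under the wildcard rule both messages are accepted; under the exact rule only the top-level site's message survives, which is the whole effect of the fix.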


Article by CyberSIXT