Back to Blog
·8 min read·
ai-securityagent-securityclaudepenteraprompt-injectionc2mcp

Pentera Just Weaponized Claude Desktop's Synced Preferences Into a Reverse Shell. Your AI Assistant Is Now the C2 Infrastructure.

Researchers turned Claude Desktop into a persistent command-and-control agent using nothing but the Personal Preferences field. No malware. No exploits. Just a synced prompt and an MCP extension. The attack has zero HN coverage and changes the threat model for every AI assistant on every developer machine.

On July 9, 2026, Pentera researchers published a proof of concept that should make every developer who runs an AI coding assistant reconsider their threat model. They turned Claude Desktop into a persistent, remotely-controlled command-and-control agent. The attack uses no malware. No exploits. No phishing. Just a synced preference field and an MCP extension the victim installs themselves.

Three days earlier, the AI Now Institute published Friendly Fire — a technique that tricks AI coding agents into running attacker code during security reviews. GhostApproval followed the next day, showing that 40-year-old symlink tricks bypass confirmation dialogs in six AI coding assistants.

But Pentera’s attack is different. The previous exploits target what the agent does with untrusted code. Pentera’s exploit targets the agent itself — turning the assistant into the attack infrastructure.

The Attack Chain, Step by Step

Here’s how it works. It’s four steps and none of them require a zero-day.

Step 1: Compromise the Email Inbox

Pentera started with a red-team engagement on a third-party email aggregation platform — the kind that consolidates multiple inboxes into a single dashboard. They exploited an authentication flaw that gave them access to thousands of live user inboxes. No specific platform was named, but the technique is general: any centralized inbox manager with weak auth is a skeleton key.

Step 2: Pivot to the Claude Account

Once inside the inbox, the researchers used password resets and magic links to pivot into the victim’s Claude account. This step is trivial if you control the email — it’s the standard account recovery flow that every SaaS product uses.

Step 3: Inject the Payload Into Personal Preferences

This is the novel part. Claude Desktop has a “Personal Preferences” field — a user-configurable prompt that defines tone, workflow, and behavioral instructions. It syncs across every session and every device tied to the account.

The researchers crafted a prompt injection payload that:

  • Enumerates installed MCP extensions and command-capable tools
  • Executes shell commands silently if a command tool exists
  • Fetches updated payloads from attacker infrastructure on every interaction
  • Falls back to a social engineering routine if no command tool is found

The payload was encoded to appear as an opaque blob, not readable text. It looks like a corrupted preference, not a malicious instruction. The Claude web interface shows “Account preferences updated” — no warning, no alert.

Step 4: Wait for Sync

The next time the victim opens Claude Desktop, the synced preferences load silently. If the victim has Desktop Commander (an MCP extension for local command execution) installed, the payload triggers immediately. Claude executes attacker-controlled shell commands in the background while continuing to respond to the victim’s visible queries.

If Desktop Commander isn’t installed, the payload shifts to social engineering. Claude presents a convincing fake error message — complete with error code and installation instructions — directing the victim to install Desktop Commander. The prompt and the extension’s install page both appear legitimate. Once installed, the next user message triggers full command execution.

The result: a persistent C2 loop. Each interaction with Claude Desktop becomes an opportunity to fetch and execute updated bash payloads from the attacker’s infrastructure. The victim chats with Claude about their React component while Claude exfiltrates environment variables, lists directories, and establishes outbound connections.

This Is Not a Vulnerability

Pentera is explicit about this: no single component is “broken.” The attack emerges from a combination of legitimate design choices:

  • Cross-device preferences sync (convenient, useful)
  • Magic link account recovery (industry standard)
  • MCP extensions with command execution (core functionality)
  • Prompt-based behavioral control (the entire point of LLM assistants)

Each decision makes sense in isolation. Together, they create an attack surface that doesn’t appear on any threat model diagram because the diagram doesn’t have a box for “synced prompt becomes C2 channel.”

How Big Is the Blast Radius?

Let’s put this in context. Here’s what we know about the current state of AI agent security from the first half of 2026:

Metric Value
Organizations reporting AI agent security incidents 88% (Beam.ai)
Security budgets dedicated to AI agent security 6% (Beam.ai)
AI agents going live with full security approval 14.4% (Beam.ai)
Unauthenticated MCP servers exposed to internet 492 (Trend Micro)
Internet-exposed OpenClaw instances 40,214 (35.4% flagged vulnerable) (SecurityScorecard)
Breached orgs missing proper AI access controls 97% (Beam.ai)

And the known breaches keep stacking up:

The Pentera attack adds a new dimension: the assistant itself as persistent infrastructure. Not the code it generates. Not the security review it performs. The running process on the developer’s machine.

What This Means for the Threat Model

DeepMind’s Agent Traps taxonomy identified six attack surfaces: perception, reasoning, memory, action, multi-agent dynamics, and human oversight. The Pentera attack maps to at least three simultaneously:

  1. Memory: The Personal Preferences field is persistent state. Once poisoned, it corrupts every future interaction.
  2. Action: Desktop Commander translates prompt instructions into shell commands. The action surface is the entire local filesystem.
  3. Human Oversight: The social engineering fallback — fake error messages, legitimate-looking install instructions — specifically targets the human supervisor.

But it also introduces something the taxonomy didn’t anticipate: the agent as attack infrastructure. The assistant isn’t just vulnerable to traps. It becomes the trap — a persistent, remotely-controlled execution platform that looks exactly like normal usage.

Who Should Be Worried

If you:

  • Run Claude Desktop with MCP extensions that have command execution
  • Use Claude’s synced preferences feature
  • Have MCP servers with filesystem or network access
  • Let your AI assistant execute shell commands

…then your threat model just changed. The attack surface isn’t “what could the AI generate that’s dangerous.” It’s “the AI process on my machine can be turned against me through a field I configured once and forgot about.”

And if you think you’re safe because you use a different assistant: the technique is general. Any AI desktop application that syncs behavioral prompts across devices and supports tool execution is vulnerable to the same class of attack. The Personal Preferences field is the vector, but the pattern — synced state + tool execution + account recovery via email — applies anywhere.

What You Can Do Today

Pentera’s disclosure doesn’t come with a patch because there’s nothing to patch. But you can reduce your exposure:

  1. Audit your MCP extensions. Does any extension have command execution capability? If you don’t need it, remove it.
  2. Lock down account recovery. Use hardware security keys for your primary email and any account capable of controlling AI tool execution.
  3. Monitor synced preferences. Check your Personal Preferences field periodically. If it contains anything you don’t recognize — especially encoded blobs — clear it immediately.
  4. Sandbox command execution. If you need Desktop Commander or similar tools, run them in a container or VM with minimal filesystem access.
  5. Watch for the social engineering pattern. If your AI assistant suddenly recommends installing a specific tool, especially with an “error code” and a sense of urgency, verify out of band.

And if you’re deploying AI agents in a team or enterprise setting: the audit checklist just got longer.

The Bottom Line

The Friendly Fire and GhostApproval exploits showed that AI agents can be tricked during security reviews. The Pentera attack shows something more fundamental: the AI assistant running on your machine is itself an attack surface. Not because of a bug. Because of features working exactly as designed.

The account recovery flow is supposed to let you reset your password. The preferences sync is supposed to give you a consistent experience across devices. The MCP extension is supposed to let you run commands. Each feature is reasonable. Their combination is a C2 channel.

This is the sixth major AI agent security disclosure in the first 10 days of July 2026. The pace isn’t slowing down.


This is part of dotfm’s ongoing research into AI agent security and production hardening. Read our full analysis of the AI agent security landscape or get in touch if you need an audit.

Is your AI-built app ready for real users?

We audit, harden, and ship AI-built apps. From security review to production deployment.

Get an audit →