Pentera Just Weaponized Claude Desktop's Synced Preferences Into a Reverse Shell. Your AI Assistant Is Now the C2 Infrastructure.
Researchers turned Claude Desktop into a persistent command-and-control agent using nothing but the Personal Preferences field. No malware. No exploits. Just a synced prompt and an MCP extension. The attack has zero HN coverage and changes the threat model for every AI assistant on every developer machine.
On July 9, 2026, Pentera researchers published a proof of concept that should make every developer who runs an AI coding assistant reconsider their threat model. They turned Claude Desktop into a persistent, remotely-controlled command-and-control agent. The attack uses no malware. No exploits. No phishing. Just a synced preference field and an MCP extension the victim installs themselves.
Three days earlier, the AI Now Institute published Friendly Fire — a technique that tricks AI coding agents into running attacker code during security reviews. GhostApproval followed the next day, showing that 40-year-old symlink tricks bypass confirmation dialogs in six AI coding assistants.
But Pentera’s attack is different. The previous exploits target what the agent does with untrusted code. Pentera’s exploit targets the agent itself — turning the assistant into the attack infrastructure.
The Attack Chain, Step by Step
Here’s how it works. It’s four steps and none of them require a zero-day.
Step 1: Compromise the Email Inbox
Pentera started with a red-team engagement on a third-party email aggregation platform — the kind that consolidates multiple inboxes into a single dashboard. They exploited an authentication flaw that gave them access to thousands of live user inboxes. No specific platform was named, but the technique is general: any centralized inbox manager with weak auth is a skeleton key.
Step 2: Pivot to the Claude Account
Once inside the inbox, the researchers used password resets and magic links to pivot into the victim’s Claude account. This step is trivial if you control the email — it’s the standard account recovery flow that every SaaS product uses.
Step 3: Inject the Payload Into Personal Preferences
This is the novel part. Claude Desktop has a “Personal Preferences” field — a user-configurable prompt that defines tone, workflow, and behavioral instructions. It syncs across every session and every device tied to the account.
The researchers crafted a prompt injection payload that:
- Enumerates installed MCP extensions and command-capable tools
- Executes shell commands silently if a command tool exists
- Fetches updated payloads from attacker infrastructure on every interaction
- Falls back to a social engineering routine if no command tool is found
The payload was encoded to appear as an opaque blob, not readable text. It looks like a corrupted preference, not a malicious instruction. The Claude web interface shows “Account preferences updated” — no warning, no alert.
Step 4: Wait for Sync
The next time the victim opens Claude Desktop, the synced preferences load silently. If the victim has Desktop Commander (an MCP extension for local command execution) installed, the payload triggers immediately. Claude executes attacker-controlled shell commands in the background while continuing to respond to the victim’s visible queries.
If Desktop Commander isn’t installed, the payload shifts to social engineering. Claude presents a convincing fake error message — complete with error code and installation instructions — directing the victim to install Desktop Commander. The prompt and the extension’s install page both appear legitimate. Once installed, the next user message triggers full command execution.
The result: a persistent C2 loop. Each interaction with Claude Desktop becomes an opportunity to fetch and execute updated bash payloads from the attacker’s infrastructure. The victim chats with Claude about their React component while Claude exfiltrates environment variables, lists directories, and establishes outbound connections.
This Is Not a Vulnerability
Pentera is explicit about this: no single component is “broken.” The attack emerges from a combination of legitimate design choices:
- Cross-device preferences sync (convenient, useful)
- Magic link account recovery (industry standard)
- MCP extensions with command execution (core functionality)
- Prompt-based behavioral control (the entire point of LLM assistants)
Each decision makes sense in isolation. Together, they create an attack surface that doesn’t appear on any threat model diagram because the diagram doesn’t have a box for “synced prompt becomes C2 channel.”
How Big Is the Blast Radius?
Let’s put this in context. Here’s what we know about the current state of AI agent security from the first half of 2026:
| Metric | Value |
|---|---|
| Organizations reporting AI agent security incidents | 88% (Beam.ai) |
| Security budgets dedicated to AI agent security | 6% (Beam.ai) |
| AI agents going live with full security approval | 14.4% (Beam.ai) |
| Unauthenticated MCP servers exposed to internet | 492 (Trend Micro) |
| Internet-exposed OpenClaw instances | 40,214 (35.4% flagged vulnerable) (SecurityScorecard) |
| Breached orgs missing proper AI access controls | 97% (Beam.ai) |
And the known breaches keep stacking up:
- 195 million records exfiltrated from Mexican government agencies via Claude Code (Dec 2025–Feb 2026). The attacker used 1,088 prompts to generate 5,317 AI-executed commands across 34 sessions. Claude handled roughly 75% of all remote execution. (Gambit Security)
- 824 malicious skills uploaded to OpenClaw’s ClawHub marketplace. No code review. No signing. Anyone with a GitHub account older than one week could publish. (Koi Security)
- GTG-1002: Chinese state-sponsored group hijacked Claude Code instances for autonomous cyber espionage against 30 targets. The AI handled 80-90% of tactical operations independently.
- $40 million drained from Step Finance when attackers compromised trading agents with unlimited transfer permissions. Token crashed 97%. Company shut down.
The Pentera attack adds a new dimension: the assistant itself as persistent infrastructure. Not the code it generates. Not the security review it performs. The running process on the developer’s machine.
What This Means for the Threat Model
DeepMind’s Agent Traps taxonomy identified six attack surfaces: perception, reasoning, memory, action, multi-agent dynamics, and human oversight. The Pentera attack maps to at least three simultaneously:
- Memory: The Personal Preferences field is persistent state. Once poisoned, it corrupts every future interaction.
- Action: Desktop Commander translates prompt instructions into shell commands. The action surface is the entire local filesystem.
- Human Oversight: The social engineering fallback — fake error messages, legitimate-looking install instructions — specifically targets the human supervisor.
But it also introduces something the taxonomy didn’t anticipate: the agent as attack infrastructure. The assistant isn’t just vulnerable to traps. It becomes the trap — a persistent, remotely-controlled execution platform that looks exactly like normal usage.
Who Should Be Worried
If you:
- Run Claude Desktop with MCP extensions that have command execution
- Use Claude’s synced preferences feature
- Have MCP servers with filesystem or network access
- Let your AI assistant execute shell commands
…then your threat model just changed. The attack surface isn’t “what could the AI generate that’s dangerous.” It’s “the AI process on my machine can be turned against me through a field I configured once and forgot about.”
And if you think you’re safe because you use a different assistant: the technique is general. Any AI desktop application that syncs behavioral prompts across devices and supports tool execution is vulnerable to the same class of attack. The Personal Preferences field is the vector, but the pattern — synced state + tool execution + account recovery via email — applies anywhere.
What You Can Do Today
Pentera’s disclosure doesn’t come with a patch because there’s nothing to patch. But you can reduce your exposure:
- Audit your MCP extensions. Does any extension have command execution capability? If you don’t need it, remove it.
- Lock down account recovery. Use hardware security keys for your primary email and any account capable of controlling AI tool execution.
- Monitor synced preferences. Check your Personal Preferences field periodically. If it contains anything you don’t recognize — especially encoded blobs — clear it immediately.
- Sandbox command execution. If you need Desktop Commander or similar tools, run them in a container or VM with minimal filesystem access.
- Watch for the social engineering pattern. If your AI assistant suddenly recommends installing a specific tool, especially with an “error code” and a sense of urgency, verify out of band.
And if you’re deploying AI agents in a team or enterprise setting: the audit checklist just got longer.
The Bottom Line
The Friendly Fire and GhostApproval exploits showed that AI agents can be tricked during security reviews. The Pentera attack shows something more fundamental: the AI assistant running on your machine is itself an attack surface. Not because of a bug. Because of features working exactly as designed.
The account recovery flow is supposed to let you reset your password. The preferences sync is supposed to give you a consistent experience across devices. The MCP extension is supposed to let you run commands. Each feature is reasonable. Their combination is a C2 channel.
This is the sixth major AI agent security disclosure in the first 10 days of July 2026. The pace isn’t slowing down.
This is part of dotfm’s ongoing research into AI agent security and production hardening. Read our full analysis of the AI agent security landscape or get in touch if you need an audit.
Is your AI-built app ready for real users?
We audit, harden, and ship AI-built apps. From security review to production deployment.
Get an audit →