Claude AI and other systems could be susceptible to concerning command injection attacks.
Cybersecurity researchers have discovered methods to make generative artificial intelligence tools behave inappropriately.
Cybersecurity researchers have managed to trick Anthropic's Claude Computer Use into downloading and executing malware using prompt injection techniques. This feature, released in October 2024, lets the AI model control a computer, and its recent abuses have prompted experts to warn about its vulnerabilities.
Johann Rehberger, one of the researchers, explained how he manipulated Computer Use into fetching malware and communicating with its command and control (C2) infrastructure. Despite the magnitude of the problem, it is important to note that Claude Computer Use is in beta, and its developers have advised isolating the AI from sensitive data because of the risks posed by prompt injection.
Rehberger refers to his exploit as ZombAIs and mentioned that he used the tool to download Sliver, an open-source C2 framework developed by Bishop Fox for penetration testing. Although it is a legitimate tool, it has also been misused by cybercriminals. Through Sliver, attackers can gain persistent access to compromised systems and execute commands.
The expert emphasized that this is not the only way to abuse generative AI tools, and such abuse can take several forms. Rehberger highlighted that it is also possible to make Claude write and compile malware from scratch, showcasing the AI's ability to generate C code.
Additionally, other AI chatbots, such as DeepSeek, have been found vulnerable to prompt injection attacks that can allow attackers to take control of victims' computers. Furthermore, Large Language Models (LLMs) have been shown to generate ANSI escape codes that can be used to take control of system terminals, in attacks known as Terminal DiLLMa.
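As an added defensive example (not from the article and not Rehberger's code), the following Python strips the terminal control sequences that a Terminal DiLLMa-style response depends on before LLM output is written to a terminal, and reports what it removed so the event can be logged. The sample model reply is constructed for the demonstration.

```python
import re
from typing import List, Tuple

# One regex covering the escape-sequence families a terminal will act on.
# Order matters: OSC, DCS-like and CSI come before the generic ESC forms.
_ESCAPE_RE = re.compile(
    r"\x1b\][^\x07\x1b]*(?:\x07|\x1b\\)?"      # OSC ... BEL or ESC \ (hyperlinks, title, clipboard)
    r"|\x1b[P_^X][^\x1b]*(?:\x1b\\)?"          # DCS / APC / PM / SOS ... ESC \
    r"|\x1b\[[0-?]*[ -/]*[@-~]"                # CSI: params, intermediates, final byte
    r"|\x9b[0-?]*[ -/]*[@-~]"                  # 8-bit CSI (C1 0x9B)
    r"|\x1b[ -/]*[0-~]"                        # other ESC sequences (nF, Fp, Fe, Fs)
    r"|[\x80-\x9f]"                            # remaining 8-bit C1 controls
    r"|[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]"       # C0 controls except TAB/LF/CR, plus DEL
)


def _family(seq: str) -> str:
    """Label a matched sequence by family, for logging and alerting."""
    if seq[0] != "\x1b":
        return "CSI" if seq[0] == "\x9b" else "C0/C1"
    second = seq[1:2]
    if second == "]":
        return "OSC"
    if second == "[":
        return "CSI"
    if second in ("P", "_", "^", "X"):
        return "DCS/APC/PM/SOS"
    return "ESC"


def find_sequences(text: str) -> List[Tuple[str, str]]:
    """List (family, raw_sequence) for every control sequence in model output."""
    return [(_family(m.group()), m.group()) for m in _ESCAPE_RE.finditer(text)]


def sanitize_terminal_output(text: str) -> Tuple[str, int]:
    """Strip terminal control sequences from LLM output; return (clean_text, removed_count)."""
    cleaned, removed = _ESCAPE_RE.subn("", text)
    return cleaned, removed


# Constructed sample (not from the article): a model reply carrying an OSC 8
# hyperlink, a clear-screen + cursor-home CSI pair, and a BEL character.
SAMPLE_OUTPUT = (
    "Here is the file: "
    "\x1b]8;;https://example.invalid/payload\x1b\\click\x1b]8;;\x1b\\"
    " \x1b[2J\x1b[H"
    "all good\x07\n"
)
```

A non-zero removed count on a model response is itself a detection signal worth alerting on, since ordinary answers should never contain terminal control sequences.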