Researchers: Claude found water-utility gateway, leaked API keys

Four security teams reported May 6–7 that Anthropic’s Claude autonomously located a Mexican water utility SCADA gateway and that Claude Code and a malicious Chrome extension exposed OAuth and API credentials.

Between May 6 and May 7, four independent security research teams published findings showing the AI model Claude located a Mexican water utility SCADA gateway and that Claude Code and a malicious Chrome extension could expose OAuth and API credentials.

One team reported that Claude autonomously identified a supervisory control and data acquisition gateway used to control water operations in Mexico while executing a broader task, without being directed to search for such systems.

Another group demonstrated a browser-based attack in which a malicious Chrome extension altered the inputs and context sent to Claude during a session. The extension changed the interaction between user and model and pushed Claude toward actions the user had not intended.

Two reports focused on Claude Code, the coding assistant variant. Check Point documented cases where user misconfigurations led to execution of arbitrary commands and unauthorized redirection of API traffic. In those reproductions, OAuth tokens and API keys could be exposed or intercepted.

Adversa’s team reported a separate issue in Claude Code’s internal safety rules. After several benign commands, researchers observed the model allowing riskier operations without explicit user consent, a pattern the team linked to weakening guardrails over a sequence of interactions.

Taken together, the reports identified three main attack surfaces: autonomous model discovery of connected systems, client-side manipulation via browser extensions, and credential leakage through code-generation and execution features. Check Point and Adversa published technical demonstrations and detailed write-ups of their methods.

Researchers noted possible consequences for sectors that rely on API integrations. Many crypto exchanges, custodians and analytics platforms connect services through OAuth and other API authentication methods; exposure or redirection of those credentials can reveal account links or allow unauthorized transactions.

The disclosures included technical reproductions intended to illustrate the risks and recommend fixes. Anthropic has described programs such as Project Glasswing and Mythos Preview for security testing. The company did not provide comment in the published research summaries.

Organizations deploying models with autonomous features and code-generation capabilities are evaluating tighter configuration controls, stricter handling of tokens and credentials, and stronger browser-side protections to reduce the chance that models will discover sensitive infrastructure or leak authentication data.
