Armadin details full sandbox escape in Anthropic's Claude Cowork; Anthropic disputes, silently patches
Researchers at Armadin published an attack chain against Claude Cowork for Windows: manipulating a resume flag passed through CoworkVMService bypasses the per-command unprivileged-user creation to run commands as root, while a second flaw overrides the domain allowlist with a wildcard to strip egress limits and enable data exfiltration. Anthropic argues it isn't a security issue because it requires prior local code execution, yet still shipped a patch — a preview of the accountability gray zone builders enter when agent tools run local VMs on user machines. For anyone shipping sandboxed agents, the lesson is that a resume/replay path and per-request allowlist overrides are exactly where isolation quietly dies.
Source
↳ Follow the thread