The Intake
The Intake — Wednesday, May 13, 2026
On the substrate
Chrome extension flaw lets any installed plugin hijack Claude agent sessions
LayerX Security SecurityWeek CyberScoop
Aviad Gispan, senior researcher at LayerX Security, identified a cross-extension message injection flaw in the Claude Chrome extension. Gispan published the findings on May 8. The flaw allows any Chrome extension to invoke commands on the Claude extension without origin verification. No permissions beyond standard installation are required.
LayerX demonstrated the flaw's scope across three actions. The first was exfiltrating files from Google Drive. The second was sending email on behalf of the authenticated user. The third was extracting private source code from a connected GitHub repository.
Gispan reported the flaw to Anthropic on April 27. Anthropic characterized the report as a duplicate of a vulnerability already being addressed in a future update. A partial fix followed on May 6. The fix introduced new approval flows for privileged actions.
Gispan subsequently demonstrated that the May 6 fix is bypassable. Switching to privileged mode without user notification still allows prompt injection. The approval flows introduced by the partial fix do not block that path.
No CVE number has been assigned as of May 13. The cross-extension messaging surface is a Chrome platform-level behavior. Closing it fully requires either a Chrome-side change to the extension messaging model or Anthropic restricting message acceptance to a named list of trusted extension IDs.
---
For operators
Anthropic's Claude Platform reaches general availability on AWS; data processed outside AWS security boundary
AWS What's New Anthropic The New Stack
Anthropic's Claude Platform reached general availability on AWS in May 2026. AWS describes itself as "the first cloud provider to offer access to the native Claude Platform experience." The service consolidates Claude Platform APIs, console access, and early-access beta features under an existing AWS account. Billing runs through AWS with CloudTrail audit logging.
The AWS announcement states directly: "Claude Platform on AWS is operated by Anthropic, and customer data is processed outside the AWS security boundary." The announcement specifies the service is designed for teams "that do not have specific regional data residency requirements." The service is available in 17 regions across the US, Canada, South America, Europe, and Asia Pacific.
The key distinction for operators is between this product and Claude on Amazon Bedrock. Bedrock is a native AWS service where data stays within the AWS security boundary under Amazon's terms. Claude Platform on AWS is Anthropic's stack, with Anthropic as the data processor. The terms are Anthropic's, not Amazon's.
Operators should confirm which product they are running and under which data processing agreement. Operators running Claude for HIPAA or FedRAMP-constrained workloads should confirm that distinction now. AWS's own announcement makes this explicit; operators who assumed Bedrock's compliance coverage extends to Claude Platform on AWS are running under a different data processing agreement.