← Latest news 
Claude security failures are one architecture flaw across browser code and OT targets experts call confused deputy
Technology
Published on 12 May 2026
Patches lasted less than a day in one case
Four research teams found the same “confused deputy” trust failure spanning Claude in Chrome, Claude Code, OAuth token theft, and even OT/SCADA targeting. In each case, Claude executes with real capabilities but can’t tell an authorized user from an adversary using the same interface. Researchers say isolated patches won’t fix the shared authorization gap—and even token rotation can fail.
- Confused deputy trust failures let agents act on behalf of the wrong principal
- Chrome extension injection and side-panel flows bypass partial patches quickly
- OAuth token theft can persist despite rotation unless malicious hooks are removed
- Current security tools struggle to detect intent across developer tools and local configs
Read the full story at Venture Beat
This summarization was done by Beige for a story published on 
Venture Beat