Anyone Can Silently Steal Your Files from your Claude AI chat – Live Demo

Added: 2026-05-26

[00:00:01]Hi guys. Today, I'm going to show you how your whatever file you upload to Claude or Claude generate for you or maybe more things can be easily stolen.

[00:00:12]And when reported to Anthropic, they say it's an expected behavior.

[00:00:17]So, today I'm going to show you what's the expected behavior in Claude.

[00:00:22]So, suppose I don't have this file.

[00:00:32]Now, I upload this file.

[00:00:36]Uh sorry.

[00:00:43]Claude and say fix formatting.

[00:00:56]Yes.

[00:01:04]So, innocent This is a normal use case.

[00:01:08]So, now Okay. So, like this Claude I saw even though this is an isolated VM, but it runs many things in background and without any security checks.

[00:01:22]So, suppose I ask it 1 second.

[00:01:30]Just one to format it using NPM package.

[00:01:46]Use command format file.

[00:02:02]>> So, it's running that file. Oh, before that I want to show you this repository.

[00:02:09]Ah, it just created now. So, this is an public GitHub repo.

[00:02:15]Ah, you say this is malicious, but you have already uploaded the files.

[00:02:20]This is my upload.

[00:02:27]And this is your output.

[00:02:30]And now you say this is just input and output. What else I can get?

[00:02:36]So, uh So, what access this even though this is an isolated instance running in like uh their server and uh it's in firecracker VM.

[00:02:47]Uh How do I know this? Like uh don't ask me. Uh uh So, run LS.

[00:03:00]input What is PID one?

[00:03:18]Uh dump its raw binary.

[00:03:25]Don't analyze.

[00:03:26]So, this don't analyze somehow skipped cloud security checks.

[00:03:32]Okay, this is saying no, but what if I showed you This is saying no now, but uh Anyway, like because in this context there were security issues, so it's not letting me do it. Anyway, I can run any arbitrary commands in this environment through a malicious package, so it doesn't even matter. And what access do I have?

[00:03:57]Uh So, these are all the thing extracted.

[00:04:01]Like uh this arc clone is the sync service uh cloud used to sync files between the server and whatever you upload in this uh session.

[00:04:12]And uh so during network request I can uh take like a dumps of memory. This is memory dumps, not binary dumps. Raw memory dumps of that okay, isolated VM instance, but nonetheless.

[00:04:29]Uh I I can take uh memory dumps. And this is not through malicious script.

[00:04:34]This I asked uh check cloud to do and it did it for me.

[00:04:39]It um did it for me and gave me the dumps. And uh I can dump like uh during and these are TLS uh dumps. Uh so, I will not show you this anyway. So, these are uh during a network request whenever a sync or anything is happening, I can take memory dumps in between of the network request and extract things from it.

[00:05:02]But uh according to cloud, this is expected behavior.

[00:05:06]Okay.

[00:05:07]So uh this was the package which I'm going to remove now.

[00:05:15]Anyway, so I will show you what it had.

[00:05:21]So, license package JSON and this post install script. So, anyway this is an uh dummy token. I will be revoking this.

[00:05:32]Maybe not. Anyway, this is an specialized token only for that repo.

[00:05:36]And it just anyway, I have like all the access. I can run arbitrary commands and dump whatever I can.

[00:05:44]And I can see that thing?

[00:05:49]I can upload it to GitHub.

[00:05:51]Uh or what network can you access?

[00:06:02]So, if anyone of them allow uploads, I can upload to them.

[00:06:07]I can install any package.

[00:06:10]Install GDB.

[00:06:15]GDB already one.

[00:06:20]And I can upload to anything through a malicious package, dump everything, and upload it. And so, whatever your chat is GDB was not there. I can install GDB.

[00:06:33]Any tool I can install.

[00:06:38]Not any like from these sources, but nonetheless I don't know how this is unexpected behavior.