The New Attack Surface: Computer Use Changes Everything
Claude Code's Computer Use feature launched with app-level permissioning, but security researchers immediately identified the expanded threat model. Before Computer Use, prompt injections could only affect your filesystem. Now, with access to whitelisted applications, a single malicious dependency could trigger actions like "open browser, navigate to exfil endpoint, paste clipboard" without leaving file traces.
This follows the same pattern as the Claude Cowork vulnerability (CVE-2025-59536, CVE-2026-21852) where prompt injections used curl commands to exfiltrate files to attackers' Anthropic accounts. The core architectural problem—prompt injection + API allowlist—remains unsolved.
What Changed in Your Security Posture
Old threat model: Malicious dependency → prompt injection → Claude writes bad code to disk → you review before shipping.
New threat model: Same malicious dependency → same injection → Claude accesses whitelisted apps → executes UI-based exfiltration → no file artifacts to review.
The attack doesn't need full desktop access. It just needs one whitelisted app with network connectivity.
Configure Claude Code for Defense
1. Restrict Computer Use Permissions

When enabling Computer Use, be surgical with app whitelisting:
```bash
# Review current permissions
claude code config get computer_use.apps
# Only whitelist what you need RIGHT NOW
claude code config set computer_use.apps '["terminal", "code"]'
# Use look-only mode for browsers
claude code config set computer_use.browser_mode look_only
```
2. Isolate Sensitive Directories
Never connect Claude Code to folders containing sensitive data. Create a dedicated workspace:
```bash
# Create an isolated workspace
mkdir ~/claude-workspace
cd ~/claude-workspace
# Symlink only the directories that are safe to expose
ln -s ~/projects/my-open-source-app ./src
# Launch Claude Code in this isolated context
claude code --workspace ~/claude-workspace
```
3. Audit Your Dependencies Daily
The LiteLLM supply chain attack (47K downloads in 46 minutes) shows how quickly compromised packages spread. Implement strict dependency controls:
```bash
# Pin everything in requirements.txt with hashes
pip-compile --generate-hashes requirements.in
# Use lockfiles for all package managers
npm ci --only=production
# Scan dependencies before Claude sessions
claude code --pre-scan "npm audit && pip-audit"
```
4. Monitor API Usage and Environment
Set up alerts for unexpected Anthropic API calls:
```bash
# Check your Anthropic API usage
curl -X GET https://api.anthropic.com/v1/usage \
  -H "x-api-key: $ANTHROPIC_API_KEY"
# Rotate API keys weekly
# Store keys in environment variables, NEVER in files
export ANTHROPIC_API_KEY=$(vault read -field=key anthropic/tokens)
```
The Confirmation Loop Problem
Computer Use creates a dangerous confirmation loop: the same model that writes insecure code now "verifies" it through UI testing. Claude can see "the button renders correctly" but cannot detect "this form sends credentials over HTTP."
Solution: Never rely solely on Claude's UI verification. Always run security scans:
```bash
# Run security checks after Claude "verifies" functionality
claude code --execute "npm run security-scan"
claude code --execute "bandit -r ."
claude code --execute "trufflehog filesystem ."
```
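The post's own example of what UI verification misses is a form that posts credentials over HTTP. As an added illustration (not from the original post or from Anthropic's tooling), the static check below parses a page's HTML and flags every form containing a password field whose resolved action is not HTTPS; the sample page and URLs are constructed for the example.

```python
"""Flag HTML forms that would submit a password field over plaintext HTTP.

Added example, not part of the original post. A form that "renders
correctly" in a screenshot can still post credentials to an http://
action, or post relatively from a page that is itself served over http.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class CredentialFormFinder(HTMLParser):
    """Collect (resolved_action, has_password_input) for each <form>."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []        # finished forms
        self._current = None   # form currently being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # An empty or missing action posts back to the page itself.
            action = a.get("action") or ""
            self._current = [urljoin(self.page_url, action), False]
        elif tag == "input" and self._current is not None:
            if (a.get("type") or "text").lower() == "password":
                self._current[1] = True

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(tuple(self._current))
            self._current = None


def insecure_credential_forms(html, page_url):
    """Return resolved action URLs of password forms not submitted over https."""
    parser = CredentialFormFinder(page_url)
    parser.feed(html)
    parser.close()
    return [action for action, has_pw in parser.forms
            if has_pw and urlparse(action).scheme != "https"]


# Constructed sample: an HTTPS login page with one safe credential form,
# one credential form posting to a plaintext host, and a non-credential form.
SAMPLE_HTML = """
<form action="https://auth.example.com/login" method="post">
  <input name="user"><input type="password" name="pw"></form>
<form action="http://legacy.example.com/login" method="post">
  <input name="user"><input type="PASSWORD" name="pw"></form>
<form action="/search"><input name="q"></form>
"""

if __name__ == "__main__":
    for url in insecure_credential_forms(SAMPLE_HTML, "https://www.example.com/login"):
        print("credential form posts over plaintext HTTP:", url)
```

Run it over the HTML Claude just "verified" in the browser; a non-empty result is exactly the class of defect the confirmation loop cannot catch.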
When to Disable Features Entirely
If you're working with:
- Financial data
- PII/PHI
- Authentication secrets
- Proprietary algorithms
Disable Computer Use entirely:
```bash
claude code config set computer_use.enabled false
```
And use read-only mode for file access:
```bash
claude code --read-only --workspace ./safe-directory
```
The Bottom Line
Claude Code's capabilities expanded faster than its security model. Until Anthropic implements proper sandboxing and runtime monitoring, you must assume every prompt injection can become a data exfiltration vector. Configure defensively, audit relentlessly, and never trust the confirmation loop.