Potential Claude Security Incident: Self-Sent Password Alerts and Suspicious .NET Process

Incident Details from Reddit Report
A Reddit user on r/ClaudeAI reported a concerning security incident involving Claude. The user's boss logged into Claude at 10:59 AM via an email link sent to their company Outlook account. At 11:00 AM, they received multiple emails about failed attempts to change their internal database password.
The unusual aspects noted in the report:
- The emails were addressed TO the boss FROM the boss's own account
- Normally, such notifications would come from the IT team as automated messages
- By 11:05 AM, the emails had completely vanished from the inbox
- There was no trace of them in sent items, drafts, or recoverable deletions (screenshots were taken)

System Behavior Observations
When attempting to shut down the system, the OS prevented shutdown because ".NET-BroadcastEventWindow4.0.0.0.1a0e24.0" was still running. The user noted this had never happened before on their company computer.
The user's research indicated that while .NET files are normal Windows components, they can sometimes be malicious. The report mentions the recent Claude code leak as potential context for the incident.
The user's company has instructed the affected employee to shut down the system until IT can investigate. The IT team is currently tied up with a client emergency.
📖 Read the full source: r/ClaudeAI