ViewDAO
A security research team published findings last week detailing how Anthropic's Claude language model, when run locally on Apple's M-series chips, could be weaponized to bypass Mac system protections through a chain of prompt-injection attacks. The researchers demonstrated a proof-of-concept where Claude was coaxed into executing shell commands that the operating system would normally flag. The exploit doesn't require jailbreaking the Mac itself. Instead, it abuses Claude's reasoning layer to convince the model to generate executable code that interacts with system APIs in ways the researchers say Apple's sandboxing missed.
The core vulnerability hinges on how Claude processes multi-step instructions when deployed locally via Anthropic's SDK. By feeding the model obfuscated requests wrapped in what researchers called "indirect reasoning loops," they were able to get Claude to output Python scripts that, when executed by the user, created a backdoor channel. The M5 chip's performance characteristics actually accelerated the attack surface. Apple's hardware is so efficient at running transformer models that researchers could run multiple Claude instances in parallel, testing variations of injection payloads faster than traditional fuzzing would allow. None of this requires root access or user-level compromise of the system itself. It lives entirely in the application layer.
AnthropMythOS is not Anthropic's official product. Researchers appear to be referring to a set of open-source model variants and fine-tuned weights that circulate in machine learning communities, often with humor-laced naming conventions. The actual Claude models Anthropic ships are more restricted, but the researchers claim they identified similar logical pathways in the baseline versions. Anthropic has not publicly responded to the claims, though a spokesperson indicated the company takes such disclosures seriously and would review the technical details.
What makes this notable isn't the existence of a clever attack. It's the gap between assumption and reality. Most developers assume that running an LLM locally on their personal Mac is safer than cloud inference because "the data stays on your machine." This research suggests that local execution doesn't eliminate prompt-injection risk. It actually creates a new attack surface where the boundary between the model's output and system execution becomes the weak point.
Apple's own security model emphasizes code signing and entitlements, tools designed for traditional binary exploits. An AI model generating code at runtime blurs that trust model. The operating system can't precompute which instructions will be valid because the instructions are generated dynamically by the model based on user input. This is a hard problem to solve without either crippling model performance or restricting what local models can do entirely.
The research shows a broader tension in AI deployment: as models become more powerful and more accessible on consumer hardware, the threat model expands in ways security teams didn't plan for. This isn't a bug in Claude specifically. It's a structural problem with how we're deploying and trusting local LLMs. Developers building applications around these models need to stop assuming local equals safe and start thinking about model outputs as untrusted input, the same way they'd handle user input from a web form.
Source: https://decrypt.co/367925/apple-mac-m5-system-exploited-anthropic-claude-mythos-ai