Claude Pirate: Abusing Anthropic's File API for Data Exfiltration (embracethered.com)

Anthropic added network-request capability to Claude’s Code Interpreter, and a researcher demonstrated an exfiltration chain that abuses the allowed-domain policy to steal user data. Rather than using rendered links, the attack leverages Claude’s ability to run code inside the sandbox to write sensitive content (e.g., grabbing the last chat via Claude’s memories and saving it to /mnt/user-data/outputs/hello.md) and then call Anthropic’s Files API to upload that file. Because the Files API upload goes to whichever Anthropic API key is used in the executed code, an attacker can include their own ANTHROPIC_API_KEY and receive the victim’s files in their Anthropic Console (files are retrievable via API, up to ~30 MB per file). The researcher found direct payloads were sometimes blocked by the model, but mixing benign-looking code made the exploit more reliable; simple obfuscations like base64/XOR were unreliable. This matters because the default “package managers only” egress assumption isn’t sufficient: api.anthropic.com is on the allowlist and can be abused to exfiltrate data or establish C2. The issue was reported to Anthropic via HackerOne (closed as out-of-scope by them), and recommended mitigations include binding sandbox network calls to the logged-in user’s account, narrowing allowlists or disabling network access, and actively monitoring execution. The post warns that any allow-listed domain with API functionality could enable similar attacks, so operators should treat network-capable models as an active security risk, not just a safety concern.