Anthropic Launched a Business AI Tool. Hours Later, a Security Firm Published Its Secret Flaw.
Japan just told its banks they can pull the plug before an AI cyberattack hits. That emergency posture, prompted by a security flaw published hours ago, is the real story behind Anthropic's small business launch this week.
Anthropic launched Claude for Small Business on Tuesday, a package of connectors and ready-to-run workflows that puts an AI agent inside the tools small businesses already use: QuickBooks, PayPal, HubSpot, Canva, DocuSign, Google Workspace, and Microsoft 365. Toggle it on, pick the job, approve before anything sends or pays. The company says the product automates work across finance, operations, sales, marketing, HR, and customer service.
Hours after the launch, security researchers at PromptArmor published details of an unpatched vulnerability in Claude Cowork, the underlying platform powering the product. The flaw allows attackers to steal files from a victim's account by tricking the model into sending them through the Anthropic API, which Claude's code execution environment allowlists as an exception even though most other outbound network traffic is blocked. An attacker hides malicious instructions inside a file the victim uploads. When the victim runs the file through Cowork, the model obeys those hidden instructions and sends the files to an attacker-controlled account. No approval prompt fires.
The technique exploits a gap in how Claude's virtual machine restricts network access. Claude Cowork runs code in a sandbox that blocks outbound connections to most domains, treating them as potentially malicious. The Anthropic API is allowlisted so the model can function normally. PromptArmor's researchers demonstrated the attack using a Microsoft Word file with text hidden in white-on-white font, invisible to the victim. The vulnerability was first documented by researcher Johann Rehberger months ago; Anthropic acknowledged it in Cowork's documentation but has not patched it.
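Because the attack described above depends on text the victim cannot see, one practical pre-upload check is to scan a .docx for runs that are formatted to be invisible. The following is an added example written for this article, not code from PromptArmor, Rehberger or Anthropic; it uses only the Python standard library, inspects word/document.xml for near-white colour, the w:vanish flag and tiny font sizes, and builds its own constructed sample document (with placeholder text, not real injection payloads) so it runs offline.

```python
import io
import zipfile
import xml.etree.ElementTree as ET
# WordprocessingML namespace used by word/document.xml inside a .docx
W = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
NS = {"w": W}
VAL = f"{{{W}}}val"  # namespaced attribute name for w:val

def _near_white(hex_rgb: str) -> bool:
    # Near-white colours (FFFFFF, FEFEFE, ...) are a common way to hide text on a white page
    return (len(hex_rgb) == 6 and all(c in "0123456789abcdefABCDEF" for c in hex_rgb)
            and all(int(hex_rgb[i:i + 2], 16) >= 0xF0 for i in (0, 2, 4)))

def find_hidden_runs(docx_bytes: bytes) -> list:
    # Return text runs a reader would not see: near-white colour, the w:vanish (hidden text)
    # flag, or a font size of 2 half-points or less. Only word/document.xml is scanned.
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        root = ET.fromstring(zf.read("word/document.xml"))
    for run in root.iter(f"{{{W}}}r"):
        rpr = run.find("w:rPr", NS)
        if rpr is None:
            continue
        reasons = []
        color = rpr.find("w:color", NS)
        if color is not None and _near_white(color.get(VAL, "")):
            reasons.append("near-white colour")
        if rpr.find("w:vanish", NS) is not None:
            reasons.append("vanish flag")
        size = rpr.find("w:sz", NS)
        if size is not None and size.get(VAL, "").isdigit() and int(size.get(VAL)) <= 2:
            reasons.append("tiny font size")
        if reasons:
            text = "".join(t.text or "" for t in run.findall("w:t", NS))
            findings.append({"text": text, "reasons": reasons})
    return findings

def build_sample_docx() -> bytes:
    # Constructed sample: minimal archive with only word/document.xml (enough for this scanner)
    document_xml = (
        f'<w:document xmlns:w="{W}"><w:body>'
        '<w:p><w:r><w:t>Q2 invoice summary for review.</w:t></w:r></w:p>'
        '<w:p><w:r><w:rPr><w:color w:val="FFFFFF"/><w:sz w:val="2"/></w:rPr><w:t>[constructed hidden run]</w:t></w:r></w:p>'
        '<w:p><w:r><w:rPr><w:vanish/></w:rPr><w:t>[constructed vanished run]</w:t></w:r></w:p>'
        '</w:body></w:document>'
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()
```

A scanner like this catches only formatting tricks in the main document part; headers, footers, comments and other file types need their own checks, and it does nothing against instructions that are visible but still obeyed by the model.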
Simon Willison, an AI security researcher, said Anthropic's advice that users watch for suspicious actions is unreasonable for non-technical users. "I do not think it is fair to tell regular non-programmer users to watch out for 'suspicious actions that may indicate prompt injection,'" he wrote.
The regulatory response has moved faster than the patch timeline. Japan's Financial Services Agency issued guidance this week allowing financial institutions to proactively suspend their systems when facing AI-driven cyber risks. The policy shift was triggered by concerns about Anthropic's models. In India, Finance Minister Nirmala Sitharaman convened an emergency meeting with top bankers and called the situation a "threat of war," according to The Ken. The government's cybersecurity advisory body issued a high-severity alert to small businesses. Both responses trace to Claude Mythos, a separate Anthropic model that can autonomously discover and exploit software vulnerabilities in hours. That pace has collapsed the window defenders have traditionally relied on to patch systems before attackers weaponize a flaw, which means defenders can no longer take weeks to test patches the way they have in the past.
Anthropic frames Cowork as a productivity tool for the businesses that make up 44% of U.S. GDP and employ nearly half the private-sector workforce, according to its own announcement. The company does not train on customer data by default on Team and Enterprise plans. But the vulnerability disclosure raises questions about whether the product was shipped with appropriate safeguards for its intended audience of non-technical small business owners. Anthropic's own documentation warns that Cowork is a research preview with unique risks due to its agentic nature and internet access, yet the product is being sold as a ready-to-run business tool.
What to watch: whether Anthropic issues a patch that closes the API exfiltration path, or whether regulators move to restrict Cowork's availability while the flaw remains open. Japan's guidance is the first such policy response from a major economy. Others are likely watching how it is implemented.