Armadin details full sandbox escape in Claude Cowork but Anthropic disputes risk
Security researchers at Armadin Inc. today detailed an attack chain that runs arbitrary commands as root inside the sandbox behind Anthropic PBC’s Claude Cowork, escaping the isolation layer, with a second flaw stripping the network restrictions meant to contain it.
Anthropic, however, does not consider it a security issue. Armadin reported the chain on March 20 and Anthropic responded on March 24 that it did not qualify because pulling it off requires an attacker to already have local code execution on the host machine. Armadin validated the chain against Claude Desktop for Windows version 1.9255.2.0.
Cowork is Anthropic’s product for knowledge workers, automating non-technical tasks and it runs Claude Code inside a sandbox to do so. On Windows, the sandbox is a Hyper-V-isolated Ubuntu virtual machine wrapped in several layers of protection, including signature-gated communication, per-session unprivileged users, a seccomp filter and a proxy that restricts which domains the machine can reach. Armadin set out to quietly execute code inside that virtual machine as root with no egress limits.
The entry point was a Windows service called CoworkVMService, which exposes a named pipe that handles requests to the virtual machine. The service checks the signature of whatever program connects to it and confirms the subject is Anthropic before accepting commands. Armadin could not forge that signature, so it took a different route. The team used a technique called DLL sideloading, a common red-team method that loads attacker-controlled code into a legitimately signed binary, against claude.exe itself.










