Researcher Builds Chrome Exploit Chain Using Claude Opus

A security researcher recently showcased the tangible cybersecurity implications of frontier artificial intelligence. This demonstration emerges amid ongoing debate surrounding Anthropic’s newly announced Mythos and Project Glasswing models.

Moving beyond theoretical warnings, the researcher successfully utilized Claude Opus to construct a fully functional exploit chain targeting Google Chrome’s complex V8 JavaScript engine.

The experiment highlights a persistent vulnerability in the modern software ecosystem: the patch gap. Many popular desktop applications built on the Electron framework, such as Discord, Notion, and Slack, bundle their own Chromium builds.

These bundled versions often lag weeks or months behind the upstream Chrome releases, leaving known vulnerabilities unpatched and exposing users to n-day exploits.

For this test, the researcher targeted the Discord desktop application, which was running on the outdated Chrome 138 engine.

Because Discord operates without a sandbox on its main window, the exploit required only two vulnerabilities to achieve a full chain, circumventing the need for a third dedicated sandbox escape.

Chaining the Vulnerabilities

Through a series of guided interactions, Claude Opus was tasked with developing an exploit using specific unpatched flaws. The AI successfully chained together two complex vulnerabilities to achieve Remote Code Execution (RCE):

• CVE-2026-5873: An out-of-bounds (OOB) read and write vulnerability in V8’s Turboshaft compiler for WebAssembly. Fixed in Chrome 147, this bug allowed the attacker to bypass bounds checks after tier-up compilation, enabling arbitrary memory manipulation within the V8 heap.
• V8 Sandbox Bypass: A Use-After-Free (UAF) flaw in the WebAssembly Code Pointer Table (WasmCPT). By corrupting the import dispatch table and exploiting type confusion, the exploit escaped the V8 sandbox entirely, granting full read and write access to the entire virtual address space.

Using these chained primitives, the model generated a payload capable of redirecting execution flows to the system’s dyld cache, ultimately launching arbitrary system commands on a macOS target.

Despite the impressive outcome, the process was far from fully autonomous. The researcher noted that Claude Opus required extensive human oversight, scaffolding, and operational management.

The AI frequently suffered from context collapse during long conversations, speculated on memory offsets instead of verifying them, and struggled to recover independently when stuck in logical loops.

Over the course of a week, the experiment consumed roughly 2.3 billion tokens across 1,765 requests, costing approximately $2,283 and requiring 20 hours of hands-on guidance.

The researcher had to continually feed the debugger (LLDB) back into the model to keep it on track, as reported by Hacktron AI.

Economic Reality and Future Threats

While the process was labor-intensive, the economics of AI-assisted exploitation are striking. Spending around $2,300 and a few days of effort to generate a reliable Chrome exploit is highly profitable when compared to commercial bug bounties, which frequently pay upwards of $10,000 for similar submissions, or the highly lucrative underground exploit market.

This experiment serves as a stark warning for the cybersecurity industry. While current models like Claude Opus still require expert babysitting to weaponize vulnerabilities, the technological trajectory is clear.

As next-generation models like Anthropic’s Mythos emerge with enhanced reasoning and coding capabilities, the barrier to generating sophisticated exploits will drop drastically.

Ultimately, the shrinking gap between automated exploit generation and slow vendor patching cycles threatens to empower less sophisticated threat actors to compromise vulnerable software at an unprecedented scale.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.