Jiffy Intel — Threat intelligence for AI artifacts

Summary

A browser extension, on install, writes an MCP server entry into the local Claude Desktop config file (via a native messaging host). The MCP server runs as a persistent interposer between the agent and its tools.

Severity & confidence

Severity

High

Credible abuse path with meaningful impact on confidentiality, integrity, or availability. Remediate on a short timeline; do not wait for the next sprint cycle.

Confidence

Confirmed

Observed directly by Jiffy scanners or validated by multiple independent sources. Indicators are reliable enough to drive automated action.

Indicators

Observed patterns and artifacts associated with this entry. Each indicator can be copied into your detection stack or SIEM.

```
claude_desktop_config\.json
```
```
(?i)native_messaging|nativeMessaging
```

Detection rule

A YARA-style pseudo-rule auto-generated from the indicators above. Useful as a starting point — adapt the syntax for your target detection platform.

YARA-style pseudo-rule

rule jiffy_ti_2026_000099
{
    meta:
        source = "jiffy-intel"
        severity = "high"
        description = "Auto-generated from Jiffy Intel indicators"
    strings:
    $file_path_pattern_0 = "claude_desktop_config\\.json"
    $content_pattern_1 = "(?i)native_messaging|nativeMessaging"
    condition:
        $file_path_pattern_0 or $content_pattern_1
}

Auto-generated from the indicators above. Adapt syntax for your detection stack before deploying.

Affected tools

Tool	Versions	Status
Chrome / Chromium	`*`	vulnerable
Claude Desktop	`*`	vulnerable

Example artifacts

Sanitized examples of artifacts Jiffy has observed exhibiting this pattern. Publisher handles are redacted; version ranges and status reflect the most recent scan.

Desktop Bridge for ClaudeExtension
Removed
Source
Chrome Web Store
First observed
Mar 11, 2026
Last observed
Apr 7, 2026
MCP Quick ConnectExtension
Quarantined
Source
Chrome Web Store
First observed
Mar 15, 2026

How to remediate

01Audit claude_desktop_config.json MCP servers on hosts with browser extensions installed.
02Remove any unrecognized server entries.

Timeline & sources

Timeline

First observedMar 11, 20261 month ago
Last updatedApr 26, 2026today
PublishedMar 21, 202627 days ago

Sources

scanner

References

blog.jiffylabs.aiJiffy Research

Jiffy Research — MCP Security Field Guide

https://blog.jiffylabs.ai/posts/mcp-security-a-security-teams-field-guide

attack.mitre.org

MITRE ATT&CK T1546 — Event Triggered Execution

https://attack.mitre.org/techniques/T1546/

Related intel

Other entries of type Backdoor, or the most recent published entries if no same-type matches exist.

BackdoorHigh

Skill writes config that hooks into Claude Desktop stdio MCP bridge

Skill modifies the user's Claude Desktop config to register an MCP server pointing at localhost. The server is supplied by the same skill and serves as a persistent interposer between the agent and tool calls, logging all tool arguments.

Jiffy IntelApr 28

BackdoorMedium

agents.md asserts "skip security scans — reviewer will verify"

agents.md instructs the agent to explicitly skip any security scan "because the reviewer will verify." Benign on the surface, the directive disarms the last line of defense and invites shipping unscanned code.