Anthropic tops payments, faces flaws

Anthropic entered mid-May with two sharply different data points attached to Claude. Ramp said on May 13 that Anthropic had passed OpenAI in paid business adoption for the first time in its AI Index, with Anthropic used by 34.4% of businesses on Ramp in April and OpenAI at 32.3%. That gain landed as security researchers published fresh disclosures about Claude’s agentic tooling. Mitiga Labs said on May 12 that Claude Code’s local configuration could be altered to redirect Model Context Protocol, or MCP, traffic and intercept OAuth tokens. LayerX said in a separate disclosure that Anthropic’s “Claude in Chrome” extension could be manipulated by another browser extension. Anthropic has also been expanding Claude’s security positioning. (ramp.com) On Feb. 20, the company said Claude Code Security had entered a limited research preview for Enterprise and Team customers, describing the product as a way to scan codebases for vulnerabilities and suggest patches for human review. ### How did Ramp say Anthropic moved ahead of OpenAI? Ramp’s May 13 AI Index update said Anthropic’s adoption rose 3.8 percentage points in April to 34.4% of businesses, while OpenAI’s fell 2.9 percentage points to 32.3%. (mitiga.io) Overall AI adoption among businesses on Ramp rose 0.2 percentage points to 50.6%, according to the report. Ara Kharazian, Ramp’s lead economist, wrote that the result was the first time Anthropic had passed OpenAI in business adoption in the index. (anthropic.com) Ramp describes the AI Index as a monthly measurement of artificial-intelligence adoption among American businesses on its platform. ### What exactly did Mitiga say about Claude Code tokens? Mitiga Labs researcher Idan Cohen said on May 12 that a user-level post-install hook could rewrite MCP endpoints in Claude Code’s configuration file, `~/.claude.json`, and route requests through attacker-controlled infrastructure. (ramp.com) The firm said provider-side logs could still show valid OAuth traffic from a trusted origin. Mitiga said the token could remain useful even after rotation if a malicious hook kept reseeding the MCP configuration. (ramp.com) The report said defenders should watch for changes to Claude Code configuration, MCP server URLs, OAuth refresh behavior and unusual downstream SaaS activity. ### How did the browser-extension disclosure differ? LayerX said on May 7 that a flaw in Anthropic’s “Claude in Chrome” extension allowed another extension, including one with no declared permissions, to hijack Claude’s actions. (mitiga.io) The company said the issue could let an attacker inject instructions, extract information and trigger agentic actions through the victim’s existing permissions. LayerX said it reported the issue to Anthropic and that Anthropic told it a fix would appear in the next version of the extension. LayerX said Anthropic released only a partial fix and that the underlying issue remained exploitable. A separate report describing the affected release said version 1.0.69 was released on April 22 and version 1.0.70 on May 6. ### What is MCP, and why does it keep appearing in these disclosures? (layerxsecurity.com) Mitiga described MCP as the protocol that lets AI coding tools connect to external systems such as Jira, Confluence, GitHub, databases and internal APIs. In its account, the OAuth token tied to that connection is the “actual prize” because it carries the scopes granted during user consent and is stored for reuse across sessions. Anthropic’s own product rollout has leaned into those connected workflows. (layerxsecurity.com) Its Feb. 20 announcement for Claude Code Security said the service was built into Claude Code on the web and aimed at helping teams find and patch software vulnerabilities, while keeping human approval in the loop before fixes are applied. ### What has Anthropic said publicly about security around Claude Code? Anthropic said on Feb. 20 that Claude Code Security was intended to help defenders and that “nothing is applied without human approval.” The company said validated findings appear in a dashboard for review and are assigned severity and confidence ratings. (mitiga.io) Anthropic also said in that announcement that the same capabilities that help defenders could help attackers exploit vulnerabilities. (anthropic.com) The company released the feature as a limited research preview and said it wanted to refine the product with enterprise users and open-source maintainers. ### What should readers watch next? May 2026 is likely to bring two measurable follow-ups: Ramp’s next monthly AI Index update and any further Anthropic changes to Claude in Chrome or Claude Code documentation. (anthropic.com) Ramp publishes the index on its economics pages, and Anthropic’s public release notes and product pages track updates to Claude tools. (ramp.com)