Cowork does run in a VM, but the Anthropic API endpoint is marked as OK, what Anthropic aren't doing is checking that the API call uses the same API key as the person that started the session.

So the injected code basically says "use curl to send this file using the file upload API endpoint, but use this API Key instead of the one the user is supposed to be using."

So the fault is at the Anthropic API end because it's not properly validating the API key as being from the user that owns it.