$285 Billion Evaporated. What Actually Is Cowork?
Between February 3rd and 5th, 2026, the software sector lost $285 billion in market value. Thomson Reuters dropped 16%. LegalZoom fell nearly 20%. The trigger wasn't a recession or a regulation. It was a desktop app feature called Claude Cowork — and a set of 11 plugins made of markdown files.
I've spent the last three weeks dissecting what Cowork actually is under the hood. Not the marketing pitch. Not the panic narrative. The architecture.
Here's what I found.
What Claude Cowork Actually Is
Cowork is not a new AI model. It's not a breakthrough in reasoning. It's Claude Code — the terminal-based agentic coding tool — repackaged for non-developers.
Anthropic's official description: "Claude Code for the rest of your work."
It launched on January 12, 2026, as a research preview for Max subscribers ($100-200/month). By January 16, Pro users ($20/month) got access. Team and Enterprise followed on January 23. The whole thing was built in roughly 10 days by the Anthropic team — and here's the part that matters: the entire product was written by Claude Code itself. Boris Cherny, head of Claude Code at Anthropic, confirmed it: "All of the product's code was written by Claude Code."
A tool built by the tool it extends. That's the real story, not the stock market panic.
The Architecture: A VM, Not Magic
Simon Willison reverse-engineered Cowork within days of launch and found what's actually running: a sandboxed Ubuntu virtual machine using Apple's VZVirtualMachine — the Apple Virtualization Framework.
This is not a browser sandbox. Not a Docker container. A full virtual machine.
When you point Cowork at a folder on your Mac, that folder gets mounted into the VM. Claude can read, write, create, edit, and delete files — but only within that mounted directory. Code executes inside the VM, isolated from your actual operating system.
This is the engineering decision that makes Cowork viable and dangerous at the same time. VM isolation means Claude can run real commands (rm -rf included) without touching your system — unless you've mounted the wrong folder.
Sub-Agents: Parallel Execution
Cowork doesn't process tasks sequentially. It uses the same sub-agent coordination system found in Claude Code's agent teams architecture.
Complex requests get broken into subtasks. Multiple agents work in parallel, each owning a workstream. One agent organizes your files while another generates a spreadsheet while a third synthesizes research notes. They coordinate through the same TeammateTool system that powers Claude Code's multi-agent workflows.
This is why tasks can run for 10-30+ minutes autonomously. It's not one model thinking harder — it's multiple agents dividing work.
The Plugins That Crashed Markets
On January 30, Anthropic released 11 open-source plugins. Five days later, $285 billion evaporated from software stocks.
Here's the complete list:
- Productivity — Slack, Notion, Asana, Linear, Jira, Monday, ClickUp, Microsoft 365
- Enterprise Search — Cross-tool document search
- Plugin Create — Build new plugins from scratch
- Sales — Prospect research, deal prep
- Finance — Financial models, metric tracking
- Legal — Contract review, NDA triage, compliance
- Marketing — Content drafting, campaign planning
- Customer Support — Ticket triage, severity assignment
- Data Analyst — Snowflake, BigQuery queries and visualization
- Product — Product documentation
- Research — Research workflows
The market trigger was specifically the Legal plugin. Reports surfaced that it could automate "90% of standard NDA and compliance triage." Thomson Reuters — whose legal software division is worth billions — dropped 16% in two days. I covered the full market fallout in my SaaSpocalypse analysis.
But here's what nobody in the financial press reported: these plugins are just markdown files. No compiled code. No complex infrastructure. No build steps.
A plugin is a folder with a manifest file, an MCP connection config, slash commands (invoked explicitly), and skills (domain knowledge that auto-activates). The "skills" are literally .md files describing how an expert in that domain works.
The enterprise plugins that triggered a $285 billion selloff are text files in a Git repository.
The Security Reality
I won't sugarcoat this. Cowork has real security issues that Anthropic has acknowledged but not fully resolved.
The 11GB Deletion. User James McAulay was testing file organization. Cowork asked permission to reorganize, he granted it, and it executed rm -rf — permanently deleting roughly 11GB of files. Not to the recycle bin. Gone. Claude Code itself confirmed recovery was impossible. The files were non-critical, but the incident went viral for good reason: Cowork asked, the user said yes, and the result was irreversible.
Weekly insights on AI Architecture. No spam.
Prompt Injection. Security firm PromptArmor found that a vulnerability originally discovered in Claude Code (October 2025) carried over to Cowork. Malicious instructions hidden in web pages, images, or documents can hijack Claude's behavior. Simon Willison calls this the "Lethal Trifecta": access to private data, exposure to untrusted content, and the ability to communicate externally.
File Theft. PromptArmor demonstrated they could trick Claude into uploading sensitive files to an attacker's Anthropic account. The disclosure went public after Anthropic acknowledged the vulnerability but didn't fix it.
Anthropic's own safety documentation states: "The chances of an attack are still non-zero" and advises users to "monitor Claude for suspicious actions that may indicate prompt injection." Security researchers have called this guidance unrealistic for non-technical users — which is exactly who Cowork targets.
What's Missing
Cowork is a research preview, and the limitations show:
- macOS only. No Windows, no web, no mobile. Windows is "coming" with no timeline.
- No Projects support. You can't use Cowork within Claude Projects.
- No memory across sessions. Every session starts from zero.
- No session sharing. You can't share Cowork results.
- No audit logs. Not captured in Compliance API or Data Exports.
- Desktop app must stay open. Close the lid, lose the task.
Anthropic's own warning: "Do not use for regulated workloads."
The Token Tax
Cowork tasks eat tokens significantly faster than regular Claude chat. A single session organizing a 500-file folder consumed the equivalent of 40+ regular chat messages.
| Plan | Monthly Cost | Cowork Access |
|---|---|---|
| Free | $0 | No |
| Pro | $20 | Yes (limited) |
| Max 5x | $100 | ~225 messages/5h |
| Max 20x | $200 | ~900 messages/5h |
| Team | $125/seat | 5x standard |
Usage resets every 5 hours, not daily. Pro users hit caps fast. The real cost of Cowork isn't the subscription — it's the token consumption.
The Engineering Take
Most coverage of Cowork is either "this will replace all knowledge workers" or "this is overhyped garbage." Both miss the actual engineering story.
Bottom-up development. Anthropic built Claude Code first — a developer tool. Proved it works in production. Then abstracted it for non-developers. This is the opposite of every failed "AI assistant" that started with a slick UI and had no agentic backbone. I've written about why this bottom-up approach matters for agentic systems.
Recursive construction. Claude Code built Cowork. The tool built the tool. In 10 days. The development velocity implication is what should concern enterprise software companies — not the current capabilities, but the iteration speed.
Plugins are the real product. The VM, the sub-agents, the sandbox — that's all infrastructure. The insight is that enterprise workflows can be encoded as markdown files. Skills + MCP connectors + slash commands. No complex software required. That's what crashed the market: not the tech itself, but the realization that packaging enterprise knowledge as text files makes it absurdly replicable.
Prompt injection is unsolved. Anthropic is more honest about this than competitors. The 11GB deletion and PromptArmor file theft demo are real. Anyone deploying Cowork for sensitive work should understand that the security model depends on user vigilance — which is the weakest possible defense.
"Vibe Working"
Scott White, Anthropic's head of product for enterprise, coined the term on CNBC: "I think that we are now transitioning almost into vibe working."
The concept: vibe coding let developers describe intent and let AI write code. Vibe working extends that to everyone — describe the outcome, let agents execute. Finance, legal, research, analysis.
Microsoft immediately adopted the term for their own Copilot Agent Mode. Whether the term sticks is irrelevant. The pattern — intent-based delegation to AI agents — is here.
The Verdict
Cowork is real engineering wrapped in research-preview limitations. The VM architecture is solid. The sub-agent system works. The plugin framework is elegant in its simplicity.
But it's macOS-only, has no memory, no audit trail, known security vulnerabilities, and burns through tokens faster than you'd expect.
For developers already using Claude Code, Cowork is interesting but not essential — you already have the more powerful version. For non-technical knowledge workers, it's a genuine preview of what's coming, with genuine risks attached.
The $285 billion market reaction wasn't about what Cowork does today. It was about what the architecture implies for tomorrow.