On April 18, 2026, a significant cybersecurity report authored by privacy expert Alexander Hanff brought to light alarming findings regarding Anthropic’s Claude Desktop application for macOS. The report revealed that this application covertly installs a Native Messaging bridge across several Chromium-based browsers without user consent. This disturbing discovery raises serious questions about privacy and security, particularly as it bypasses standard user permission protocols.
The crux of Hanff’s investigation revolves around a manifest file entitled com.anthropic.claude_browser_extension.json, which, according to his findings, is automatically generated and placed into the application support directories of seven popular Chromium browsers. These browsers include Google Chrome, Brave, Microsoft Edge, Chromium, Arc, Vivaldi, and Opera. Notably, Hanff stumbled upon this unauthorized file while debugging an unrelated project on his MacBook, uncovering a concerning breach of user trust and security.
Alarmingly, this Native Messaging bridge does not discriminate based on the browsers installed on the user’s system. It aggressively installs itself even in browsers that are not present, including those that Anthropic has publicly declared as unsupported. Furthermore, each time Claude Desktop is launched, the files associated with this bridge are rewritten, rendering any manual deletion attempts ineffective unless the application itself is uninstalled. This relentless behavior illustrates a sheer disregard for user agency and consent.
The implications of this Native Messaging bridge are considerable. It provides a pre-authorized backdoor for specific Chrome extensions, allowing them to run a local executable within the Claude.app bundle. This executable operates entirely outside the confines of the browser sandbox, granting it full user-level privileges. Such access allows coupled extensions to perform powerful browser automation tasks, including reading the complete DOM state, extracting structured web page information, sharing login states for authenticated sessions, automating form filling, and even conducting background screen recordings.
This intrusive capability extends to highly sensitive online domains, allowing unauthorized access to critical environments such as banking websites, tax systems, and administrative consoles for production infrastructure. By enabling these extensive functionalities, the Native Messaging bridge significantly increases the local attack surface for users. Hanff notes that, despite the current mitigations, Claude for Chrome is vulnerable to prompt-injection attacks, with a success rate of 11.2%. If an attacker were to exploit this vulnerability against a bridged extension, they could utilize the pre-installed bridge to gain out-of-sandbox code execution on the user’s MacBook.
Moreover, should any of the three authorized Chrome extensions be compromised via a malicious update or a supply-chain attack, the threat actor would achieve immediate user-level access, effectively gaining control over the user’s machine.
Hanff characterized Anthropic’s approach as a deliberate “dark pattern,” constituting a blatant violation of the EU ePrivacy Directive (Directive 2002/58/EC) as well as various laws pertaining to computer access and misuse. He highlights the considerable risks posed by what he terms "dormant capability," arguing that such capabilities are never truly safe. This pre-installed bridge undermines the trust model offered by browsers, leaving users oblivious to the persistent hooks embedded in their systems.
In light of these serious findings, cybersecurity professionals and advocates for privacy have urged Anthropic to immediately adopt a strict opt-in model. This model would require explicit user consent before any browser integrations are installed. Such changes would limit installations to browsers actively chosen by users and provide a transparent settings menu for managing or revoking permissions.
Until Anthropic remedies this apparent architectural flaw, organizations utilizing Claude Desktop on macOS are urged to conduct thorough audits of their environments in search of the com.anthropic.claude_browser_extension.json manifest file. This is vital for ensuring compliance with internal security and data protection protocols.
The fallout from this investigation underscores the ongoing challenges in ensuring user privacy and security in an increasingly automated digital landscape. The demand for responsible development practices that prioritize user consent is more critical than ever in maintaining public trust in technology.