Claude browser bridge raises privacy alarms

Anthropic’s Claude Desktop application for macOS is facing scrutiny after a cybersecurity researcher reported that the app installs a Native Messaging bridge into multiple Chromium-based browsers without a clear consent prompt, widening concern over how AI desktop agents gain access to local systems and browser sessions.

Privacy researcher Alexander Hanff published his findings on 18 April 2026 after identifying a manifest file named com.anthropic.claudebrowserextension.json on a Mac where he said he had not knowingly authorised such browser integration. Further testing indicated that installing Claude Desktop could place the file into support directories for Google Chrome, Microsoft Edge, Brave, Arc, Vivaldi, Opera and Chromium, including paths linked to browsers that were not yet installed on the device.

The issue centres on Native Messaging, a legitimate Chromium mechanism that allows browser extensions to communicate with local applications. In ordinary use, it helps extensions interact with software outside the browser. The security concern is that such hosts run outside the browser sandbox and inherit the user’s operating-system privileges. When paired with an authorised extension, the bridge can potentially support browser automation actions that go beyond ordinary webpage interaction.


Hanff’s analysis said the manifest points to a helper binary inside the Claude Desktop app bundle, described as chrome-native-host, and pre-authorises three Chrome extension IDs. That means any extension matching those IDs may call the native host through Chromium’s connectNative interface. The researcher argued that this design lowers the barrier for browser automation without adequate user disclosure, especially because the configuration may be recreated when Claude Desktop is launched after manual deletion.

The claim has prompted a wider debate across security forums and developer communities, with some users confirming the presence of the file while others caution against describing the behaviour as “spyware” without evidence of unauthorised data extraction. Security professionals have broadly distinguished between the presence of a powerful bridge and proof of malicious activity. The risk, they say, lies in expanded attack surface, unclear consent, and the possibility that a compromised or overly permissive extension could become a route into browser activity.

Anthropic has been expanding Claude from a chat interface into a broader agentic work platform, including desktop tools, coding assistants and browser-linked workflows. Claude Code documentation describes browser automation through a Chrome extension for tasks such as checking web applications and debugging console errors. The company’s product direction places emphasis on connecting AI systems to files, apps and workflows, making permission design and transparency increasingly central to user trust.

The macOS desktop app under examination is distinct from Claude Code, the command-line coding assistant used by developers. Developer reports filed earlier this year also described conflicts between Claude Desktop and Claude Code because both could register native messaging configurations for overlapping browser-extension IDs. Those complaints focused on functionality problems, such as a browser extension connecting to the desktop app’s host instead of Claude Code’s host, but they also confirm the existence of the same underlying native-host mechanism.

For ordinary users, the most sensitive element is not merely that a file is installed, but that the installation appears to affect other vendors’ browsers without an explicit, separate approval flow. Browser sandboxes are designed to limit damage from malicious or compromised web content. A local helper that can be invoked by a browser extension operates under a different trust model, making clear permissions, revocation controls and visible status indicators important safeguards.

Security experts advise affected macOS users to inspect the Native Messaging Hosts folders inside browser support directories if they want to verify whether the manifest exists. Enterprise administrators are likely to focus on software inventory, endpoint monitoring and browser-extension controls, especially in environments where AI desktop tools are spreading faster than internal security policies can adapt. Managed-device policies can restrict extension installation and native messaging access, reducing the chance that an unapproved bridge becomes active.
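The folder check described above can be scripted. The following is an added example, not code from the article, the researcher or Anthropic: it walks a support directory for any NativeMessagingHosts folder rather than a fixed browser list, and reports each manifest's host binary and pre-authorised extension IDs. It assumes per-user manifests live under ~/Library/Application Support, and the `browser_data_present` flag is a heuristic for "browser has never run", not a definitive test.

```python
import json
import os
import re
from pathlib import Path

# Chromium extension origins have the form chrome-extension://<32 letters a-p>/
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")

def find_host_dirs(root, max_depth=4):
    """Yield each NativeMessagingHosts directory at most max_depth levels below root."""
    base = len(Path(root).parts)
    for dirpath, dirnames, _ in os.walk(root):
        if "NativeMessagingHosts" in dirnames:
            dirnames.remove("NativeMessagingHosts")
            yield Path(dirpath) / "NativeMessagingHosts"
        if len(Path(dirpath).parts) - base + 1 >= max_depth:
            dirnames[:] = []  # stop descending

def audit(root):
    """Return one finding per manifest: host name, binary path, allowed extension IDs."""
    findings = []
    for host_dir in find_host_dirs(root):
        # Heuristic (assumption): a browser that has run leaves other entries beside the folder.
        browser_data = any(p.name != host_dir.name and not p.name.startswith(".")
                           for p in host_dir.parent.iterdir())
        for manifest in host_dir.glob("*.json"):
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                if not isinstance(data, dict):
                    raise ValueError("manifest is not a JSON object")
            except (OSError, ValueError) as exc:
                findings.append({"manifest": str(manifest), "error": str(exc)})
                continue
            origins = data.get("allowed_origins") or []
            findings.append({
                "manifest": str(manifest),
                "name": data.get("name"),
                "host_binary": data.get("path"),
                "host_binary_exists": Path(str(data.get("path", ""))).is_file(),
                "extension_ids": [m.group(1) for o in origins
                                  if isinstance(o, str) and (m := ORIGIN_RE.match(o))],
                "browser_data_present": browser_data,
            })
    return sorted(findings, key=lambda f: f["manifest"])

if __name__ == "__main__":
    for finding in audit(Path.home() / "Library" / "Application Support"):
        print(json.dumps(finding, indent=2))
```

A finding with `browser_data_present` set to false matches the case the researcher described, where a manifest sits in the support path of a browser that is not in use; the listed extension IDs can then be compared against the extensions actually installed or allowed by policy.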



Notice an issue?

Arabian Post strives to deliver the most accurate and reliable information to its readers. If you believe you have identified an error or inconsistency in this article, please don't hesitate to contact our editorial team at editor[at]thearabianpost[dot]com. We are committed to promptly addressing any concerns and ensuring the highest level of journalistic integrity.

