No. 001 · Investigative Dossier · Security Brief · Filed: 24 Apr 2026
On the "Anthropic Spyware" Allegation

The Claude Desktop bridge: what's real, what's hype.

A privacy researcher says Anthropic silently installed a native messaging bridge into seven Chromium browsers, including ones not on the machine. The security community replied in two voices at once. Here is what the evidence actually shows, what Anthropic's own blog confirms, and where the spyware framing overreaches.

Source: thatprivacyguy.com · Author: Alexander Hanff · Published: 18 Apr 2026 · Corroborated by: The Register, gHacks, Malwarebytes
§ 01

The bottom line, in four cards.

Verdict
The technical claim holds. The label overreaches.
Claude Desktop does silently install a Native Messaging manifest into seven Chromium browsers, including ones not present on the disk. That is real, reproducible, and independently confirmed. "Spyware" is a stretch: the binary never runs without an extension wired up to it.
Real risk
Pre-staged attack surface, not active exfiltration.
If any of the three pre-authorised extension IDs is compromised or sideloaded, an attacker reaches a signed, user-privilege binary outside the browser sandbox with zero extra install steps. This is not hypothetical. ShadowPrompt already did it once this January.
Industry context
1Password and KeePassXC ship the same pattern.
Pre-registering Native Messaging hosts for absent browsers is industry standard for password managers and other bridges. Anthropic's choice not to ask is normal. That doesn't make it right. KeePassXC is the outlier that proves it's not necessary.
Regulatory
Article 5(3) ePrivacy is in scope. Outcome is not settled.
Writing files onto a user's device without consent is in-scope for Article 5(3). Whether it's a violation turns on the "strictly necessary" carve-out and consent given at extension install time. Expect a DPA complaint if Anthropic doesn't fix this.
§ 02

The artifact itself.

The evidence is a 300-byte JSON file that Chromium browsers consult before allowing an extension to invoke a local binary. Nothing exotic. What's unusual is how it arrived.

com.anthropic.claude_browser_extension.json

~/Library/Application Support/{Browser}/NativeMessagingHosts/

{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
    "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
    "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
    "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}

Three extension IDs are pre-authorised to spawn the helper binary. The middle one is Anthropic's public "Claude in Chrome" extension. The other two are unidentified at time of writing.

Where the file landed

Installed locations on the researcher's test machine

~/Library/Application Support/
├── Google/Chrome/NativeMessagingHosts/                 # installed (Chrome present)
├── BraveSoftware/Brave-Browser/NativeMessagingHosts/   # installed (Brave present)
├── Microsoft Edge/NativeMessagingHosts/                # installed; Edge NOT on disk
├── Arc/User Data/NativeMessagingHosts/                 # installed; Arc NOT on disk
├── Vivaldi/NativeMessagingHosts/                       # installed; Vivaldi NOT on disk
├── Chromium/NativeMessagingHosts/                      # installed; Chromium NOT on disk
└── com.operasoftware.Opera/NativeMessagingHosts/       # installed; Opera NOT on disk

Seven manifests, byte-for-byte identical (MD5 1e927a9e7796d0175a2a1f30028f4baa). Four land in parent directories Claude Desktop had to create because the browser itself is not installed. If any of those browsers is ever installed later, the bridge is already waiting.
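An audit script for the layout above, added here as an example; it is not code from the dossier, from Hanff's post or from Anthropic. It walks an Application Support-style tree (including the nested Google/Chrome and Arc/User Data profile paths that a single-level glob misses), parses every com.anthropic.* manifest, validates the fields Chromium expects (name, description, absolute path, type "stdio", well-formed chrome-extension:// origins), lists the pre-authorised extension IDs, checks whether the helper binary at "path" exists, and applies the dossier's own heuristic for an absent browser: a browser directory that holds nothing but NativeMessagingHosts was created for the manifest, not by a browser. The fixture it builds in a temp directory (Chrome present, Edge and Arc absent, one copy carrying a // annotation like the listing above) is constructed, not captured from a real machine; the three extension IDs are the ones in the manifest above.

```python
from __future__ import annotations

import json
import re
import tempfile
from pathlib import Path

# Chrome extension IDs are 32 letters from a-p; an allowed origin is that ID as a
# chrome-extension:// URL with a trailing slash, exactly as in the manifest above.
ORIGIN_RE = re.compile(r"^chrome-extension://([a-p]{32})/$")
REQUIRED_KEYS = {"name", "description", "path", "type", "allowed_origins"}

# The three IDs from the dossier's manifest listing (middle one is Claude in Chrome).
DOSSIER_IDS = [
    "dihbgbndebgnbjfmelmegjepbnkhlgni",
    "fcoeoabgfenejglbffodgkkbkcdhcgfn",
    "dngcpimnedloihjnnfngkgjoidhnaolf",
]


def parse_manifest(text: str) -> tuple[dict | None, list[str]]:
    """Parse one Native Messaging host manifest into (data, problems).

    Standard JSON has no comment syntax, so an annotated copy such as the
    dossier's listing fails here; audit the files on disk, not the annotated copy.
    """
    try:
        data = json.loads(text)
    except json.JSONDecodeError as exc:
        return None, [f"not valid JSON: {exc.msg} (line {exc.lineno})"]
    if not isinstance(data, dict):
        return None, ["top-level value is not an object"]
    problems: list[str] = []
    missing = REQUIRED_KEYS - set(data)
    if missing:
        problems.append("missing keys: " + ", ".join(sorted(missing)))
    if data.get("type") != "stdio":
        problems.append(f"unsupported type {data.get('type')!r}; hosts must be 'stdio'")
    if not Path(str(data.get("path", ""))).is_absolute():
        problems.append("path must be absolute")
    origins = data.get("allowed_origins")
    if not isinstance(origins, list) or not origins:
        problems.append("allowed_origins must be a non-empty list")
    else:
        problems += [f"malformed origin {o!r}" for o in origins if not ORIGIN_RE.match(str(o))]
    return data, problems


def extension_ids(manifest: dict) -> list[str]:
    """Extension IDs pre-authorised to spawn the host, in manifest order."""
    matches = (ORIGIN_RE.match(str(o)) for o in manifest.get("allowed_origins", []))
    return [m.group(1) for m in matches if m]


def browser_installed(base: Path, manifest: Path) -> bool:
    """Dossier heuristic: if the browser's top-level directory contains no file
    outside NativeMessagingHosts, it was created for the manifest, not by a browser."""
    root = base / manifest.relative_to(base).parts[0]
    return any(
        p.is_file() and "NativeMessagingHosts" not in p.relative_to(root).parts
        for p in root.rglob("*")
    )


def audit(base: Path, vendor_prefix: str = "com.anthropic.") -> dict[str, dict]:
    """Describe every vendor manifest under an Application Support-style tree."""
    findings: dict[str, dict] = {}
    for mf in sorted(base.rglob("NativeMessagingHosts/*.json")):
        if not mf.name.startswith(vendor_prefix):
            continue
        data, problems = parse_manifest(mf.read_text())
        host = data.get("path") if data else None
        findings[str(mf.relative_to(base))] = {
            "browser_installed": browser_installed(base, mf),
            "host_exists": bool(host) and Path(host).exists(),
            "extension_ids": extension_ids(data) if data else [],
            "problems": problems,
        }
    return findings


def build_sample_tree(root: Path) -> Path:
    """Constructed fixture, not a real capture: Chrome present, Edge and Arc absent,
    plus one manifest carrying a // annotation to show strict parsing rejects it."""
    base = root / "Application Support"
    host = root / "Claude.app" / "Contents" / "Helpers" / "chrome-native-host"
    host.parent.mkdir(parents=True)
    host.write_text("#!/bin/sh\nexit 0\n")  # stand-in for the signed helper binary
    manifest = json.dumps({
        "name": "com.anthropic.claude_browser_extension",
        "description": "Claude Browser Extension Native Host",
        "path": str(host),
        "type": "stdio",
        "allowed_origins": [f"chrome-extension://{i}/" for i in DOSSIER_IDS],
    })
    (base / "Google/Chrome/Default").mkdir(parents=True)
    (base / "Google/Chrome/Default/Preferences").write_text("{}")  # marks Chrome as present
    for browser in ("Google/Chrome", "Microsoft Edge", "Arc/User Data"):
        nm = base / browser / "NativeMessagingHosts"
        nm.mkdir(parents=True, exist_ok=True)
        (nm / "com.anthropic.claude_browser_extension.json").write_text(manifest)
    nm = base / "Vivaldi" / "NativeMessagingHosts"
    nm.mkdir(parents=True)
    (nm / "com.anthropic.claude_browser_extension.json").write_text(
        '{"name": "com.anthropic.claude_browser_extension", // annotated copy\n}'
    )
    return base


def run_demo() -> dict[str, dict]:
    """Build the fixture in a fresh temp directory and audit it."""
    return audit(build_sample_tree(Path(tempfile.mkdtemp())))


if __name__ == "__main__":
    for path, f in run_demo().items():
        print(path, f)
```

To run it against a real macOS profile, call audit(Path.home() / "Library/Application Support"); the browser_installed flag reproduces the "installed; NOT on disk" column of the tree above, and a manifest whose host binary is missing or whose allowed_origins contain an ID you did not expect is the finding worth escalating.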

Claude Desktop's own log file admits it

~/Library/Logs/Claude/main.log

2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Chrome
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Brave
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Edge
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Chromium
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Arc
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Vivaldi
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Opera
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Native host installation complete

Internal subsystem name: Chrome Extension MCP. Thirty-one install events across log files. File modification timestamps show each manifest rewritten every launch. Deleting one does not make it stay deleted.

The helper binary is signed with Anthropic PBC's Developer ID certificate, bears an Apple RFC 3161 timestamp, and ships inside a notarised bundle. This is not a test artifact. It is a signed, notarised, shipped capability. — Verified via codesign -dvv output in the post
§ 03

Claim-by-claim validation.

Each claim was checked against primary sources (Anthropic's own docs, GitHub issues, The Register, Malwarebytes, independent reviewers). Confidence ratings are mine.

§ 04

The attack path, if it ever lights up.

At rest, the binary is dormant. These are the four steps from "user opens a web page" to "out-of-sandbox code runs as the user", with what would have to happen at each.

STEP 01 · Entry
Hostile instruction reaches the extension
Prompt injection, extension supply-chain compromise, or XSS on a trusted origin.
STEP 02 · Bridge
Browser invokes the pre-authorised manifest
Chrome reads the manifest, matches the extension ID, spawns the binary.
STEP 03 · Execution
Signed binary runs at user privilege
Code-signed by Anthropic PBC (Q6L2SF6YDW). Outside Chromium's sandbox. Inside your user context.
STEP 04 · Impact
Authenticated session access, DOM read, form filling
Anthropic's own capability list becomes the attacker's capability list.
Step 01 · Hostile instruction reaches the extension

Either (a) the user visits a page containing a prompt injection, (b) an attacker compromises one of the three pre-authorised extension IDs via Chrome Web Store takeover, a forced update, or enterprise policy sideload, or (c) the Arkose-style XSS chain used by ShadowPrompt in January repeats. Any one of these is enough to make the browser extension behave hostilely. Anthropic's own telemetry puts prompt injection success at 23.6% without defences, 11.2% with the mitigations available when Claude for Chrome shipped. Latest (Opus 4.5) numbers are closer to 1%, but ShadowPrompt proved classifier-based defences can be bypassed.
§ 05

The counterpoint, fairly.

The Lobsters thread and Malwarebytes' follow-up raised reasonable objections. These are the strongest ones, with my read on each.

"It's a nothing burger. The file does nothing on its own."

  • Weight: real. The manifest is inert until Chrome invokes it. And Chrome only invokes it when a matching extension calls connectNative(). So on a machine with no Claude browser extension installed, the binary never runs. This is mechanically true.
  • My read: Dormancy narrows the threat but does not remove it. The point of a pre-staged hook is that it collapses the number of install steps an attacker needs from three to one. Two bugs make that matter: (1) the list of "approved" extensions is under Anthropic's control and can change in any future release, and (2) enterprise policy or malicious sideloading can push one of those three IDs without user involvement at all.

"1Password, Adobe, KeePassXC all do this too."

  • Weight: partial. Yes, 1Password absolutely ships NM manifests into Chromium directories including ones for browsers not installed. Adobe and Microsoft have been doing similar registry writes on Windows for years. The pattern is genuinely industry standard.
  • My read: KeePassXC is the counter-example that breaks this defence. It shows a per-browser explicit opt-in dialog the first time you enable browser integration. It proves the UX is possible, not prohibitively expensive, and that users can handle it. The "everyone does it" argument is weaker than it looks when one respected peer in the same category demonstrably does not.

"Consent is given when you install the Chrome extension, which asks for 'Communicate with cooperating native applications'."

  • Weight: partial. Chrome's install flow does surface that permission. A user installing Claude in Chrome has, technically, consented to native messaging for that extension.
  • My read: This argument falls over in two places. First, the Desktop-side manifest is installed before any extension is installed, which is backwards: consent at install time of the extension cannot retroactively authorise file writes that already happened months earlier. Second, the manifest is written into browsers the user does not have and has never consented to anything about. There is no extension install flow to piggyback on for an absent browser.

"There's no mechanism for the browser to install the manifest itself, so the desktop app has to."

  • Weight: true but beside the point. Correct, Chrome does not let the Web Store trigger native host registration. A separate desktop process must write the file.
  • My read: This explains why Anthropic's desktop app has to do the write. It does not explain why the write has to be silent, unscoped, for browsers the user has not installed, and rewritten on every launch. None of those design decisions follow from the mechanical constraint.
§ 06

How this compares across the industry.

Native Messaging is in use across password managers, security tools, note apps, and AI clients. The behaviour varies more than you'd think.

Vendor                                  | Asks before writing? | Writes to absent browsers? | Surfaces the integrations list in-app? | Removal persists?
----------------------------------------|----------------------|----------------------------|----------------------------------------|------------------------
Claude Desktop (Anthropic)              | NO                   | YES · 7 browsers           | NO                                     | NO · rewrites on launch
1Password                               | NO                   | YES                        | PARTIAL                                | NO
KeePassXC                               | YES · per browser    | NO                         | YES · Settings tab                     | YES
Bitwarden                               | TOGGLE IN-APP        | NO                         | YES                                    | YES
Claude Code (same vendor, diff product) | IMPLICIT · CLI flag  | ONLY ON /chrome            | YES · /chrome status                   | PARTIAL

Note the last row: Anthropic's other product, Claude Code, handles this substantially better. It installs the manifest only when the user runs /chrome and explicitly opts in. The pattern exists inside Anthropic already. Desktop just didn't adopt it.

§ 07

Risk assessment for security teams.

If Claude Desktop is in your endpoint fleet or approved software list, this matters. Here is the framing I'd bring to a CISO conversation.

Composite exposure rating

Today (dormant)
Low direct impact. No network traffic, no data read, no capability exercised until a matching extension runs. Endpoint detection will not flag this as an IOC.
With extension installed
Medium. Documented capabilities (session access, DOM read, form fill) are powerful. Real-world prompt injection rate against Claude for Chrome was 23.6% at launch, ~1% with latest Opus 4.5 defences, but ShadowPrompt (Jan 2026) proved classifier-based defences can be fully bypassed by chained web flaws.
On supply-chain compromise
High. An attacker who takes over any of the three pre-authorised extension IDs (Chrome Web Store account compromise, malicious Anthropic build, rogue insider) inherits an already-authorised path to out-of-sandbox code execution on every Claude Desktop install globally.
Regulatory (EU)
Medium-high. Article 5(3) ePrivacy is clearly in scope. Whether it's breached is litigable. A DPA complaint is likely; the penalty exposure for Anthropic is real but probably not existential. The enterprise exposure for customers running Claude Desktop on corporate devices is more nuanced.
Reputational (for Anthropic)
Medium. The "safety-conscious AI lab" brand is the one that takes the hit. The Register, Malwarebytes, gHacks already covered it. As of 24 Apr 2026, no Anthropic public response.
Composite rating: 5.8 out of 10 · MEDIUM · CONFIDENCE: HIGH

If you run a security team: what I'd do this week.

  1. Inventory Claude Desktop installs across your macOS fleet. MDM query on com.anthropic.claudefordesktop.
  2. Check whether any of your users have also installed the Claude in Chrome extension (ID fcoeoabgfenejglbffodgkkbkcdhcgfn). That's the combination that activates the bridge.
  3. Decide policy: block, allow with extension disabled, or allow fully. Most enterprises will land on "allow, extension disabled" until Anthropic ships an affirmative consent flow.
  4. Consider adding ~/Library/Application Support/*/NativeMessagingHosts/com.anthropic.*.json to your EDR monitoring path set. If they get rewritten outside a user-initiated Claude Desktop launch, that's an IOC.
  5. Watch for Anthropic's next Claude Desktop release. If it still writes silently, escalate to your vendor risk process.
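Detection logic for step 4 above, and for the log evidence in § 02, added here as an example; it is not code from the dossier, from Hanff's post or from any EDR product. The idea is to treat Claude Desktop's own main.log as the authority on when it legitimately rewrote the bridges: parse the "Installed native host manifest for ..." lines, cluster them into launches (writes a few seconds apart belong to one app start), then flag any manifest whose modification time does not fall inside a logged launch. A rewrite with no launch behind it is the IOC the step describes. The log lines are constructed to match the format quoted in § 02 (the 21 Mar burst, plus a second burst at the 16 Apr mod time the dossier reports); the manifest mtimes, including the stray Brave one, are constructed too.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta

# One line per manifest write, in the format seen in ~/Library/Logs/Claude/main.log.
INSTALL_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \[\w+\] \[Chrome Extension MCP\] "
    r"Installed native host manifest for (\w+)$"
)

BROWSERS = ("Chrome", "Brave", "Edge", "Chromium", "Arc", "Vivaldi", "Opera")

# Constructed sample log: the seven-line burst quoted in the dossier for 21 Mar,
# plus a second launch on 16 Apr at the manifest mod time the dossier reports.
SAMPLE_LOG = "\n".join(
    f"{day} [info] [Chrome Extension MCP] Installed native host manifest for {b}"
    for day in ("2026-03-21 14:54:40", "2026-04-16 23:42:18")
    for b in BROWSERS
) + "\n2026-04-16 23:42:19 [info] [Chrome Extension MCP] Native host installation complete\n"

# Constructed manifest mtimes (relative to ~/Library/Application Support):
# two match the 16 Apr launch; the Brave one was touched hours later with no launch logged.
SAMPLE_MTIMES = {
    "Google/Chrome/NativeMessagingHosts/com.anthropic.claude_browser_extension.json":
        datetime(2026, 4, 16, 23, 42, 18),
    "Microsoft Edge/NativeMessagingHosts/com.anthropic.claude_browser_extension.json":
        datetime(2026, 4, 16, 23, 42, 18),
    "BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json":
        datetime(2026, 4, 17, 3, 12, 5),
}


def parse_install_events(log_text: str) -> list[tuple[datetime, str]]:
    """Every logged manifest write as (timestamp, browser); other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = INSTALL_RE.match(line.strip())
        if m:
            events.append((datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"), m.group(2)))
    return events


def launch_bursts(events, window: timedelta = timedelta(seconds=5)) -> list[tuple[datetime, datetime]]:
    """Group writes into launches: events within `window` of the previous one belong
    to the same Claude Desktop start. Returns (first, last) timestamp per launch."""
    bursts: list[list[datetime]] = []
    for ts, _browser in sorted(events):
        if bursts and ts - bursts[-1][-1] <= window:
            bursts[-1].append(ts)
        else:
            bursts.append([ts])
    return [(b[0], b[-1]) for b in bursts]


def unexplained_rewrites(mtimes: dict[str, datetime], bursts,
                         tolerance: timedelta = timedelta(seconds=60)) -> list[str]:
    """Manifests whose mtime sits outside every logged launch (plus tolerance for
    clock skew between the log writer and the filesystem): the step-4 IOC."""
    return sorted(
        path for path, mtime in mtimes.items()
        if not any(start - tolerance <= mtime <= end + tolerance for start, end in bursts)
    )


def run_demo() -> dict:
    """Run the detection over the constructed samples."""
    events = parse_install_events(SAMPLE_LOG)
    bursts = launch_bursts(events)
    return {
        "install_events": len(events),
        "launches": [start.isoformat() for start, _ in bursts],
        "unexplained": unexplained_rewrites(SAMPLE_MTIMES, bursts),
    }


if __name__ == "__main__":
    print(run_demo())
```

On a real host, feed parse_install_events the concatenation of main*.log and build the mtimes dict from os.stat on each manifest the § 09 find command returns. The tolerance is deliberately generous; tighten it once you have seen how far the log timestamps and the file mtimes drift apart on your fleet.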
§ 08

Timeline of the whole story.

Aug 2025
Claude for Chrome launches as research preview
Anthropic ships the Chrome extension with 100-user waitlist. Launch blog openly publishes the 23.6% / 11.2% prompt injection success rates. Positioned as safety-aware research rollout.
Dec 20, 2025
First manifest birth time on researcher's machine
Chrome manifest created on test machine. Researcher did not install any Chrome extension or consent to the manifest.
Dec 26, 2025
Koi reports ShadowPrompt to Anthropic
DOM-based XSS in Arkose CAPTCHA + overly permissive origin allowlist. Any website could silently inject prompts into the Claude extension sidebar.
Jan 15, 2026
Anthropic patches extension to v1.0.41
Strict origin check added. Older versions remain vulnerable until Arkose pushes their own fix (Feb 19).
Jan 19, 2026
Six more manifests appear
Simultaneous timestamps across Arc, Brave, Chromium, Edge, Vivaldi, Opera. Four of them in browsers not on the disk. Claude Desktop wrote them.
Jan 23, 2026
GitHub issue #20341 opened
User darkneo29 files a bug: Claude Desktop's native messaging host intercepts Claude Code's Chrome extension connection. Issue confirms the two apps register conflicting manifests. Auto-closed by stale-bot Feb 28 without resolution.
Mar 26, 2026
Koi publishes ShadowPrompt research
Real-world proof that silent browser control via the Claude extension is achievable. Relevant because this is the exact trust path Hanff later warns about.
Apr 16, 2026
Helper binary re-signed. Manifests rewritten.
codesign timestamp on chrome-native-host: 16 Apr 2026 18:39:18. Every manifest's mod time: 16 Apr 2026 23:42:18. This is the most recent ship as of publication.
Apr 18, 2026
Hanff publishes "Anthropic secretly installs spyware"
Full audit report. ePrivacy violation claim. Independent reviewer Noah Kenney (Digital 520) confirms reproducibility for The Register.
Apr 20, 2026
Coverage broadens
The Register, gHacks, Malwarebytes, Let's Data Science all pick it up. Malwarebytes explicitly rejects the "spyware" label but accepts the core technical claim.
Apr 24, 2026 · today
No public Anthropic response
Anthropic has not commented publicly, has not pushed a Claude Desktop update, has not contacted the researcher. Regulatory complaint threatened but not filed.
§ 09

Detection and remediation.

The commands below are for macOS. For Linux, swap the base path to ~/.config.

1. Find every Anthropic NM manifest

DETECTION · MACOS

find ~/Library/Application\ Support -name "com.anthropic.*.json" 2>/dev/null -exec ls -la {} \;

2. Confirm they are Claude Desktop's

PROVENANCE CHECK

for f in ~/Library/Application\ Support/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json ~/Library/Application\ Support/*/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json; do [ -f "$f" ] && echo "=== $f ===" && xattr -p -x com.apple.provenance "$f" 2>/dev/null; done

3. Read Claude Desktop's own install log

ADMIT-BY-LOG

grep -E "Chrome Extension MCP|Native host installation" ~/Library/Logs/Claude/main*.log 2>/dev/null | tail -40

4. Remove all bridges (until reinstall)

REMEDIATION · NOTE: REAPPEARS ON LAUNCH

find ~/Library/Application\ Support -name "com.anthropic.claude_browser_extension.json" -print -delete

5. Quit Claude Desktop completely

PERSISTENCE BREAK

osascript -e 'quit app "Claude"' 2>/dev/null; pkill -f "Claude.app" 2>/dev/null; echo "Claude Desktop terminated. Bridges will not be rewritten until next launch."

6. Verify the Chrome extension is NOT installed

ACTIVATION-GUARD CHECK

find ~/Library/Application\ Support -type d -name "fcoeoabgfenejglbffodgkkbkcdhcgfn" 2>/dev/null

Caveat. Removing the manifest without uninstalling Claude Desktop is cosmetic: Claude Desktop rewrites it on every launch. The durable fixes are: (a) fully uninstall Claude Desktop, (b) point the manifest at a no-op binary, in a file you own set to mode 000 so Claude Desktop can't overwrite it (fragile), or (c) wait for Anthropic to ship a consent flow. Option (c) is the only one that scales.
§ 10

Primary sources.

  1. Alexander Hanff. Anthropic secretly installs spyware when you install Claude Desktop. That Privacy Guy, 18 Apr 2026. thatprivacyguy.com
  2. Thomas Claburn. Claude Desktop changes software permissions without consent. The Register, 20 Apr 2026. Independent verification via Noah Kenney (Digital 520). theregister.com
  3. Pieter Arntz. Researcher claims Claude Desktop installs "spyware" on macOS. Malwarebytes, 22 Apr 2026. Rejects "spyware" label while accepting the core technical finding. malwarebytes.com
  4. gHacks staff. Claude Desktop silently installs browser extension files for browsers not installed. 21 Apr 2026. ghacks.net
  5. Anthropic. Piloting Claude for Chrome. 26 Aug 2025. Source of the 23.6% / 11.2% figures. anthropic.com
  6. Anthropic. Mitigating the risk of prompt injections in browser use. Latest Opus 4.5 figures (approximately 1% attack success). anthropic.com
  7. Koi Research. ShadowPrompt: How any website could have hijacked Claude's Chrome extension. 26 Mar 2026. koi.ai
  8. Anthropic. GitHub issues #20341 and #20887. Internal acknowledgment of the Claude Desktop native messaging host registration. Both auto-closed by stale-bot. github.com
  9. European Parliament and Council. Directive 2002/58/EC (ePrivacy Directive), Article 5(3). eur-lex.europa.eu
  10. Chrome Developers. Native Messaging. developer.chrome.com

Assumptions made in this analysis

  1. Hanff's audit output (MD5 hashes, timestamps, log excerpts) was not fabricated. This is corroborated by The Register's independent reviewer, gHacks, and Anthropic's own GitHub issues documenting the same manifest filename and path.
  2. Anthropic's publicly stated prompt injection figures (23.6% / 11.2% at launch, approximately 1% with Opus 4.5) reflect the system as of their publication dates. Real-world rates may differ, as ShadowPrompt demonstrated.
  3. The "composite rating" in Section 07 is my professional judgment applied to the published evidence, not a formal CVSS or FAIR calculation. Others may weight regulatory exposure higher or lower depending on jurisdiction.
  4. Behaviour described here is macOS-specific. Windows and Linux behaviour has not been independently audited at time of writing.
  5. The article publication date (18 Apr 2026) and the codesign timestamp on the helper binary (16 Apr 2026) imply this behaviour was live in the most recent Claude Desktop release when the article ran. If Anthropic ships a silent fix between now and when you read this, the findings may no longer apply to your install.
Dossier prepared for internal review · 24 Apr 2026 · Signed: Syed Ishaq B. · ishaqzafar.com