Anthropic silently installed a spyware bridge on my machine
I was working on a personal project, debugging a Native Messaging helper I had written for it. In the process I needed to check what Brave Browser had registered on my laptop. What I found was a file I had never put there. It was not mine. I had not installed it. I had not authorised it. I had not even been told about it.
It was from Anthropic.
The file sits at this path on my MacBook:
~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
And its contents are this:
{
  "name": "com.anthropic.claude_browser_extension",
  "description": "Claude Browser Extension Native Host",
  "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
  "type": "stdio",
  "allowed_origins": [
    "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
    "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
    "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"
  ]
}
For the non-technical reader, this is a Native Messaging manifest [1]. It is the document a Chromium-based browser consults when a browser extension wants to call an executable on the local machine. Native Messaging hosts run outside the browser sandbox, at the same privilege level as the user [1]. If a browser extension with one of the three IDs listed above reaches my Brave install, Brave is pre-authorised to spawn the binary at /Applications/Claude.app/Contents/Helpers/chrome-native-host on my laptop with my access permissions.
I did not install any Anthropic browser extension. I have never installed a Claude browser extension due to privacy and security concerns. I did install Claude Desktop, the Mac app, a while back. That is the only thing on this machine which could have written the file. Claude Desktop reached into Brave, a browser from a completely separate vendor, and registered a back door for a browser extension I do not have.
One clarification before I continue, because the Anthropic ecosystem has two products whose names blur together. This article is about Claude Desktop, the Electron-based macOS application with bundle identifier com.anthropic.claudefordesktop, distributed as Claude.app. It is not about Claude Code, Anthropic's command line developer tool. Claude Code has its own, separately documented [2], Native Messaging bridge with the filename com.anthropic.claude_code_browser_extension.json. The bridge this article is about is installed under a different filename, com.anthropic.claude_browser_extension.json, by a different product, under a different internal subsystem, and is entirely undocumented by Anthropic. The two bridges coexist. This article concerns the undocumented one.
I want to be blunt. This is a dark pattern. It is also, in my professional opinion, a direct breach of Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive) [3] as well as a multitude of computer access and misuse laws (usually criminal law), on a scale large enough to matter, in a vendor which has spent considerable effort on being perceived as the safety conscious AI lab.
What the bridge does when it is woken up
At rest, the bridge does nothing. The binary does not run until a browser extension with one of the three listed IDs calls it. So on my machine, right now, nothing is happening. That is the one argument Anthropic will try to hide behind. Let me cut through it in advance.
When the paired extension is present and the bridge is activated, it exposes browser automation capabilities to whatever agentic process Claude is running. Anthropic describe those capabilities in their own public documentation [2]. In their own words:
"Claude opens new tabs for browser tasks and shares your browser's login state, so it can access any site you're already signed into."
"Live debugging: read console errors and DOM state directly, then fix the code that caused them."
"Data extraction: pull structured information from web pages and save it locally."
"Task automation: automate repetitive browser tasks like data entry, form filling, or multi-site workflows."
"Session recording: record browser interactions as GIFs to document or share what happened."
That is explicit authenticated session access, DOM state read, form filling, and screen capture, described by Anthropic on their own documentation site. If I have my bank open in a tab, the bridge's documented capabilities include reading it as me. If I have Tax, or my Health portal, or a client's Slack, or an admin console to production infrastructure, the documented capabilities include acting as me there.
The bridge runs outside the browser's sandbox at user privilege level [1], and Native Messaging hosts do not surface in any standard macOS process or permission UI; they are invoked by the browser and communicate over stdio.
This is the capability that Anthropic pre-stages on my laptop the moment I install their desktop application. Without telling me. Without asking me. Without offering me the chance to say no.
Claude for Chrome itself, incidentally, is still branded "beta" as of April 2026, having launched as a research preview in August 2025 and rolled out more broadly through late 2025 [4]. Anthropic's own launch announcement openly acknowledges that prompt injection is a central safety challenge, stating a 23.6% attack success rate when targeted by malicious actors before any mitigations, and 11.2% with their current defences [4]. The feature silently pre-installed on the laptop of every user who has ever run Claude.app is, by Anthropic's own measurements, compromisable by a prompt injection roughly one time in four.
Full audit report
Here is the audit I ran on a second machine where I reproduced the finding.
1. Locate every Anthropic Native Messaging manifest on the machine
$ find ~/Library/Application\ Support -name "com.anthropic.claude_browser_extension*"
~/Library/Application Support/Arc/User Data/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
~/Library/Application Support/Chromium/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
~/Library/Application Support/Google/Chrome/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
~/Library/Application Support/Microsoft Edge/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
~/Library/Application Support/Vivaldi/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
~/Library/Application Support/com.operasoftware.Opera/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
Seven files, one per Chromium-based browser path.
2. Confirm every manifest is identical
$ md5 -q ~/Library/Application\ Support/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json \
~/Library/Application\ Support/*/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
1e927a9e7796d0175a2a1f30028f4baa
1e927a9e7796d0175a2a1f30028f4baa
1e927a9e7796d0175a2a1f30028f4baa
1e927a9e7796d0175a2a1f30028f4baa
1e927a9e7796d0175a2a1f30028f4baa
1e927a9e7796d0175a2a1f30028f4baa
1e927a9e7796d0175a2a1f30028f4baa
Every file has the same MD5 hash. The seven manifests are byte for byte identical.
3. List browsers actually installed on the machine
$ ls /Applications/ | grep -iE "chrome|brave|safari|edge|opera|vivaldi|arc|chromium|firefox|tor"
Brave Browser.app
Google Chrome.app
Safari.app
Tor Browser.app
The Chromium-or-adjacent browsers present in /Applications on this machine are Brave, Chrome, Safari, and Tor. Of the seven browsers where the manifest was installed, four (Edge, Chromium, Arc, Vivaldi, Opera, minus Brave and Chrome) are not present on the machine.
4. Inspect when the Native Messaging directories were created, and when the manifests were last modified
$ stat -f "birth:%SB mod:%Sm %N" ~/Library/Application\ Support/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json \
~/Library/Application\ Support/*/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
birth:Jan 19 08:19:15 2026 mod:Apr 16 23:42:19 2026 .../Arc/User Data/NativeMessagingHosts/...
birth:Jan 19 08:19:15 2026 mod:Apr 16 23:42:19 2026 .../BraveSoftware/Brave-Browser/NativeMessagingHosts/...
birth:Jan 19 08:19:15 2026 mod:Apr 16 23:42:19 2026 .../Chromium/NativeMessagingHosts/...
birth:Dec 20 04:18:42 2025 mod:Apr 16 23:42:18 2026 .../Google/Chrome/NativeMessagingHosts/...
birth:Jan 19 08:19:15 2026 mod:Apr 16 23:42:19 2026 .../Microsoft Edge/NativeMessagingHosts/...
birth:Jan 19 08:19:15 2026 mod:Apr 16 23:42:19 2026 .../Vivaldi/NativeMessagingHosts/...
birth:Jan 19 08:19:15 2026 mod:Apr 16 23:42:19 2026 .../com.operasoftware.Opera/NativeMessagingHosts/...
Birth times (file creation): the Chrome manifest was first created on 20 December 2025. The other six manifests share an identical birth time of 19 January 2026 at 08:19:15.
Modification times: every manifest was last rewritten at 16 April 2026 at 23:42:18 or 23:42:19.
Birth times differ from modification times by months, which means these files have been rewritten after creation, not just created once.
5. Read Claude Desktop's own log
Claude Desktop keeps its own log at ~/Library/Logs/Claude/main.log. It openly records the install under the internal subsystem name Chrome Extension MCP:
$ grep -E "Chrome Extension MCP|App is installed" ~/Library/Logs/Claude/main.log
2026-03-21 14:54:39 [info] App is installed, enabling initial check and auto-updates
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Chrome at /Users/alexanderhanff/Library/Application Support/Google/Chrome/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Brave at /Users/alexanderhanff/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Edge at /Users/alexanderhanff/Library/Application Support/Microsoft Edge/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Chromium at /Users/alexanderhanff/Library/Application Support/Chromium/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Arc at /Users/alexanderhanff/Library/Application Support/Arc/User Data/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Vivaldi at /Users/alexanderhanff/Library/Application Support/Vivaldi/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Installed native host manifest for Opera at /Users/alexanderhanff/Library/Application Support/com.operasoftware.Opera/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
2026-03-21 14:54:40 [info] [Chrome Extension MCP] Native host installation complete
Counting all install events in Claude Desktop's logs:
$ grep -c "Native host installation complete" ~/Library/Logs/Claude/main.log ~/Library/Logs/Claude/main1.log
~/Library/Logs/Claude/main.log:7
~/Library/Logs/Claude/main1.log:24
Thirty-one install events. Each one is Claude Desktop recording, in its own log, under the internal subsystem name Chrome Extension MCP, that it installed the native host manifest for seven named browsers. The operation is recorded as complete.
6. Inspect the code signature of the helper binary
$ codesign -dvv /Applications/Claude.app/Contents/Helpers/chrome-native-host
Executable=/Applications/Claude.app/Contents/Helpers/chrome-native-host
Identifier=chrome-native-host
Format=Mach-O universal (x86_64 arm64)
CodeDirectory v=20500 size=2334 flags=0x10000(runtime) hashes=62+7 location=embedded
Signature size=9046
Authority=Developer ID Application: Anthropic PBC (Q6L2SF6YDW)
Authority=Developer ID Certification Authority
Authority=Apple Root CA
Timestamp=16 Apr 2026 at 18:39:18
TeamIdentifier=Q6L2SF6YDW
Runtime Version=26.1.0
The helper binary is a universal Mach-O executable. It is code signed with Anthropic PBC's Developer ID Application certificate (team identifier Q6L2SF6YDW). The signature carries an RFC 3161 secure timestamp of 16 April 2026 at 18:39:18, from Apple's timestamp authority.
7. Inspect the notarisation status of the enclosing bundle
$ stapler validate /Applications/Claude.app
Processing: /Applications/Claude.app
The validate action worked!
$ stapler validate /Applications/Claude.app/Contents/Helpers/chrome-native-host
Processing: /Applications/Claude.app/Contents/Helpers/chrome-native-host
chrome-native-host does not have a ticket stapled to it.
The bundle Claude.app has a stapled Apple notarisation ticket. The helper binary inside the bundle does not have its own stapled ticket; it is covered by the notarisation of the enclosing bundle.
8. Check the macOS provenance metadata on the manifest files
Modern macOS tracks, via the extended attribute com.apple.provenance, which application wrote a given file. The attribute is controlled by the operating system and cannot be forged by the writing application.
$ xattr -p -x com.apple.provenance ~/Library/Application\ Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
01 02 00 35 B5 F7 46 B2 6C 42 87
$ xattr -p -x com.apple.provenance ~/Library/Application\ Support/Microsoft\ Edge/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
01 02 00 35 B5 F7 46 B2 6C 42 87
$ xattr -p -x com.apple.provenance ~/Library/Logs/Claude/main.log
01 02 00 35 B5 F7 46 B2 6C 42 87
The provenance signature is byte for byte identical across the Brave manifest, the Edge manifest, and Claude Desktop's own log file. The application that wrote the log is Claude Desktop. The same application wrote the manifests.
9. Check Anthropic's own public position on the browsers they targeted
Anthropic's public Claude Code documentation [2] states:
"Chrome integration is in beta and currently works with Google Chrome and Microsoft Edge. It is not yet supported on Brave, Arc, or other Chromium-based browsers."
The install is into Brave, Arc, Chromium, Vivaldi, and Opera, in addition to Chrome and Edge.
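Steps 1 to 3 above, generalised into one pass, as an added example that is not part of the original article or any Anthropic code: it reads every user-level Native Messaging manifest under an Application Support directory and checks whether any pre-authorised extension ID is actually installed in that browser. The function names, the `<profile>/Extensions/<id>` lookup, the "otherwise empty" heuristic and the sample tree are this example's assumptions.

```python
import json
import tempfile
from pathlib import Path

PREFIX = "chrome-extension://"
GLOBS = ("*/NativeMessagingHosts/*.json", "*/*/NativeMessagingHosts/*.json")

def installed_extension_ids(user_data_dir):
    """IDs found as <user data>/<profile>/Extensions/<id>/ in any profile.
    Unpacked or policy-loaded extensions kept elsewhere are not seen."""
    return {p.name for p in user_data_dir.glob("*/Extensions/*") if p.is_dir()}

def audit_native_hosts(app_support):
    """Return one record per user-level Native Messaging manifest."""
    app_support = Path(app_support)
    # Same two directory depths as the md5 and stat globs in the audit steps.
    manifests = {m for pattern in GLOBS for m in app_support.glob(pattern)}
    findings = []
    for manifest in sorted(manifests):
        user_data = manifest.parent.parent
        record = {"browser_dir": user_data.relative_to(app_support).as_posix(),
                  "manifest": manifest.name}
        findings.append(record)
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            record["error"] = str(exc)  # unreadable or malformed: report, keep going
            continue
        allowed = {o[len(PREFIX):].strip("/")
                   for o in (data.get("allowed_origins") or [])
                   if isinstance(o, str) and o.startswith(PREFIX)}
        paired = allowed & installed_extension_ids(user_data)
        others = [p for p in user_data.iterdir() if p.name != manifest.parent.name]
        record.update({
            "host": data.get("name"),
            "host_path": data.get("path"),
            "host_binary_present": Path(str(data.get("path", ""))).is_file(),
            "allowed_ids": sorted(allowed),
            "paired_extensions_installed": sorted(paired),
            # No allowed caller exists in this browser: the host is
            # pre-authorised for an extension that was never installed here.
            "preauthorised_without_extension": not paired,
            # Heuristic: a user-data directory holding nothing but the hosts
            # directory suggests the browser itself has never run.
            "browser_dir_otherwise_empty": not others,
        })
    return findings

def build_sample_tree(root):
    """Constructed sample layout (not real data) using the manifest shown above."""
    manifest = {
        "name": "com.anthropic.claude_browser_extension",
        "path": "/Applications/Claude.app/Contents/Helpers/chrome-native-host",
        "type": "stdio",
        "allowed_origins": [
            "chrome-extension://dihbgbndebgnbjfmelmegjepbnkhlgni/",
            "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/",
            "chrome-extension://dngcpimnedloihjnnfngkgjoidhnaolf/"],
    }
    layout = {  # user-data dir -> extension IDs placed in its Default profile
        "Google/Chrome": ["fcoeoabgfenejglbffodgkkbkcdhcgfn"],
        "BraveSoftware/Brave-Browser": ["a" * 32],  # made-up unrelated extension
        "Microsoft Edge": [],  # only the hosts directory exists
    }
    for rel, ext_ids in layout.items():
        hosts = Path(root, rel, "NativeMessagingHosts")
        hosts.mkdir(parents=True)
        (hosts / (manifest["name"] + ".json")).write_text(json.dumps(manifest))
        for ext in ext_ids:
            Path(root, rel, "Default", "Extensions", ext, "1.0_0").mkdir(parents=True)
    return Path(root)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for row in audit_native_hosts(build_sample_tree(tmp)):
            print(row["browser_dir"], row["paired_extensions_installed"],
                  row["preauthorised_without_extension"],
                  row["browser_dir_otherwise_empty"])
```

On a real Mac the same function can be pointed at `Path.home() / "Library/Application Support"`; it only reads files and reports on every vendor's manifests, not just this one.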
Dark patterns
1. Forced bundling across trust boundaries. I installed Claude Desktop. I did not install anything into Brave. But Claude Desktop, an Anthropic application, reached across the trust boundary between two independent vendors, and wrote configuration into Brave's application directory. The principle that an application does not silently modify another application is so obvious it rarely gets stated. Anthropic broke it in silence.
2. Invisible default, no opt-in. I was not asked, during Claude Desktop's install, first launch, or normal use, "Would you like Claude to register a browser integration bridge in Brave? Allow, or Deny." I saw no checkbox, no consent screen, and no post install settings pane listing integrations Claude Desktop had registered. The install happened, and the file appeared.
3. More difficult to remove than install. Adding the manifest took zero clicks on my part. Discovering the manifest required me to know that Chrome Native Messaging hosts exist, know where they live on macOS, know that ~/Library/Application Support has been hidden from Finder by default since 2011, and open a terminal. Removing the manifest is not sufficient: Claude Desktop's own log, on a second machine where I reproduced the finding, shows thirty-one separate install events across its log files, and the file modification timestamps on every manifest record their last rewrite on 16 April 2026 at 23:42:19, months after their initial creation. Claude Desktop rewrites the manifests on every launch. Deleting the file without removing Claude Desktop results in the file reappearing the next time Claude Desktop runs.
4. Pre-authorisation of software the user has not installed. The manifest pre-authorises three Chrome extension IDs. I have installed zero of them. All three are now whitelisted to spawn an out of sandbox helper on my laptop.
5. Scope inflation through generic naming. The manifest is called com.anthropic.claude_browser_extension. That name describes the thing. It does not describe the scope. A user auditing their filesystem sees a Claude integration and thinks "well, I have Claude Desktop installed, this is Claude's thing." They do not think "this hands out of sandbox control of my browser, across every one of my authenticated sessions, to whichever of three extension IDs Anthropic decides to ship."
Accurate naming would be something like com.anthropic.browser_agent_bridge, with a description field that honestly stated what the bridge does: out of sandbox code execution, authenticated session access, full DOM read. The name Anthropic chose sounds harmless. That is exactly the point.
6. Registration into software the user has not installed. On the second machine, four of the seven browsers into which Claude Desktop wrote the manifest, Edge, Arc, Vivaldi, and Opera, are not installed. Claude Desktop created the NativeMessagingHosts parent directories for those four browsers on 19 January 2026 at 08:19:15, the same timestamp cluster as the initial manifests, and the browsers themselves are not present in /Applications. If I ever install any of those four browsers in future, the bridge is already in place, pre-authorised, from the moment of first launch.
7. Registration into browsers Anthropic publicly says it does not support. Anthropic's own documentation states that Claude's Chrome integration only supports Chrome and Edge, and does not support Brave, Arc, or other Chromium-based browsers. Claude Desktop's log shows installs into Brave, Arc, Chromium, Vivaldi, and Opera. The documented position and the shipped behaviour diverge.
8. Fixed target list with no user visibility. The log shows installs into a fixed list of seven browsers. I found no macOS system UI, no browser UI, and no Claude.app UI that lists registered Native Messaging hosts. The list is discoverable only by reading Claude Desktop's own log, or by searching the filesystem for the manifest.
9. Automatic re-install on every run. Claude Desktop's logs record thirty-one separate Native host installation complete events across its current and archived log files. The manifests' modification timestamps confirm that the files have been rewritten long after their initial creation. Removal of a manifest does not persist.
10. Retroactive survival of user consent. Even if I eventually install Claude for Chrome with full informed consent, the consent I give at that moment is for the extension. It is not a re-consent for a pre-existing bridge installed earlier without my knowledge or consent, with broader scope than the extension needs, in browsers beyond the one I am consenting for.
11. Code signed, notarised, and shipped. The helper binary is signed with Anthropic PBC's Developer ID certificate (team Q6L2SF6YDW), bears an Apple RFC 3161 timestamp of 16 April 2026 at 18:39:18, and sits inside Claude.app, which has a stapled Apple notarisation ticket. It is distributed through Claude Desktop's normal release channel. This is a signed, notarised, shipped artefact, not an artefact of test builds or local development.
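Points 7 and 9 rest on the log excerpt in audit step 5. The following added example (not from the original article, and not Anthropic's code) groups those log lines into install runs, counts rewrites per browser, and lists the browsers targeted outside the documented support set. The function names and the sample lines, which use placeholder paths, are constructed for illustration.

```python
import re
from collections import Counter

# Browsers the documentation quoted in audit step 9 names as supported.
DOCUMENTED = {"Chrome", "Edge"}
INSTALLED = re.compile(r"\[Chrome Extension MCP\] Installed native host manifest "
                       r"for (.+?) at (.+)$")
COMPLETE = "[Chrome Extension MCP] Native host installation complete"

def summarise_installs(lines):
    """Group manifest installs into runs closed by the 'complete' line."""
    runs, current = [], []
    for line in lines:
        line = line.rstrip("\n")
        hit = INSTALLED.search(line)
        if hit:
            current.append(hit.group(1))          # browser name as logged
        elif COMPLETE in line:
            runs.append({"date": line[:10], "browsers": current})
            current = []
    per_browser = Counter(b for run in runs for b in run["browsers"])
    return {
        "runs": len(runs),
        "days": sorted({run["date"] for run in runs}),
        "per_browser": dict(per_browser),
        "outside_documented_support": sorted(set(per_browser) - DOCUMENTED),
        # Installs logged after the last 'complete' line (truncated log or crash).
        "incomplete_run": current,
    }

def sample_log():
    """Constructed lines in the format of the excerpt in step 5."""
    browsers = ["Chrome", "Brave", "Edge", "Chromium", "Arc", "Vivaldi", "Opera"]
    tag = "[info] [Chrome Extension MCP]"
    lines = []
    for date in ("2026-03-21", "2026-03-22"):
        lines.append(f"{date} 14:54:39 [info] App is installed, "
                     "enabling initial check and auto-updates")
        for name in browsers:
            lines.append(f"{date} 14:54:40 {tag} Installed native host manifest "
                         f"for {name} at /Users/example/placeholder/{name}.json")
        lines.append(f"{date} 14:54:40 {tag} Native host installation complete")
    # A run cut off before its 'complete' line.
    lines.append(f"2026-03-23 09:00:00 {tag} Installed native host manifest "
                 "for Chrome at /Users/example/placeholder/Chrome.json")
    return lines

if __name__ == "__main__":
    for key, value in summarise_installs(sample_log()).items():
        print(key, value)
```

Against a real installation, pass the concatenated lines of `main.log` and `main1.log` instead of `sample_log()`.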
Security threats this creates
Dormant capability is not safe capability. The install expands the attack surface of every machine Anthropic has touched in the following ways. These are threat scenarios, not claims that the threats are currently being exploited.
Latent trigger supply chain exposure. Three Chrome extensions are pre-authorised to invoke the helper. If any one of them is compromised, by upstream Anthropic account takeover, by a malicious extension update pushed through the Chrome Web Store, by an enterprise policy sideload, or by a compromised build pipeline inside Anthropic itself, the attacker gets out of sandbox code execution on the victim's machine the moment the extension reaches the browser. Without the pre-registration, such an attack would require an additional step of writing the NM manifest, which either prompts the user or requires privilege escalation.
Prompt injection in the bridged extension. Anthropic's own safety data [4] states Claude for Chrome is vulnerable to prompt injection at a 23.6% success rate without mitigations, and 11.2% with their current mitigations. That is the success rate of an attacker delivering instructions hidden in a page the user visits. With the bridge pre-installed on the user's laptop, a successful prompt injection against Claude for Chrome has a path, through the extension, through the bridge, to a helper binary running outside the browser sandbox at user privilege.
Browser trust model inversion. I use Brave for reasons. Brave's security posture is one of those reasons. Silently registering an out of sandbox bridge inside Brave partially defeats Brave's posture without Brave's knowledge or mine. A user who chose Brave for hardening ends up with Chrome-equivalent exposure without having chosen it. Brave did not consent to this either.
No auditability. There is no macOS system UI, no browser UI, and no Claude.app UI that lists registered Native Messaging hosts. I found this by typing commands in a terminal.
Future scope creep. Anthropic controls the three pre-authorised IDs. Nothing in this install limits what future versions of Claude's extensions will be allowed to request via the bridge. A future version of the helper could expand its exposed capabilities without any further visible install action on the user's machine. The user consented to none of that. The user does not even know the hook is there.
Privacy threats this creates
Browser content is among the most privacy sensitive data on anyone's machine.
Authenticated session exposure. Anthropic's own documentation states that Claude for Chrome "shares your browser's login state" [2]. A bridge that inherits login state can act as the user on any site the user is signed into. No re-login. No extra prompt.
Rendered DOM access. The documented capabilities include reading DOM state and extracting structured information from web pages [2]. That includes content which never appears in URLs or network logs: decrypted private messages, form state mid type, in memory values. Content that HTTPS was invented to protect sits in plain text inside the DOM on the user's laptop, within the documented access scope of the bridge.
Form filling. The documented capabilities include data entry and form filling [2]. A tool that can fill a form can inspect its fields, including passwords at the moment they are entered, credit card numbers, two factor codes at the moment they appear on screen, and any autofill value the browser presents.
Cross profile correlation. Native Messaging hosts on macOS are registered at the browser level, not per profile [1]. One bridge is reachable from every profile in the browser simultaneously. Users who use profiles to silo personal, work, and research browsing lose that silo at the bridge layer.
Invalid consent. Even if the user eventually installs Claude for Chrome with full informed consent, the consent given at that moment is for the extension. It is not a re-consent for a pre-existing bridge, installed earlier without the user's knowledge or consent.
Is it spyware?
The honest description of what is on my machine is this: pre-installed spyware capability, silently placed, dormant, waiting for activation. The moment a paired extension lands, whether the user installs it, an enterprise policy pushes it, an attacker plants it, or Anthropic's own next update bundles it, the word "dormant" vanishes.
Anthropic will argue the binary is not currently doing anything harmful. That argument does not survive contact with the facts. The capability is installed. The trust relationship is established. The opt in was never requested. On the day the trigger arrives, none of that changes, except the binary starts running.
That argument also doesn't save them legally - the mere placing of the binary on the device and the creation of the folders to store it is a direct breach of Article 5(3) of Directive 2002/58/EC and a multitude of computer trespass and misuse laws.
What Anthropic should have done
None of the following is novel. Every point is standard desktop software practice in 2026.
Ask. First launch of Claude Desktop pops a dialogue. "Would you like Claude to control your browser? This requires installing a browser integration. Configure now, or skip, you can enable this later in Settings." Three sentences. Two buttons. Done.
Pull, not push. Install the NM manifest only as a downstream consequence of the user affirmatively installing the paired browser extension. The Chrome Web Store install click is already the consent event. Let it do its job. Do not front run it weeks earlier on the desktop side.
Scope strictly. When the user opts in, install into the browser they are opting in for. Do not mass register across every Chromium browser you find on the machine. Do not register into browsers that are not on the machine at all.
Surface it. In Claude.app's Settings, list every system integration currently registered. Browser bridges. Login items. Launch agents. Let the user revoke each one persistently, with a clear warning when revocation has a practical consequence.
Document it. Extend the Claude documentation to cover every place Claude Desktop installs NM manifests. Use distinct filenames for distinct products, so a user who finds one can match it to a documented feature. Then, stop doing those installs silently.
Retroactive consent. Users who installed earlier versions of Claude.app should be notified on next launch that their machine has pre-registered bridges, shown the list, and offered a one click revoke. Treat this as the trust erosion event it is. Not an implementation detail. Of course opt-in would be better, but given the barn doors were left wide open, it is a little late for that.
Per extension first connect prompt. Even with the paired extension installed, prompt the user the first time it calls connectNative to the Claude bridge. Let the user decide at the moment of actual capability activation, not weeks earlier inside a completely different application.
What Anthropic chooses to do next matters. A company cannot credibly claim to support human rights, as Anthropic have done in arguing against the use of their technology for war, and in the next breath undermine the fundamental human rights to privacy and data protection. I presume the next update of Claude Desktop will remove the bridge, or at minimum gate it behind affirmative user consent. If it does not, we will know what Anthropic's public safety posture is actually worth.
References
[1] Chrome Developers. "Native Messaging." https://developer.chrome.com/docs/extensions/develop/concepts/native-messaging
[2] Anthropic. "Use Claude Code with Chrome (beta)." https://code.claude.com/docs/en/chrome
[3] European Parliament and Council. Directive 2002/58/EC on privacy and electronic communications (ePrivacy Directive), Article 5(3). https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX:02002L0058-20091219
[4] Anthropic. "Claude for Chrome." https://claude.com/blog/claude-for-chrome
[5] Anthropic. "Claude in Chrome" extension. Chrome Web Store. https://chromewebstore.google.com/detail/claude/fcoeoabgfenejglbffodgkkbkcdhcgfn
