{“lastseen”:”2026-04-22T12:05:07″,”description”:”Security researcher Alexander Hanff wrote an article titled Anthropic secretly installs spyware when you install Claude Desktop.\\n\\nClaims like that are bound to create two sides, so we searched for an official rebuttal by Anthropic. But we couldn\u2019t find one. It would surprise me very much if they\u2019d be unaware of the claim, since there\u2019s been some noise about it.\\n\\nUsers on Mastodon, Reddit, and LinkedIn are confirming the researcher\u2019s findings and discussing the subject, so it\u2019s hard to imagine Anthropic missed it.\\n\\nLet\u2019s look at the claims first.\\n\\nWhile looking into another matter, the researcher discovered a Native Messaging host manifest on his Mac that he did not knowingly install. On Chrome and other Chromium-based browsers, extensions can exchange messages with native applications if they register a native messaging host that can communicate with the extension. \\n\\nBy testing on a clean machine, Hanff discovered that Installing Claude Desktop for macOS drops a Native Messaging host manifest into multiple Chromium profiles (Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium), even including for browsers that are not actually installed yet.\\n\\nThe Native Messaging host manifest tells a Chromium\u2011based browser which local executable to invoke when an extension calls a native host, and those hosts run outside the browser sandbox with current users permissions. Hanff therefore describes this as a \u201cbackdoor.\u201d The manifest pre\u2011authorizes three Chrome extension IDs, so any extension with those IDs can call the helper via `connectNative`, giving it access to browser automation features.\\n\\nAnother objection is that Claude makes simple deletion futile since the manifest will be recreated the next time the user launches Claude Desktop.\\n\\nIt\u2019s important here to point out that his article is about Claude Desktop, the Electron-based macOS application with bundle identifier `com.anthropic.claudefordesktop`, distributed as Claude.app. It is not about Claude Code, Anthropic’s command line developer tool. Claude Code is autonomous (\\”agentic\\”), allowing you to hand over a task, and it handles the planning and execution until done. So, for Claude Code, it would absolutely make sense to enable communication with browsers, provided they are present on the target system.\\n\\nSo, we have an application that writes into other apps\u2019 profile\/support directories (the browsers\u2019 configuration area) and can act as the user, with capabilities like using the logged\u2011in browser session, DOM inspection, data extraction, form filling, and session recording. This expands the attack surface of every machine this manifest is dropped on, without asking for consent. \\n\\nAnthropic\u2019s own launch blog on \u201cClaude for Chrome,\u201d which discusses Anthropic\u2019s internal red\u2011team experiments, explicitly mentions prompt injection as a key risk and reports attack success rates of 23.6% (no mitigations) and 11.2% (with mitigations). Hanff cites this to argue that a pre\u2011positioned bridge is a non\u2011trivial risk.\\n\\n## How bad is it?\\n\\nNative Messaging is a standard Chromium mechanism. Nothing here is an unknown or exotic technique per se. Chrome\u2019s own documentation explains that Native Messaging hosts run at user privilege and are invoked by browser extensions through a manifest file. And as the researcher pointed out, the bridge does nothing. But it could potentially be abused.\\n\\nI don\u2019t think it\u2019s fair to say that Claude Desktop installs spyware, but it does open a system up by expanding the attack surface.\\n\\nAnthropic already had a separate, documented Native Messaging manifest for Claude Code that users sometimes manually copied into other Chromium browsers; the new behavior is that Claude Desktop now drops a Claude\u2011Desktop\u2011related manifest into multiple browser paths automatically.\\n\\nIt requires a combination of extension and host. Only combined with a matching browser extension, this bridge enables the user-like capabilities we listed earlier.\\n\\n## What we don\u2019t know yet\\n\\nAnthropic hasn’t published a detailed technical privacy spec for the Claude Desktop\u2013browser bridge, so we don\u2019t know exactly what data flows when the Chrome integration is used, beyond the general capabilities described in their documentation (session access, DOM reading, etc.).\\n\\nThe detailed analysis and most replication so far are on macOS. We’re in the dark about behavior on Windows and Linux, and the same is true across different browser install paths. That behavior has also not been comprehensively documented in public write\u2011ups.\\n\\nI did reach out to Anthropic asking for a response. If and when we get an official response from Anthropic, I\u2019ll add it here, so stay tuned.\\n\\n## Conclusion\\n\\nAnthropic likely wanted \u201cClaude in Chrome\u201d\u2011style capabilities across Chromium\u2011based browsers, but that doesn’t excuse doing it silently and preinstalling the manifest into profile directories for multiple browsers, including ones that are not yet installed.\\n\\nThere are better ways to implement changes like these, and users should at least be made aware of them so they can weigh the advantages against the potential risks.\\n\\n* * *\\n\\n**Stop threats before they can do any harm.**\\n\\nMalwarebytes Browser Guard blocks phishing pages and malicious sites automatically. Free, one click to install. Add it to your browser \u2192”,”published”:”2026-04-22T11:53:11″,”modified”:”2026-04-22T11:53:11″,”type”:”malwarebytes”,”title”:”Researcher claims Claude Desktop installs \u201cspyware\u201d on macOS”,”source”:””,”references”:””,”id”:”MALWAREBYTES:FC69A1E3B91413A4F4DC22F5E32ECEA0″,”bulletinFamily”:”blog”,”cwe”:null,”cvelist”:[],”sourceData”:””,”sourceHref”:””,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.malwarebytes.com\/blog\/news\/2026\/04\/researcher-claims-claude-desktop-installs-spyware-on-macos”,”category_name”:”News”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-04-22T12:05:07″,”description”:”Security researcher Alexander Hanff wrote an article titled Anthropic secretly installs spyware when you install Claude Desktop.\\n\\nClaims like that are bound to create two sides,…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-48682","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n