Claude Desktop on macOS Accused of Silently Preauthorizing Browser Access
Anthropic’s Claude Desktop for macOS has been accused of silently installing Native Messaging manifest files that preauthorize its browser extensions to communicate with a local helper binary across multiple Chromium-based browsers, including Chrome, Brave, Edge, Arc, Vivaldi, and Opera. Researcher Alexander Hanff reported that the manifests can be written even for browsers not currently installed, meaning future Chromium-based browsers added to the system could automatically inherit the trust relationship. The manifests reportedly authorize specific extension IDs to access a local executable outside the browser sandbox, creating a persistent browser-to-local bridge without clear user notification or consent.
Security researchers said the behavior expands the host attack surface because a compromised or maliciously updated authorized extension could potentially trigger out-of-sandbox actions with the user’s privileges. Reports also said Anthropic’s browser integrations are designed to inspect the DOM, extract structured data, fill forms, and use login state, raising concerns that sensitive content such as private messages, banking sessions, and typed credentials could be exposed if the bridge were abused. Commentators disputed labeling the feature as outright "spyware," but agreed that silently deploying the manifests creates significant transparency, privacy, and compliance concerns, including possible issues under the EU ePrivacy Directive and related computer misuse rules; Anthropic had not publicly issued a detailed technical rebuttal in the cited reports.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
2 events from the most recent confirmed update back to the earliest known activity.
Media reports amplify security and privacy concerns around Claude Desktop behavior
Subsequent coverage highlighted that the preinstalled manifests expand the local attack surface by enabling authorized browser extensions to invoke a native host with the current user's privileges. Reports also noted potential exposure of sensitive browser content through Claude's browser integration features and raised possible legal concerns under EU ePrivacy or computer misuse rules.
Researcher publishes findings on Claude Desktop's silent browser bridge installs
On his blog, privacy researcher Alexander Hanff reported that Claude Desktop for macOS silently installs Native Messaging manifest files for multiple Chromium-based browsers without user consent. He said the manifests can be created even for browsers not yet installed, preauthorizing Anthropic browser extensions to communicate with a local helper binary outside the browser sandbox.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Claude Desktop Reportedly Adds Browser Access Bridge to Multiple Chromium-Based Browsers
cybersecuritynews.com
Open sourceResearcher claims Claude Desktop installs “spyware” on macOS | Malwarebytes
malwarebytes.com
Open sourceClaude Desktop Silently Installs Browser Extension Files for Browsers Not Installed - gHacks Tech News
ghacks.net
Open sourceAnthropic secretly installs spyware when you install Claude Desktop - That Privacy Guy!
thatprivacyguy.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Claude Chrome Extension Flaw Let Other Browser Plugins Hijack AI Actions
Researchers at LayerX disclosed a critical flaw in Anthropic’s Claude Chrome extension that allowed **any other Chrome extension**, including ones with no declared permissions, to send hidden instructions to Claude and abuse its browser automation features. The issue reportedly stemmed from the extension trusting messages associated with the `claude.ai` origin without properly authenticating the true sender, creating a cross-extension privilege escalation path. In proof-of-concept attacks, LayerX said it used the weakness to extract files from Google Drive, read and send Gmail messages, steal code from connected private GitHub repositories, and even summarize or delete recent emails to conceal activity. Anthropic said the bug had already been identified internally and released version `1.0.70` with mitigations, including approval flows for privileged actions, but LayerX reported that the fix was incomplete and that takeover remained possible through privileged mode and side-panel initialization paths. The researchers said the flaw exposed a broader trust-boundary problem in AI browser assistants, where interface-based approvals and safety guardrails can be bypassed if extensions fail to verify message origin and execution context. Separate White House discussions about tighter oversight of advanced AI models, including Anthropic systems with offensive cyber capabilities, underscored growing concern over how powerful AI tools are secured before deployment.
May 12, 2026
Chromium Flaws Expose Browsers to Persistent Abuse and Session Theft
A serious unpatched **Chromium** vulnerability was accidentally exposed after Google engineers marked the issue as fixed without shipping a patch, causing the bug report and proof-of-concept to become public. The flaw, originally reported in 2022, abuses the **Background Fetch API** to keep a Service Worker and malicious JavaScript running after the browser is closed and, in some cases, even after a device reboot. Affected products include **Chrome**, **Microsoft Edge**, **Brave**, **Opera**, **Vivaldi**, and **Arc**. The bug could let attackers abuse victims’ browsers for proxying traffic, launching DDoS activity, opening websites, and tracking user behavior; Google later re-hid the report and said it is working on a fix. Separately, researchers analyzing the **VoidStealer** infostealer found it can bypass Chrome’s **Application-Bound Encryption (ABE)** on Windows by attaching to the browser as a debugger, intercepting the moment Chrome decrypts protected data, and extracting the master key from memory. That technique enables theft of cookies, sessions, and other sensitive browser data, and the risk extends to other Chromium-based browsers using the same protection model. Together, the disclosures show that Chromium ecosystems face both browser-level persistence abuse and post-compromise data theft, with defenders urged to watch for unusual download-menu behavior, keep browsers updated as fixes arrive, and harden endpoints against infostealer activity.
May 24, 2026
Claude Chrome Extension Flaw Enabled Zero-Click Prompt Injection via Trusted Subdomain XSS
Researchers disclosed a critical zero-click vulnerability chain in Anthropic’s Claude Chrome extension that allowed a malicious website to inject prompts into the AI assistant without any user interaction. The attack relied on the extension trusting any `*.claude.ai` origin and a DOM-based XSS flaw in an older Arkose Labs CAPTCHA component hosted on `a-cdn.claude.ai`; by loading the vulnerable component in a hidden iframe and sending a crafted `postMessage`, attacker-controlled JavaScript could appear to come from a trusted Claude origin and submit prompts as the victim. Successful exploitation could have exposed more than 3 million users to account and data compromise, including theft of Gmail OAuth tokens, access to Gmail, Google Drive, and Claude chat history, and invisible actions such as sending emails on the user’s behalf. KOI Security researcher Oren Yomtov reported the issue to Anthropic in late December 2025, Anthropic patched the extension by tightening origin validation to `https://claude.ai` in January 2026, and Arkose Labs separately fixed the XSS issue in February 2026 after the vulnerable resource was disabled.
Mar 27, 2026