- Anthropic’s Claude Desktop for macOS installs a Native Messaging manifest across every detected Chromium-based browser profile at installation time, without user notification, a pseudonymous researcher reported on April 20, 2026.
- The undocumented manifest is separate from the documented Claude Code browser bridge and pre-authorizes a local binary to run outside the browser sandbox at user privilege level.
- An audit found the manifest written to seven browser directories, including five browsers not installed on the test machine.
- Anthropic’s own launch documentation for the paired browser feature discloses an 11.2% prompt injection attack success rate after current mitigations.
What Happened
A pseudonymous security researcher publishing under the handle “That Privacy Guy” disclosed on April 20, 2026, that installing Claude Desktop on macOS causes the application to write a Native Messaging manifest — com.anthropic.claude_browser_extension.json — into the NativeMessagingHosts directory of every Chromium-based browser path it detects on the system, without prompting the user or disclosing the behavior during setup.
The researcher confirmed the finding on a second machine. An MD5 audit showed all seven installed manifests were byte-for-byte identical, covering Arc, Brave, Chromium, Google Chrome, Microsoft Edge, Opera, and Vivaldi profile paths.
Why It Matters
Native Messaging hosts operate outside the browser sandbox at the same OS privilege level as the logged-in user and do not appear in macOS’s standard permission dialogs alongside camera or microphone access. The manifest at issue — com.anthropic.claude_browser_extension.json — is distinct from com.anthropic.claude_code_browser_extension.json, the bridge installed by Claude Code that Anthropic documents separately. Both manifests can coexist on the same machine and serve different products.
The paired browser product, Claude for Chrome, launched as a research preview in August 2025 and rolled out more broadly through late 2025. As of April 2026, Anthropic’s own materials continue to label it “beta.”
Technical Details
The manifest pre-authorizes three specific Chrome extension IDs to invoke the binary at /Applications/Claude.app/Contents/Helpers/chrome-native-host. The binary does not execute unless a matching extension is active in the browser. On a machine with no Claude browser extension installed, the manifest remains dormant.
When the paired extension is present and active, Anthropic’s own documentation describes the host’s capabilities as including authenticated session access, DOM state reads, form filling, local data extraction, task automation, and session recording. Anthropic’s documentation states directly: “Claude opens new tabs for browser tasks and shares your browser’s login state, so it can access any site you’re already signed into.”
In the Claude for Chrome launch announcement, Anthropic disclosed a 23.6% prompt injection attack success rate before mitigations and 11.2% after current defenses are applied, meaning malicious page content can hijack the feature in a non-trivial share of targeted attempts under current conditions.
The researcher’s audit found the manifest written to five browser profile directories — Arc, Chromium, Edge, Vivaldi, and Opera — corresponding to browsers not present in /Applications on the audited machine, indicating the installer writes to all known Chromium paths regardless of whether those browsers are installed.
Who’s Affected
Any macOS user who has installed Claude Desktop is affected, regardless of whether they use or intend to use the Claude for Chrome extension. The researcher argues the installation constitutes a violation of Article 5(3) of Directive 2002/58/EC (the ePrivacy Directive), which governs unauthorized storage access on endpoint devices, as well as computer access statutes in multiple jurisdictions. These are the researcher’s legal interpretations; no regulatory body had announced a formal inquiry as of publication.
Enterprise users with production infrastructure, financial accounts, or health portals open in browser sessions would face the documented capability exposure if the matching extension were also present or subsequently installed. Anthropic had not publicly responded to the disclosure as of April 20, 2026.
What’s Next
The researcher published a full shell-command audit trail alongside the post, enabling any macOS user to locate the files at paths such as ~/Library/Application Support/BraveSoftware/Brave-Browser/NativeMessagingHosts/com.anthropic.claude_browser_extension.json and remove them manually if they do not use the browser integration.
Anthropic has not updated its public support documentation to disclose the manifest installation behavior, and has not stated whether a future Claude Desktop release will remove the files from systems where the browser extension is not in use.
