Security researcher Alexander Hanff claims Claude Desktop on macOS drops a Native Messaging host manifest into multiple Chromium profiles, effectively allowing a browser extension to interact with a local executable outside the browser sandbox, which he describes as a backdoor.
He found that the manifest pre-authorises three Chrome extension IDs, enabling those extensions to call the host and access browser automation features, while noting that the manifest will be recreated if Claude Desktop is relaunched, potentially making deletion futile. The article clarifies that Claude Desktop is the Electron-based macOS application with bundle identifier com.anthropic[.]claudefordesktop, distributed as Claude[.]app, and that it is not about Claude Code, Anthropic’s command line tool.
It also explains that Claude Desktop can write into browsers’ profile directories and perform user-like actions such as using the logged‑in browser session, DOM inspection, data extraction, form filling and session recording, thereby expanding the machine’s attack surface.
The piece cites Anthropic’s own launch blog on “Claude for Chrome” for prompt-injection risks and attack-success rates as context for the broader risk discussion, though Malwarebytes notes it does not yet have an official response from Anthropic.
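
To see which Native Messaging host manifests exist on a Mac and which extension IDs each one pre-authorises, the read-only audit below is an added example, not code from the article or from Anthropic. It assumes the standard manifest keys (`name`, `path`, `allowed_origins`) and that manifests sit in `NativeMessagingHosts` folders under `~/Library/Application Support`; the sample manifest, host name and browser folder names are constructed placeholders.

```python
import json
import os
from pathlib import Path

# Assumption: per-user host manifests live in "NativeMessagingHosts" folders
# under ~/Library/Application Support (one per Chromium-family browser).
DEFAULT_ROOT = Path.home() / "Library" / "Application Support"
ORIGIN_PREFIX = "chrome-extension://"

def audit_native_hosts(root=DEFAULT_ROOT):
    """Report every Native Messaging manifest under root; nothing is modified."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        if Path(dirpath).name != "NativeMessagingHosts":
            continue
        dirnames.clear()  # manifests sit directly in this folder
        for fname in filenames:
            manifest = Path(dirpath) / fname
            if manifest.suffix != ".json":
                continue
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                host = data.get("path") or ""
                findings.append({
                    "manifest": str(manifest),
                    "name": data.get("name"),
                    "host_path": host,
                    "host_exists": bool(host) and Path(host).exists(),
                    # Extension IDs pre-authorised to launch the host binary.
                    "extension_ids": [
                        o[len(ORIGIN_PREFIX):].strip("/")
                        for o in data.get("allowed_origins") or []
                        if isinstance(o, str) and o.startswith(ORIGIN_PREFIX)],
                    # A changed mtime after relaunch shows the file was rewritten.
                    "mtime": manifest.stat().st_mtime,
                })
            except (OSError, ValueError, AttributeError, TypeError) as exc:
                findings.append({"manifest": str(manifest), "error": repr(exc)})
    return sorted(findings, key=lambda f: f["manifest"])

def build_sample_tree(root):
    """Constructed sample: one placeholder manifest in two fake browser dirs."""
    sample = {"name": "com.example.placeholder_host", "type": "stdio",
              "path": "/nonexistent/placeholder-host",
              "allowed_origins": [ORIGIN_PREFIX + "a" * 32 + "/",
                                  ORIGIN_PREFIX + "b" * 32 + "/"]}
    for browser in ("BrowserA", "BrowserB"):
        folder = Path(root) / browser / "NativeMessagingHosts"
        folder.mkdir(parents=True)
        (folder / "com.example.placeholder_host.json").write_text(json.dumps(sample))

if __name__ == "__main__":
    print(json.dumps(audit_native_hosts(), indent=2))
```

Running it before and after relaunching the application and comparing the `mtime` values shows whether a manifest was recreated.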