Anthropic's Claude Desktop Caught Planting Hidden Browser Bridges: A Privacy Time Bomb for Developers

WebProNews, 4d ago

Privacy advocate Alexander Hanff uncovered a startling practice in Anthropic's Claude Desktop app. On April 18, 2026, he detailed how the macOS application silently drops configuration files into Chromium-based browsers. These files set up a Native Messaging host. No user consent. No disclosure. Just automatic installation across seven browsers, including those not even present on the machine.

Hanff's investigation began with routine debugging. He spotted an unfamiliar manifest in Brave's directory: . Digging deeper, he found identical files in Chrome, Edge, Arc, Vivaldi, Opera, and Chromium folders. Some directories didn't exist before Claude's arrival. Last modified April 16, 2026. Claude's own logs confirmed it: 31 installation events under 'Chrome Extension MCP' on March 21.

The manifest points to a binary at . Signed by Anthropic's Developer ID. Notarized by Apple. It allows three specific Chrome extensions -- uninstalled by default -- to invoke this host outside the browser sandbox. Via stdio. At user privilege level. Hanff calls it a 'spyware bridge.' Why? Because it enables browser automation: reading DOM state, filling forms, capturing screens, accessing authenticated sessions.

Anthropic's own documentation spells out the powers. 'Claude opens new tabs for browser tasks and shares your browser's login state, so it can access any site you're already signed into.' Imagine that hitting your bank, health portal, or corporate email. All dormant until an extension activates it. But pre-installed. Pre-authorized. Crossing trust boundaries without a whisper.

Delete the files? They reappear on next launch. No UI to revoke. Installed in unsupported browsers like Brave. Hanff argues this breaks Article 5(3) of the ePrivacy Directive: no consent for software placing calls over networks. Violates computer misuse laws too. Dark patterns abound -- forced bundling, no opt-in, auto-reinstall.

Security holes compound the mess. Anthropic admits prompt injection hits Claude for Chrome at 23.6% without mitigations, 11.2% with them. A compromised extension could exploit this bridge. Supply chain nightmare. Latent risks everywhere.

But wait. Anthropic's week got worse. Just days earlier, on March 31, a packaging error leaked 512,000 lines of Claude Code source. Nearly 2,000 TypeScript files. Exposed via an npm source map. No customer data, they say. But internals spilled: feature flags, system prompts, context pipelines. CNBC reported the blunder. Axios noted the full architecture dump. Hackers piled on, lacing GitHub mirrors with infostealer malware, per Wired.

Leaked code revealed more tracking. Claude Code scans prompts for frustration -- profanity, 'this sucks.' Logs negativity. Scrubs Anthropic references to mimic human code. Scientific American highlighted the privacy creep. Researcher 'Antlers' told The Register: 'Every single file Claude looks at gets saved and uploaded to Anthropic.'

Then vulnerabilities. Adversa AI found Claude Code bypasses deny rules on commands with more than 50 subcommands. Prompt injection tricks it into running 'rm' despite blocks. SecurityWeek warned of credential theft at scale. Check Point flagged config injection flaws, CVEs with 8.7 scores. Shell commands via hooks. API key grabs.

X buzzed with outrage. One post: 'Anthropic installs spyware when you install Claude Desktop,' linking Hanff's piece. Developers fumed over rate limits amid leaks. 'Claude is literally malware,' another claimed, citing IP blocks.

Anthropic pushes back on broader fronts. They disrupted Chinese espionage using Claude Code in 2025, per their blog. Accused DeepSeek and others of 16 million fraudulent prompts to distill Claude, the Wall Street Journal reported. Held Mythos over hack risks -- thousands of zero-days found, per Axios.

Privacy page boasts encryption, limited access. But defaults to cloud. Employees peek for policy enforcement. Hanff's bridge sidesteps browser silos. Exposes sessions cross-profile.

Industry insiders see patterns. Claude Desktop's bridge preps for extensions like Claude for Chrome (beta). Undocumented. Claude Code's separate bridge is documented -- why not this? Logs show installs in non-Chrome/Edge browsers Anthropic claims unsupported.

Developers face choices. Vibe coding tempts. But at what cost? Dedicated machines? Air-gapped setups? Hanff reproduced on a second Mac. Same manifests. Same logs. Persistent.

Anthropic stays mum on the bridge. No response to Hanff. Focuses on Opus 4.7, resisting prompt injection better. Yet trust erodes. Leaks. Bridges. Uploads. Spyware accusations stick.

Regulators watch. ePrivacy violations invite fines. Class actions loom if sessions leak. Users uninstall. Or isolate.

Boom.

For pros, audit your systems. Check . Hunt Anthropic manifests. Revoke if found. Watch Anthropic's next move. They build safety-first AI. But execution falters. Badly.
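One way to run that audit, as an added example (not code from Hanff, Anthropic or the original article): it walks the macOS per-user application data folder for Chromium-style `NativeMessagingHosts` directories and reports each manifest's host name, binary path and allowed extension origins. The host name, binary path and extension ID in `demo()` are constructed placeholders.

```python
import json
import os
import tempfile
from pathlib import Path

# Assumed layout: per-user manifests live in "NativeMessagingHosts" folders here.
DEFAULT_ROOT = Path.home() / "Library" / "Application Support"

def find_native_hosts(root=DEFAULT_ROOT):
    """Return one record per host manifest found anywhere under root."""
    records = []
    for dirpath, _dirs, files in os.walk(root):
        if os.path.basename(dirpath) != "NativeMessagingHosts":
            continue
        for fname in (f for f in files if f.endswith(".json")):
            manifest = Path(dirpath) / fname
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                if not isinstance(data, dict):
                    raise ValueError("manifest is not a JSON object")
            except (OSError, ValueError) as exc:
                # Unreadable or malformed manifests are reported, not skipped.
                records.append({"manifest": str(manifest), "error": str(exc)})
                continue
            binary = str(data.get("path", ""))
            records.append({
                "manifest": str(manifest),
                "name": data.get("name"),
                "binary": binary,
                "binary_exists": os.path.isfile(binary),
                "allowed_origins": data.get("allowed_origins", []),
            })
    return sorted(records, key=lambda r: r["manifest"])

def demo():
    """Scan a constructed tree; host name, path and extension ID are made up."""
    with tempfile.TemporaryDirectory() as tmp:
        for browser in ("BrowserA", "BrowserB"):  # constructed browser dirs
            hosts = Path(tmp) / browser / "NativeMessagingHosts"
            hosts.mkdir(parents=True)
            (hosts / "com.example.bridge.json").write_text(json.dumps({
                "name": "com.example.bridge", "type": "stdio",
                "path": "/Applications/Example.app/Contents/Helpers/bridge",
                "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"],
            }))
        (hosts / "truncated.json").write_text("{")  # unparsable manifest
        return find_native_hosts(tmp)

if __name__ == "__main__":
    print(json.dumps(find_native_hosts(), indent=2))
```

Entries worth a closer look are those whose `allowed_origins` name extensions you never installed, or that sit in a data folder for a browser that is not on the machine.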

Originally published by WebProNews
