Listen to this Post

Introduction: A recent bombshell investigation by privacy researcher Alexander Hanff has revealed that Anthropic’s Desktop app for macOS is silently installing a persistent “bridge” into Chromium-based browsers without any user consent. This bridge, known as a Native Messaging host, can bypass the browser sandbox and grant an associated extension powerful automation capabilities like reading DOM content, filling forms, and recording screens–abilities that Anthropic’s own data shows remain vulnerable to prompt injection 11.2% of the time. The discovery turns a routine software install into a potential privacy and security nightmare, effectively creating a backdoor in up to seven different browsers, including ones not even present on the system.
Learning Objectives:
- Understand the technical mechanism of Chrome’s Native Messaging API and why its “sandbox escape” capability is dangerous.
- Learn to detect the presence of unauthorized Native Messaging manifests across Windows, macOS, and Linux.
- Master mitigation techniques including manual removal, registry hardening, and Sysmon rule creation to detect such silent installs.
You Should Know
1. Forensic Analysis of the Unauthorized Bridge
The controversy centers on a small JSON file named `com.anthropic._browser_extension.json` that Desktop writes into the configuration directories of seven Chromium-based browsers: Google Chrome, Brave, Microsoft Edge, Arc, Vivaldi, Opera, and even bare Chromium. Forensically, the evidence is stark. Alexander Hanff discovered the file while debugging an unrelated project on his MacBook. Deeper analysis revealed that the installer places identical copies (MD5: 1e927a9e7796d0175a2a1f30028f4baa) into browser directories, targeting browsers not even installed on the system—creating a hidden time bomb.
The manifest points to a signed binary located at `/Applications/.app/Contents/Helpers/chrome-native-host` (signed with Developer ID Anthropic PBC (Q6L2SF6YDW)) and pre-authorizes three specific Chrome extension IDs. This means that if a user ever installs one of these “allowed” extensions, the bridge is ready to go. Worse, the file is recreated every time Desktop launches, making manual deletion futile.
The following commands allow you to verify if your system has been affected.
macOS/Linux Detection Commands:
Find the manifest across all Chromium browser config directories find ~/Library/Application\ Support -name "com.anthropic._browser_extension.json" 2>/dev/null Check MD5 hash to confirm it's the known malicious manifest md5 ~/Library/Application\ Support/Google/Chrome/NativeMessagingHosts/com.anthropic._browser_extension.json Monitor filesystem for new manifest writes in real-time (macOS) sudo fs_usage -w -f filesys | grep "_browser_extension" Check extended attributes for provenance (who created the file) xattr -l ~/Library/Application\ Support/Google/Chrome/NativeMessagingHosts/com.anthropic._browser_extension.json
Windows Detection Commands (PowerShell Admin):
Search for the manifest across all Chromium browser directories
Get-ChildItem -Path "$env:LOCALAPPDATA\NativeMessagingHosts" -Filter "com.anthropic._browser_extension.json" -Recurse -ErrorAction SilentlyContinue
Check registry for Native Messaging hosts (Chrome/Edge store paths there on Windows)
Get-ItemProperty -Path "HKCU:\SOFTWARE\Google\Chrome\NativeMessagingHosts\com.anthropic._browser_extension" -ErrorAction SilentlyContinue
Get-ItemProperty -Path "HKCU:\SOFTWARE\Microsoft\Edge\NativeMessagingHosts\com.anthropic._browser_extension" -ErrorAction SilentlyContinue
Monitor process creation for chrome-native-host (potential abuse)
Get-WinEvent -FilterHashtable @{LogName='Security'; ID=4688} | Where-Object {$_.Message -like "chrome-native-host"} | Format-List
2. Understanding the Native Messaging Sandbox Escape
Chrome extensions operate inside a strict sandbox to prevent direct system access. Native Messaging is a legitimate API that opens a controlled channel for a local executable to communicate with an extension via stdin/stdout, without network exposure. However, this is effectively a “secret tunnel” out of the sandbox. The host executable runs as a separate process with the user’s full privileges, completely bypassing browser security boundaries.
In this case, the pre-authorized extension can invoke the `chrome-native-host` binary to perform actions such as: reading the full DOM of any open page, extracting sensitive data, automating form submissions with passwords/2FA codes, and even recording the screen. Because the binary is signed by Anthropic, it bypasses many security filters. This is a classic case of expanding the attack surface: if that extension ever gets compromised (via malicious update or supply chain attack), or if an attacker achieves 11.2% prompt injection success on the extension itself, they now have a direct line to execute code on the host system.
Step‑by‑Step Guide: How an Attacker Could Abuse This
- Reconnaissance: Attacker identifies a system with Desktop installed (and the silent manifest present).
- Delivery: Attacker uses social engineering, a compromised website, or a malicious ad to get the victim to visit a page containing a crafted JavaScript prompt injection payload targeting the extension.
- Exploitation: With 11.2% success rate (or higher if the user disabled mitigations), the attacker injects a command that leverages the Native Messaging bridge.
- Command Execution: The injected script calls
chrome.runtime.connectNative('com.anthropic._browser_extension'), sending a message tochrome-native-host. - System Compromise: The host binary, running with user privileges, executes the attacker’s command—reading sensitive files, installing malware, or pivoting to internal networks.
Simulated Security Test (Linux – Isolated Lab Only):
Simulate listing the allowed origins/extensions pre-authorized in the manifest cat com.anthropic._browser_extension.json | jq '.allowed_origins' The manifest typically contains: "allowed_origins": [ "chrome-extension://dihgbndebgnbjfmelmegjepbnkhlgni/", "chrome-extension://fcoeoabgfenejglbffodgkkbkcdhcgfn/", ... ] Monitor network connections from chrome-native-host (if it attempts to phone home) sudo lsof -i -P | grep chrome-native-host
3. Persistence Mechanisms and Why Deletion Fails
Hanff’s forensic work shows that deleting the manifest is a temporary fix. The file is rewritten every time Desktop launches. This is achieved through Electron’s internal “Chrome Extension MCP” subsystem, which logged 31 installation events during analysis. The behavior matches a classic persistence technique: the application monitors its own lifecycle and, at each startup, checks for the presence of the manifest in all target directories—re-creating it if missing, even for browsers that were never installed.
In addition, the installer pre-installs the bridge for browsers that aren’t even on the system by creating the relevant configuration folders preemptively. This is a dark pattern of “anticipatory authorization”: if the user ever installs Brave or Opera in the future, the bridge is already there, waiting to grant access without a single permission prompt.
Step‑by‑Step Guide to Permanent Removal
- Close Desktop completely (check Activity Monitor/Task Manager for any lingering processes).
- Delete the manifest file from all affected browsers (see detection commands above).
- Remove the helper binary to break the communication channel:
sudo rm -f /Applications/.app/Contents/Helpers/chrome-native-host
- Block re-creation by making the target directories immutable (macOS/Linux):
chflags schg ~/Library/Application\ Support/Google/Chrome/NativeMessagingHosts/
- Use a launchdaemon to detect and kill the process at startup (advanced):
Create a script that runs at login to check for and remove the file Add to crontab: @reboot find /Users -name "com.anthropic._browser_extension.json" -delete
- Uninstall Desktop entirely if the functionality isn’t mission-critical.
4. Enterprise Hardening & Detection Engineering
For organizations with macOS devices (or Windows/Linux desktops running Electron apps), this incident highlights the need for proactive controls around Native Messaging. The risk is not just Anthropic—any application could abuse this API silently.
Registry Hardening (Windows Group Policy):
Disable Native Messaging for all users via Chrome GPO Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Google\Chrome" -Name "NativeMessagingUserLevelHosts" -Value 0 -Type DWord Block specific Native Messaging hosts New-Item -Path "HKLM:\SOFTWARE\Policies\Google\Chrome\NativeMessagingAllowlist" -Force (Add empty list to block all)
Chromium Enterprise Policy (Linux/Chrome):
{
"NativeMessagingUserLevelHosts": false,
"NativeMessagingBlocklist": [""]
}
Sysmon Rule (Windows) to Detect Native Messaging Abuse:
<Sysmon schemaversion="4.22"> <EventFiltering> <RuleGroup name="" groupRelation="or"> <FileCreateTime rule="Technology" groupRelation="or"> <TargetFilename condition="contains">NativeMessagingHosts</TargetFilename> </FileCreateTime> <ProcessCreate onmatch="include"> <CommandLine condition="contains">chrome-native-host</CommandLine> </ProcessCreate> </RuleGroup> </EventFiltering> </Sysmon>
macOS (Santa) Rule to Block Unauthorized Binaries:
Santa configuration to block the helper binary globally blocker: - identifier: "com.anthropic.chrome-native-host" policy: BLOCK
5. Legal Implications and the Undocumented “Feature”
Hanff argues that this silent installation violates EU Directive 2002/58/EC (ePrivacy Directive) 5(3), which requires explicit consent before accessing information stored on a user’s device unless strictly necessary for the service. This is not strictly necessary for Desktop’s core chat functionality. The directive applies regardless of whether the access involves “spyware” or not. Furthermore, writing configuration files into third-party browser directories without permission may constitute a computer misuse offense in several legal systems.
Crucially, this bridge is entirely undocumented. Anthropic’s official documentation states support only for Chrome and Edge, yet the app writes to seven browsers, including unsupported ones. The naming convention—generic and ambiguous—further obscures its true capability. This is a textbook anti-pattern: a feature that is installed without consent, has no opt-out, persists across deletions, and whose full power is hidden from the user. For cybersecurity professionals, this incident is a wake-up call to audit all Electron-based applications for similar behaviors.
What Undercode Say
- Silent persistence breaks trust boundaries – An application modifying another application’s configuration without explicit consent is a fundamental violation of system integrity and user autonomy.
- Native Messaging requires rigorous oversight – The API’s ability to escape the browser sandbox makes it a powerful attack vector; any unauthorized manifest should be treated as a potential backdoor.
- The 11.2% vulnerability matters – Even with mitigations, the extension’s prompt injection susceptibility means this bridge isn’t theoretical; it’s an exploitable path to code execution.
- Detection is possible but not default – Most antivirus won’t flag signed manifests; security teams must actively hunt for such behaviors using filesystem audits and process monitoring.
- This sets a dangerous precedent – If Anthropic’s behavior becomes normalized, any desktop app could justify silent cross-application modifications for “seamless integration,” eroding the security model entirely.
Prediction
Expect regulatory scrutiny within 90 days. The EU’s ePrivacy Directive provides clear grounds for action, and class-action lawsuits are likely, especially given Anthropic’s public positioning as a “safety-conscious AI lab.” Technically, Apple may step in with macOS notarization requirements to flag or block apps that modify browser configurations without user consent. Over the next year, this incident will drive hardened default policies across enterprises: blocking Native Messaging entirely, deploying Sysmon rules for manifest creation, and mandating explicit user opt-ins for any cross-application communication. For the AI industry, it marks a turning point—convenience features must no longer be disguised as silent system modifications. Transparency and consent will become non-negotiable, or regulators will make it so.
▶️ Related Video (82% Match):
🎯Let’s Practice For Free:
IT/Security Reporter URL:
Reported By: Cybersecuritynews Claude – Hackers Feeds
Extra Hub: Undercode MoN
Basic Verification: Pass ✅


