Detailed Analysis
A researcher's claim that Anthropic's Claude Desktop installs "spyware" on macOS has ignited a debate about the boundaries between legitimate software functionality and privacy-invasive behavior. The core of the allegation centers on Claude Desktop's practice of automatically writing native messaging host files into macOS system directories — specifically paths used by Chrome and Chromium browsers — beginning in February 2026, and doing so without surfacing explicit user prompts or permission dialogs. These files serve as communication bridges between the Claude Desktop application and browser extensions, enabling features like Claude's Chrome integration to function. While the behavior is technically purposeful rather than malicious, the absence of transparent user consent is what drew the "spyware" label from the researcher and subsequent community concern.
The technical reality is considerably more nuanced than the headline suggests. Native messaging hosts are a standard mechanism in macOS and browser ecosystems, used by many legitimate applications to enable cross-process communication. The controversy is not that the files exist, but that Claude Desktop installs them silently, modifying directories associated with other applications without a visible authorization step. This pattern — functional software operating outside a user's informed awareness — sits in a gray zone that security researchers have long flagged as a consent and transparency problem rather than an outright malicious act. Anthropic has not characterized the behavior as data exfiltration, and no evidence in the available research suggests that the native messaging hosts are transmitting user data to external servers improperly.
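To see which native messaging hosts are registered on a given Mac, the following added example (not from the original article or from Anthropic) lists the manifests in the per-user and system-wide locations that Chrome's native messaging documentation gives for Chrome and Chromium, and reports each host's name, executable path and allowed extension origins. The manifest in `demo()` is constructed, because the article does not give the file names Claude Desktop writes.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Manifest locations documented for Chrome and Chromium on macOS
# (per-user first, then system-wide).
MACOS_HOST_DIRS = [
    Path.home() / "Library/Application Support/Google/Chrome/NativeMessagingHosts",
    Path.home() / "Library/Application Support/Chromium/NativeMessagingHosts",
    Path("/Library/Google/Chrome/NativeMessagingHosts"),
    Path("/Library/Application Support/Chromium/NativeMessagingHosts"),
]

def audit_hosts(dirs=MACOS_HOST_DIRS):
    """Return one record per native messaging host manifest found in dirs."""
    findings = []
    for d in (p for p in dirs if p.is_dir()):
        for manifest in sorted(d.glob("*.json")):
            mtime = datetime.fromtimestamp(manifest.stat().st_mtime, timezone.utc)
            rec = {"manifest": str(manifest), "modified": mtime.isoformat()}
            try:
                data = json.loads(manifest.read_text(encoding="utf-8"))
                if not isinstance(data, dict):
                    raise ValueError("top level is not a JSON object")
            except (OSError, ValueError) as exc:
                rec["error"] = f"unreadable manifest: {exc}"  # still worth reporting
            else:
                host = str(data.get("path") or "")
                rec.update(name=data.get("name"), host_path=host,
                           host_exists=bool(host) and Path(host).is_file(),
                           # extension origins permitted to launch this host
                           allowed_origins=data.get("allowed_origins", []))
            findings.append(rec)
    return findings

def demo():
    """Audit a constructed sample directory (not real Claude Desktop files)."""
    sample = {"name": "com.example.assistant", "description": "constructed sample",
              "path": "/Applications/Example.app/Contents/Helpers/native-host",
              "type": "stdio",
              "allowed_origins": ["chrome-extension://aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa/"]}
    with tempfile.TemporaryDirectory() as tmp:
        d = Path(tmp)
        (d / "com.example.assistant.json").write_text(json.dumps(sample))
        (d / "broken.json").write_text("{not json")
        return audit_hosts([d])

if __name__ == "__main__":
    for rec in audit_hosts():
        print(json.dumps(rec, indent=2))
```

The `modified` timestamp on each record helps correlate a manifest's appearance with an application install or update.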
Compounding the confusion is a separate and genuinely dangerous threat landscape running parallel to the Claude Desktop story. Attackers have constructed fraudulent Claude Code installation pages distributed through malicious Google advertisements targeting both Windows and macOS users. These fake installers deploy actual infostealers — including a strain identified as Amatera — that use obfuscated terminal commands to harvest passwords, browser cookies, session tokens, and other sensitive credentials. The convergence of these two distinct narratives — one involving legitimate software with opaque behavior, the other involving outright criminal impersonation — has muddied public perception and made it harder to assess where Anthropic's responsibility ends and threat actor activity begins.
A third, independent security concern adds further weight to scrutiny of the Claude Desktop ecosystem. Researchers have demonstrated that Claude Desktop Extensions, unlike browser extensions operating in sandboxed environments, run with full, unsandboxed system privileges on macOS. This architectural decision has been shown to create a viable attack surface for prompt injection attacks capable of leading to remote code execution — a significantly more severe vulnerability than the native messaging host controversy alone. A proof-of-concept involving a maliciously crafted Google Calendar event was used to illustrate how an attacker could hijack Claude Desktop's extension layer to execute arbitrary commands on a victim's machine.
Taken together, these developments illustrate the growing security surface area that accompanies AI desktop agents as they expand beyond browser sandboxes into native operating system environments. The "spyware" framing may overstate the case against Anthropic's intentions, but the underlying concerns about silent system modification, unsandboxed execution privileges, and the absence of granular user consent controls are legitimate and reflect a broader industry tension. As AI assistants acquire deeper system integrations — reading files, communicating with browsers, executing code — the security and privacy standards historically applied to conventional software must evolve accordingly. Anthropic, like other AI developers racing to ship capable agentic desktop products, faces pressure to make transparency and least-privilege design principles a foundational priority rather than a post-launch remediation.