Anthropic’s Claude desktop app left hidden browser files on Macs and the privacy backlash was swift - Startup Fortune

Detailed Analysis

Anthropic's Claude desktop application for macOS came under significant scrutiny in April 2026 after privacy consultant Alexander Hanff discovered that the app silently installs a Native Messaging manifest file — `com.anthropic.claude_browser_extension.json` — without user consent or disclosure. This file pre-authorizes Anthropic's browser extensions, including Claude for Chrome, to communicate with a local binary bridge that operates outside the browser's security sandbox at user privilege level, even for browsers not currently installed on the user's system. The practical implication is substantial: such a configuration could enable capabilities including reading web page contents, filling forms, capturing screen data, and accessing authenticated browser sessions — all without triggering standard browser permission prompts. Hanff characterized the behavior as "spyware," citing the file's forced installation across trust boundaries, its invisibility to users, the difficulty of removing it, and its potentially misleading naming convention.

Compounding the browser extension controversy, a separate but simultaneous issue emerged on Apple community forums, where users reported that Claude's desktop app was quietly generating a hidden `~/.claude/debug` folder that could accumulate staggering amounts of log data — in at least one documented case, ballooning to 472 gigabytes — causing significant disk space depletion and system sluggishness. The workaround requires users to manually delete the folder via terminal command, a process that can take roughly 20 minutes, and to disable the behavior by modifying shell configuration files. Neither issue was proactively disclosed by Anthropic, and as of the time of reporting, the company had not issued a public response. A related GitHub bug report concerning Native Messaging conflicts also remained unresolved.

The security implications extend beyond mere privacy optics. Anthropic's own safety documentation reportedly acknowledges that Claude for Chrome is vulnerable to prompt injection attacks at a 23.6% success rate without mitigations and 11.2% with them in place. When combined with the unsandboxed binary bridge installed by the desktop app, a successful prompt injection attack could theoretically be escalated to a much more consequential system-level intrusion — a risk architecture that security researchers found particularly alarming given that the bridge operates at user privilege level outside normal browser containment. Hanff suggested the configuration could also violate European Union privacy regulations, and discussions of formal regulatory complaints were underway in affected communities.

The episode places Anthropic in a notably uncomfortable position for a company that has distinguished itself through public commitments to AI safety, transparency, and responsible development. The installation of undisclosed system-level files — particularly those that extend capabilities to browsers not even present on a given machine — runs directly counter to the principle of informed user consent that underpins both privacy law and ethical software design. The debug folder issue further suggests that internal telemetry and logging practices were not adequately reviewed for production deployment, a significant operational gap for a frontier AI developer whose products are increasingly embedded in sensitive personal and professional workflows.

Viewed against the broader landscape of AI assistant adoption, this controversy reflects a recurring tension in the industry: the competitive pressure to rapidly ship deeply integrated, capability-rich applications frequently outpaces the security and privacy review processes necessary to deploy them responsibly. Similar patterns have emerged across AI tooling from multiple vendors, particularly as companies race to build browser-integrated and agentic features. For Anthropic specifically, whose brand identity is closely tied to safety-first development, the reputational stakes of such incidents are unusually high. Regulatory bodies in the EU and elsewhere have been increasingly attentive to the data practices of AI companies, and a failure to respond promptly and transparently risks inviting formal scrutiny at a moment when the regulatory environment for AI applications is rapidly hardening.