Browser File System Access API lure — email walks you through granting a web page persistent read/write access to your Desktop / Documents / Downloads (2026 File-System-Access abuse)

Email walks the recipient through granting a malicious web page persistent read/write access to a local folder via the Browser File System Access API (showDirectoryPicker, showOpenFilePicker, showSaveFilePicker). Chrome, Edge, and Opera ship this API by default in 2024+, gated only by a single browser consent prompt. Attackers phrase the lure as a "sync setup", "file transfer", or "bundle pickup" and walk the user through steps 1, 2, 3: click the link, click Allow, pick your Desktop / Documents / Downloads. Once granted, the attacker page holds the FileSystemHandle for that folder and can silently read and overwrite every file in it — SSH keys, browser cookies, shell rc files, sensitive docs. Fires when the body contains picker-prompt language (click Allow, grant folder access, select your folder, showDirectoryPicker) AND a local folder name (Desktop, Documents, Downloads, Pictures, Videos, home, root). Excludes known cloud-storage vendors (Google Drive, Dropbox, OneDrive, iCloud, Box, Backblaze, Sync.com, Tresorit, Nextcloud, Owncloud) who legitimately use this API for sync setup, and newsletters / replies where the pattern is discussion rather than instruction.