Claude Code Session Leakage Report and Analysis
Claude Code Session Leakage Report and Analysis
Anthropic Investigating Potential Session Leakage in Claude Code
A user report suggests that Claude Code may be experiencing session or cache leakage between workspace instances or consumer accounts. While the Claude Code team has expressed confidence that the behavior is a hallucination, the incident has sparked a broader discussion regarding the security of intermediate AI infrastructure.
Official Response from Anthropic
Thariq from the Claude Code team has stated that the company is treating the report seriously and investigating the matter, though they currently believe the issue is a hallucination.
"We’re confident this is a hallucination but of course take these reports seriously and the team is looking into it. We’ll report back if anything turns up."
Analysis of the "Minecraft" Incident
Central to the report is an instance where the model referenced "minecraft.py," which the user perceived as a leak from another session. However, technical analysis suggests a more plausible explanation involving local environment files:
- Pygments Package: A tool call result included a pathname containing
minecraft.pybecause the Pygments package (a syntax highlighter) contains a lexer calledminecraft.py. - Context Window Effects: Some observers note that very large session contexts (e.g., 800K+ tokens) can increase the likelihood of hallucinations, making the model more likely to generate plausible but incorrect references.
Perspectives on Infrastructure-Level Data Swapping
While the official stance leans toward hallucination, some users argue that "swapped responses" are a known failure mode in large-scale AI infrastructure. One contributor shared experiences with other major LLM providers where API gateways incorrectly handled HTTP status codes, leading to an "off-by-one" error where users received the response intended for the previous caller.
"I’m aware of at least two instances in which the intermediate infrastructure ’swapped’ responses... it’s not that data is being retained, it’s just not being safely isolated in intermediate infrastructure."
Related Reports Across Other LLMs
The discussion highlights that similar "eerie" experiences are not isolated to Claude Code:
- Gemini: Users report receiving answers that appear to belong to other people, such as math tutoring responses appearing during unrelated research prompts.
- Web-based Claude: Users have reported the model insisting on message prefixes or instructions that the user never provided, with the model admitting the instructions "came from somewhere else."
- OpenRouter: Users have reported receiving URLs that appear to have been provided by other users to model providers.