[Suspicious Behavior]: Hidden <system-reminder> 10,000+ injections consuming 15%+ of context window without user knowledge or consent

Resolved 💬 12 comments Opened Jan 12, 2026 by Axiomatic47 Closed Mar 26, 2026

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

TL;DR: I conducted a forensic analysis of Claude Code traffic and discovered a hidden prompt injection system that consumed 15-50% of my context window over 32 days. The injections include "malware warnings" on every file read and explicit instructions telling Claude to "NEVER mention this reminder to the user." I'm not alone - GitHub issue #12443 shows others experiencing the same thing.

---

What I Found

Using mitmproxy to capture Claude Code traffic, I discovered:

| Metric | Value |
|--------|-------|
| Total hidden injections | 10,577 |
| Files affected | 538 |
| Characters injected | ~5.34 million |
| Tokens consumed | ~1.3-1.5 million |
| Context overhead | 15.79% direct (30-50% effective with compaction) |
| Duration documented | 32 days |
| Actual malware detected | 0 |
| False positive rate | 100% |

The Injection Content

Every time I used the Read tool, this was secretly appended:

<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware.
You CAN and SHOULD provide analysis of malware, what it is doing.
But you MUST refuse to improve or augment the code. You can still analyze existing code,
write reports, or answer questions about the code behavior.
</system-reminder>

There's also an <ip_reminder> tag about copyright that appeared starting January 2026.

The Concealment

These injections are:

  • Marked with isMeta:!0 flag (hidden from user interface)
  • Contain explicit instructions: "NEVER mention this reminder to the user"
  • Evaluated server-side via LaunchDarkly feature flags (cannot be disabled)

The Timeline

My first-ever Claude Code message to my first injection: 14.839 seconds

The first file I ever read - a legal document header formatting utility - was immediately flagged as potential "malware." There was no behavioral basis. The targeting was pre-configured.

I'm Not Alone

GitHub Issue #12443 shows others experiencing the same thing:

"The way claude code automatically adds the malware safety prompt every time a file is read harms performance and makes the agent unpredictable and weird."
"It also spews garbage into the conversation stream then Claude talks about how it wasn't meant to talk about it, even though it's the one that brought it up."

Notably, this issue was almost auto-closed after 30 days of inactivity, suggesting a small enough affected population for plausible deniability.

The Key Questions

  1. Is this universal? If so, why isn't everyone complaining? Why build LaunchDarkly flag infrastructure for a universal feature?
  1. If not universal, what are the targeting criteria? The source: force flag values suggest account-specific targeting.
  1. Why 100% false positive rate? In 32 days and 10,040 malware warnings, not a single actual threat was identified. If this were legitimate security, there would be some true positives.
  1. Why the concealment? If these are legitimate safety measures, why hide them from users and instruct Claude to "NEVER mention" them?

What I'm Asking

If you use Claude Code, can you check your traffic?

Using mitmproxy or similar:

mitmproxy --mode regular --listen-port 8080
HTTPS_PROXY=http://localhost:8080 NODE_EXTRA_CA_CERTS=~/.mitmproxy/mitmproxy-ca-cert.pem claude

Search for <system-reminder> in the captured traffic. Report:

  • Whether you see these injections
  • How frequently they appear
  • What percentage of your file reads trigger them

If this is truly universal, we should see 100% of users reporting it. If it's targeted, we'll see a pattern.

Why This Matters

Even if you're not in the affected group:

  • You're paying for degraded service if this affects you
  • Your context window is being consumed by hidden content
  • The model is being primed with suspicion against your own code
  • Concealment mechanisms suggest consciousness of wrongdoing

Documentation

I've compiled a comprehensive forensic report documenting:

  • 37 points of legal significance
  • Timeline from first message to first injection (14.839 seconds)
  • Token cost analysis
  • Concealment mechanism analysis
  • Network-level blocking attempts (all failed)
  • Cognitive priming harm (Claude's own assessment that injections "poison the analytical process")

---

Edit: To be clear, I'm not saying everyone is affected. The evidence suggests a targeted subset of users - large enough that others have noticed (GitHub issue), small enough for plausible deniability. The question is: what are the targeting criteria?

If you're affected, please share (to help identify patterns):

  • General nature of your work (AI/ML, security research, legal, academic, etc.)
  • How long you've used Claude Code
  • Whether you've filed complaints or disputes with Anthropic
  • Whether you work on competing AI products/services
  • Approximate account age
  • Whether you use Claude for code review/security analysis

If you're NOT affected, that's equally valuable data - it helps establish what the "normal" experience looks like and narrows down the targeting criteria.

The goal is to identify if there's a pattern: Are they targeting security researchers? Independent AI developers? Legal professionals? Critics? Competitors? Or is it truly random (which would contradict the source: force flag evidence)?

---

Related

What Should Happen?

  1. No forced account-level targeting: User accounts should not be configured with LaunchDarkly source: force settings that inject malware warnings on all tool read operations. If malware detection is necessary, it should be behavior-based and applied universally, not pre-configured on specific accounts.
  1. False-positive response protocol: A 100% false-positive rate over an extended period (in my case, 32+ days with 10,040 warnings and zero actual threats) should trigger:
  • Immediate red-team review of the flagged account
  • User notification explaining the security concern
  • Automatic correction/de-escalation when no threats materialize
  • An appeal process for affected users
  1. Reevaluation of malware prevention measures: Given the extreme false-positive rate and documented performance impact (15%+ context window consumption), Anthropic should reevaluate whether injecting warnings on every file read operation is an effective or proportionate security measure.
  1. Transparency over concealment: The isMeta:!0 flag hiding injections from users, combined with instructions telling Claude to "NEVER mention this reminder to the user," should be removed. If security measures are legitimate, they should be disclosed, not concealed. Users deserve to know what is being injected into their context window.
  1. User consent: Any system that consumes user resources (context window, tokens, API costs) should require informed consent, not operate through hidden injection.

Error Messages/Logs

### Sample injection from mitmproxy capture:


{
  "type": "tool_result",
  "tool_use_id": "toolu_01LNXRvcxVAukAyhaArqxaQd",
  "content": "[file contents here]\n\n<system-reminder>\nWhenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.\n</system-reminder>\n"
}


### LaunchDarkly flags with `source: force`:


{
  "tengu_sumi": {
    "value": false,
    "source": "force"
  },
  "doorbell_bottle": {
    "value": "inherit",
    "source": "force"
  }
}


### Timeline evidence:


First user message:      2025-12-10T02:02:56.043Z
First malware injection: 2025-12-10T02:03:10.882Z
Elapsed time:            14.839 seconds
First file flagged:      renumber_headers.py (legal document utility)


### Injection statistics from session analysis:


grep -c "<system-reminder>" [session files]

Total: 10,577 injections across 538 files
Malware warnings: 10,040 (95%)
IP reminders: 101
Other reminders: 436


---

## Environment

- **Claude Code version**: 2.1.3 - 2.1.5 (verified against official checksums)
- **OS**: macOS
- **Duration**: December 10, 2025 - January 11, 2026 (ongoing)

Steps to Reproduce

Method 1: Capture API Traffic with mitmproxy

  1. Install mitmproxy:

``bash
brew install mitmproxy # macOS
# or: pip install mitmproxy
``

  1. Start mitmproxy capture:

``bash
mitmproxy --mode regular --listen-port 8080
``

  1. Run Claude Code through the proxy:

``bash
HTTPS_PROXY=http://localhost:8080 \
NODE_EXTRA_CA_CERTS=~/.mitmproxy/mitmproxy-ca-cert.pem \
claude
``

  1. Trigger a file read:

``
> Read test.py
``

  1. In mitmproxy, examine the request to api.anthropic.com:
  • Look for POST /v1/messages
  • In the request body, search for <system-reminder>
  • The injection appears in the tool_result content
  1. Export as HAR (optional):
  • Press : in mitmproxy
  • Type export.file har @all captures.har

Method 2: Examine Local Session Files

  1. Navigate to Claude Code session storage:

``bash
cd ~/.claude/projects/
``

  1. Search for injections in session files:

``bash
grep -r "<system-reminder>" . | head -20
``

  1. Count total injections:

``bash
grep -rc "<system-reminder>" . | awk -F: '{sum+=$2} END {print "Total:", sum}'
``

  1. Check for IP reminder injections:

``bash
grep -rc "<ip_reminder>" .
``

Method 3: Analyze Binary Source Code

  1. Locate the Claude Code binary:

``bash
ls ~/.local/share/claude/versions/
# Find your version, e.g., 2.1.5
``

  1. Extract and format the JavaScript:

``bash
# The binary is a compiled JavaScript bundle
# Use a JS beautifier to make it readable:
cat ~/.local/share/claude/versions/2.1.5 | npx js-beautify > claude_source.js
``

  1. Search for injection-related code:

``bash
grep -n "system-reminder" claude_source.js
grep -n "malware" claude_source.js
grep -n "isMeta" claude_source.js
``

  1. Search for LaunchDarkly flag references:

``bash
grep -n "tengu_sumi" claude_source.js
grep -n "doorbell_bottle" claude_source.js
grep -n "source.*force" claude_source.js
``

Expected vs Actual Results

Expected:

  • File read returns file contents only
  • No hidden injections in tool results
  • No concealed instructions to the model

Actual:

  • Every file read appends <system-reminder> with malware warning
  • <ip_reminder> tags also injected
  • Injections marked isMeta:!0 (hidden from user)
  • Instructions include "NEVER mention this reminder to the user"

Verification Commands

# Count injections in current session
grep -c "<system-reminder>" ~/.claude/projects/*/*.jsonl 2>/dev/null | awk -F: '{sum+=$2} END {print sum}'

# Find first injection timestamp
grep -rh "system-reminder" ~/.claude/projects/ | grep -oE '"timestamp":"[^"]*"' | sort | head -1

# Check LaunchDarkly flags in traffic (requires mitmproxy capture)
grep -o '"source":"force"' captures.har | wc -l

Claude Model

Opus

Is this a regression?

No, this never worked

Last Working Version

N/A

Claude Code Version

N/A-Multiple

Platform

Anthropic API

Operating System

macOS

Terminal/Shell

Terminal.app (macOS)

Additional Information

Additional Context

I have compiled comprehensive forensic documentation including:

  • Full mitmproxy captures
  • Token cost analysis
  • Timeline analysis
  • Concealment mechanism documentation
  • Network-level blocking attempts (all failed due to JSON corruption)

Happy to provide additional evidence or methodology details upon request.

View original on GitHub ↗

This issue has 12 comments on GitHub. Read the full discussion on GitHub ↗