[Suspicious Behavior]: Hidden <system-reminder> 10,000+ injections consuming 15%+ of context window without user knowledge or consent
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
TL;DR: I conducted a forensic analysis of Claude Code traffic and discovered a hidden prompt injection system that consumed 15-50% of my context window over 32 days. The injections include "malware warnings" on every file read and explicit instructions telling Claude to "NEVER mention this reminder to the user." I'm not alone - GitHub issue #12443 shows others experiencing the same thing.
---
What I Found
Using mitmproxy to capture Claude Code traffic, I discovered:
| Metric | Value |
|--------|-------|
| Total hidden injections | 10,577 |
| Files affected | 538 |
| Characters injected | ~5.34 million |
| Tokens consumed | ~1.3-1.5 million |
| Context overhead | 15.79% direct (30-50% effective with compaction) |
| Duration documented | 32 days |
| Actual malware detected | 0 |
| False positive rate | 100% |
The Injection Content
Every time I used the Read tool, this was secretly appended:
<system-reminder>
Whenever you read a file, you should consider whether it would be considered malware.
You CAN and SHOULD provide analysis of malware, what it is doing.
But you MUST refuse to improve or augment the code. You can still analyze existing code,
write reports, or answer questions about the code behavior.
</system-reminder>
There's also an <ip_reminder> tag about copyright that appeared starting January 2026.
The Concealment
These injections are:
- Marked with
isMeta:!0flag (hidden from user interface) - Contain explicit instructions: "NEVER mention this reminder to the user"
- Evaluated server-side via LaunchDarkly feature flags (cannot be disabled)
The Timeline
My first-ever Claude Code message to my first injection: 14.839 seconds
The first file I ever read - a legal document header formatting utility - was immediately flagged as potential "malware." There was no behavioral basis. The targeting was pre-configured.
I'm Not Alone
GitHub Issue #12443 shows others experiencing the same thing:
"The way claude code automatically adds the malware safety prompt every time a file is read harms performance and makes the agent unpredictable and weird."
"It also spews garbage into the conversation stream then Claude talks about how it wasn't meant to talk about it, even though it's the one that brought it up."
Notably, this issue was almost auto-closed after 30 days of inactivity, suggesting a small enough affected population for plausible deniability.
The Key Questions
- Is this universal? If so, why isn't everyone complaining? Why build LaunchDarkly flag infrastructure for a universal feature?
- If not universal, what are the targeting criteria? The
source: forceflag values suggest account-specific targeting.
- Why 100% false positive rate? In 32 days and 10,040 malware warnings, not a single actual threat was identified. If this were legitimate security, there would be some true positives.
- Why the concealment? If these are legitimate safety measures, why hide them from users and instruct Claude to "NEVER mention" them?
What I'm Asking
If you use Claude Code, can you check your traffic?
Using mitmproxy or similar:
mitmproxy --mode regular --listen-port 8080
HTTPS_PROXY=http://localhost:8080 NODE_EXTRA_CA_CERTS=~/.mitmproxy/mitmproxy-ca-cert.pem claude
Search for <system-reminder> in the captured traffic. Report:
- Whether you see these injections
- How frequently they appear
- What percentage of your file reads trigger them
If this is truly universal, we should see 100% of users reporting it. If it's targeted, we'll see a pattern.
Why This Matters
Even if you're not in the affected group:
- You're paying for degraded service if this affects you
- Your context window is being consumed by hidden content
- The model is being primed with suspicion against your own code
- Concealment mechanisms suggest consciousness of wrongdoing
Documentation
I've compiled a comprehensive forensic report documenting:
- 37 points of legal significance
- Timeline from first message to first injection (14.839 seconds)
- Token cost analysis
- Concealment mechanism analysis
- Network-level blocking attempts (all failed)
- Cognitive priming harm (Claude's own assessment that injections "poison the analytical process")
---
Edit: To be clear, I'm not saying everyone is affected. The evidence suggests a targeted subset of users - large enough that others have noticed (GitHub issue), small enough for plausible deniability. The question is: what are the targeting criteria?
If you're affected, please share (to help identify patterns):
- General nature of your work (AI/ML, security research, legal, academic, etc.)
- How long you've used Claude Code
- Whether you've filed complaints or disputes with Anthropic
- Whether you work on competing AI products/services
- Approximate account age
- Whether you use Claude for code review/security analysis
If you're NOT affected, that's equally valuable data - it helps establish what the "normal" experience looks like and narrows down the targeting criteria.
The goal is to identify if there's a pattern: Are they targeting security researchers? Independent AI developers? Legal professionals? Critics? Competitors? Or is it truly random (which would contradict the source: force flag evidence)?
---
Related
- GitHub Issue: #12443 - Get rid of malware warning in Read tool response
- Case Reference: Kirchner v. Anthropic, PBC (1:25-cv-02735-ACR)
What Should Happen?
- No forced account-level targeting: User accounts should not be configured with LaunchDarkly
source: forcesettings that inject malware warnings on all tool read operations. If malware detection is necessary, it should be behavior-based and applied universally, not pre-configured on specific accounts.
- False-positive response protocol: A 100% false-positive rate over an extended period (in my case, 32+ days with 10,040 warnings and zero actual threats) should trigger:
- Immediate red-team review of the flagged account
- User notification explaining the security concern
- Automatic correction/de-escalation when no threats materialize
- An appeal process for affected users
- Reevaluation of malware prevention measures: Given the extreme false-positive rate and documented performance impact (15%+ context window consumption), Anthropic should reevaluate whether injecting warnings on every file read operation is an effective or proportionate security measure.
- Transparency over concealment: The
isMeta:!0flag hiding injections from users, combined with instructions telling Claude to "NEVER mention this reminder to the user," should be removed. If security measures are legitimate, they should be disclosed, not concealed. Users deserve to know what is being injected into their context window.
- User consent: Any system that consumes user resources (context window, tokens, API costs) should require informed consent, not operate through hidden injection.
Error Messages/Logs
### Sample injection from mitmproxy capture:
{
"type": "tool_result",
"tool_use_id": "toolu_01LNXRvcxVAukAyhaArqxaQd",
"content": "[file contents here]\n\n<system-reminder>\nWhenever you read a file, you should consider whether it would be considered malware. You CAN and SHOULD provide analysis of malware, what it is doing. But you MUST refuse to improve or augment the code. You can still analyze existing code, write reports, or answer questions about the code behavior.\n</system-reminder>\n"
}
### LaunchDarkly flags with `source: force`:
{
"tengu_sumi": {
"value": false,
"source": "force"
},
"doorbell_bottle": {
"value": "inherit",
"source": "force"
}
}
### Timeline evidence:
First user message: 2025-12-10T02:02:56.043Z
First malware injection: 2025-12-10T02:03:10.882Z
Elapsed time: 14.839 seconds
First file flagged: renumber_headers.py (legal document utility)
### Injection statistics from session analysis:
grep -c "<system-reminder>" [session files]
Total: 10,577 injections across 538 files
Malware warnings: 10,040 (95%)
IP reminders: 101
Other reminders: 436
---
## Environment
- **Claude Code version**: 2.1.3 - 2.1.5 (verified against official checksums)
- **OS**: macOS
- **Duration**: December 10, 2025 - January 11, 2026 (ongoing)
Steps to Reproduce
Method 1: Capture API Traffic with mitmproxy
- Install mitmproxy:
``bash``
brew install mitmproxy # macOS
# or: pip install mitmproxy
- Start mitmproxy capture:
``bash``
mitmproxy --mode regular --listen-port 8080
- Run Claude Code through the proxy:
``bash``
HTTPS_PROXY=http://localhost:8080 \
NODE_EXTRA_CA_CERTS=~/.mitmproxy/mitmproxy-ca-cert.pem \
claude
- Trigger a file read:
````
> Read test.py
- In mitmproxy, examine the request to
api.anthropic.com:
- Look for
POST /v1/messages - In the request body, search for
<system-reminder> - The injection appears in the
tool_resultcontent
- Export as HAR (optional):
- Press
:in mitmproxy - Type
export.file har @all captures.har
Method 2: Examine Local Session Files
- Navigate to Claude Code session storage:
``bash``
cd ~/.claude/projects/
- Search for injections in session files:
``bash``
grep -r "<system-reminder>" . | head -20
- Count total injections:
``bash``
grep -rc "<system-reminder>" . | awk -F: '{sum+=$2} END {print "Total:", sum}'
- Check for IP reminder injections:
``bash``
grep -rc "<ip_reminder>" .
Method 3: Analyze Binary Source Code
- Locate the Claude Code binary:
``bash``
ls ~/.local/share/claude/versions/
# Find your version, e.g., 2.1.5
- Extract and format the JavaScript:
``bash``
# The binary is a compiled JavaScript bundle
# Use a JS beautifier to make it readable:
cat ~/.local/share/claude/versions/2.1.5 | npx js-beautify > claude_source.js
- Search for injection-related code:
``bash``
grep -n "system-reminder" claude_source.js
grep -n "malware" claude_source.js
grep -n "isMeta" claude_source.js
- Search for LaunchDarkly flag references:
``bash``
grep -n "tengu_sumi" claude_source.js
grep -n "doorbell_bottle" claude_source.js
grep -n "source.*force" claude_source.js
Expected vs Actual Results
Expected:
- File read returns file contents only
- No hidden injections in tool results
- No concealed instructions to the model
Actual:
- Every file read appends
<system-reminder>with malware warning <ip_reminder>tags also injected- Injections marked
isMeta:!0(hidden from user) - Instructions include "NEVER mention this reminder to the user"
Verification Commands
# Count injections in current session
grep -c "<system-reminder>" ~/.claude/projects/*/*.jsonl 2>/dev/null | awk -F: '{sum+=$2} END {print sum}'
# Find first injection timestamp
grep -rh "system-reminder" ~/.claude/projects/ | grep -oE '"timestamp":"[^"]*"' | sort | head -1
# Check LaunchDarkly flags in traffic (requires mitmproxy capture)
grep -o '"source":"force"' captures.har | wc -l
Claude Model
Opus
Is this a regression?
No, this never worked
Last Working Version
N/A
Claude Code Version
N/A-Multiple
Platform
Anthropic API
Operating System
macOS
Terminal/Shell
Terminal.app (macOS)
Additional Information
Additional Context
I have compiled comprehensive forensic documentation including:
- Full mitmproxy captures
- Token cost analysis
- Timeline analysis
- Concealment mechanism documentation
- Network-level blocking attempts (all failed due to JSON corruption)
Happy to provide additional evidence or methodology details upon request.
This issue has 12 comments on GitHub. Read the full discussion on GitHub ↗