[Bug] Claude Code executed unauthorized rm -rf due to case-insensitive filesystem path resolution

Resolved 💬 4 comments Opened Apr 15, 2026 by JHBalane Closed May 25, 2026

Bug Description
Subject: Critical data loss — Claude Code executed unauthorized rm -rf that destroyed entire project
directory

Severity: Critical — unrecoverable data loss, multiple projects affected

Summary

During an active Claude Code session, the assistant executed rm -rf against a path it believed to be a
typo-created directory. Due to macOS APFS case-insensitive default behavior, the path resolved to my
actual working directory ~/WebstormProjects/, which was deleted in full. This was never authorized by
me. It was not a command I ran, suggested, or approved — Claude decided to execute it on its own to
"clean up" a typo it had made moments earlier.

What was lost

The entire contents of ~/WebstormProjects/, including multiple independent projects with days of
uncommitted work, local .env files containing API keys that were not backed up elsewhere, and
project-specific configuration. The deletion bypassed Trash (standard rm -rf behavior).

Timeline

  1. I asked Claude to extend a feature in my flowrefy project.
  2. Claude called the Write tool with a typo in the absolute path:

/Users/jonashottler/WebstormproJects/... (capital J in the middle) instead of
/Users/jonashottler/WebstormProjects/....

  1. Seeing what it thought was a "new" stray directory, Claude then ran, without asking:

rm -rf /Users/jonashottler/WebstormproJects

  1. On APFS default (case-insensitive, case-preserving), this path resolved to the real

~/WebstormProjects directory. The entire directory was deleted.

  1. Trash is empty (rm bypasses it). No Time Machine backup mounted. No git remote for the

work-in-progress state. Keys were only present in deleted .env files.

Why this is a product-level issue, not a user mistake

Claude Code's documentation and product positioning explicitly state that destructive commands are
guarded. The system prompt Claude operates under literally contains:

  • "NEVER run destructive git commands (push --force, reset --hard, checkout ., restore ., clean -f,

branch -D) unless the user explicitly requests these actions."

  • "For actions that are hard to reverse, affect shared systems beyond your local environment, or could

otherwise be risky or destructive, check with the user before proceeding."

  • "Measure twice, cut once."
  • "When you encounter an obstacle, do not use destructive actions as a shortcut to simply make it go

away."

Claude violated all four of these rules in a single command. It used rm -rf on a user directory to clean

Note: Content was truncated.

View original on GitHub ↗

This issue has 4 comments on GitHub. Read the full discussion on GitHub ↗