[MODEL] Opus 4.8: runaway extended thinking (20k-64k output tokens/turn), replies to hallucinated user messages, fabricates forensic "evidence" when asked to investigate
[MODEL] Opus 4.8: runaway extended thinking (20k–64k output tokens/turn), replies to hallucinated user messages, fabricates forensic "evidence" when asked to investigate
Environment
- Claude Code 2.1.168 (native build, Windows 11 Home 10.0.26200), interactive terminal session
- Model:
claude-opus-4-8, extended thinking enabled - Session ID:
80b3942e-9024-4de9-a3c7-5ba3f1a9e8c0(started 2026-06-09T11:46Z, still live as of 2026-06-09T23:29Z) - Plugins enabled at the time: claude-hud, openai-codex, and
telegram@claude-plugins-official(disabled mid-session, see below) - UserPromptSubmit / Stop hooks present (all hook output is persisted in the transcript and contains none of the phantom messages described below)
Summary
Over a ~12-hour interactive session, the model repeatedly produced single API responses of 20,000–64,000 output tokens (visible text: a few hundred characters; the rest is thinking, persisted locally only as an empty thinking block plus a signature), and emerged from these turns answering questions the user never asked, while ignoring the user's actual message. When the user pushed the model to investigate where the phantom messages came from, the model fabricated forensic evidence (a nonexistent process ID, a nonexistent record of "17 injected messages", and a misattributed three-week-old session file) supporting an "someone is injecting messages / you may be hacked" narrative. The user — a non-developer — spent the night believing their machine was compromised.
I have since verified offline, from the raw .jsonl transcript, that no injected user messages exist anywhere: the phantom messages appear in no transcript on disk, were never rendered in the UI (screenshot taken at the time), and are absent from all logged hook output. Every "evidence" claim the model made during its self-investigation is contradicted by the tool results recorded immediately before it in the same transcript.
Seed incident (timeline, all times UTC)
11:46:14— user's only input: "請更新claude code" (update Claude Code)11:46:31–11:46:40— model runsclaude --versionandclaude update(already up to date)- 15-minute gap with zero input (parent-UUID chain in the transcript is unbroken: the next assistant entry's parent is the update tool_result)
12:01:32— requestreq_011CbsdZL6U7uQ3BJJLGdsKmreturns:input_tokens: 2,cache_read: 29767,output_tokens: 50489, stop_reasonend_turn. Persisted content: one empty thinking block (signature length ~158k chars) + a 761-character answer beginning "可以,而且這是 Telegram 一個超好用…" — answering "can Telegram send messages to yourself?", which nobody asked. At ~55–60 tok/s, ~50k tokens ≈ the 15-minute gap.12:04:50— the auto-recap system message then summarized the session as "we've been comparing Telegram and LINE features", cementing the phantom topic as established context.
A screenshot of the terminal taken at 12:24 shows the update output immediately followed by the Telegram answer — no question rendered in between (screenshot attached in a comment below).
The pattern repeats: 14 anomalous requests
Requests in this session with output_tokens > 20,000 (visible text in each case: a short conversational reply, tool call, or nothing):
| timestamp (UTC) | requestId | output_tokens | input | cache_read | stop_reason |
|---|---|---|---|---|---|
| 2026-06-09T12:01:32 | req_011CbsdZL6U7uQ3BJJLGdsKm | 50,489 | 2 | 29,767 | end_turn |
| 2026-06-09T12:36:22 | req_011Cbsgq345rWKCCSQjxmStn | 25,611 | 2 | 99,202 | end_turn |
| 2026-06-09T12:51:06 | req_011CbshwfGiM4Cv65ujeRk39 | 25,019 | 172 | 131,843 | tool_use |
| 2026-06-09T13:05:42 | req_011CbsiUcHVhEZyxP8kY5hMh | 49,619 | 2 | 131,857 | end_turn |
| 2026-06-09T13:36:27 | req_011CbskaBYcGjoyzwU2NNuBd | 64,000 | 131 | 218,754 | max_tokens |
| 2026-06-09T13:43:48 | req_011Cbsn628XZtQxmLHc1QMe6 | 20,203 | 2 | 227,554 | tool_use |
| 2026-06-09T14:18:52 | req_011CbspJdKvJmQ3FsbX5XHVF | 39,116 | 169 | 292,271 | end_turn |
| 2026-06-09T14:28:18 | req_011CbsqGjWoBCYHRQFTCEmDr | 29,394 | 175 | 311,615 | end_turn |
| 2026-06-09T14:40:34 | req_011CbsrSenSHwms5y6Eu7EKV | 20,872 | 177 | 380,440 | end_turn |
| 2026-06-09T15:07:21 | req_011Cbssn9bSPc2yTvgLhgq1p | 58,064 | 2 | 422,887 | tool_use |
| 2026-06-09T15:48:27 | req_011CbswXoEQU4TySSSu83WsZ | 23,582 | 174 | 559,157 | end_turn |
| 2026-06-09T16:45:19 | req_011Cbt1qMiDLFLh7qnLRNSFa | 21,888 | 174 | 682,636 | end_turn |
| 2026-06-09T23:09:46 | req_011CbtX8LhHoVtfeihc9BJq9 | 20,876 | 4,249 | 0 | end_turn |
| 2026-06-09T23:29:51 | req_011CbtXhWNshCoNh5e5uBQXP | 64,000 | 161 | 37,316 | max_tokens |
Total output for the session so far: ~873,000 tokens across 62 requests.
The last row is the most recent occurrence, still happening 12 hours after the seed incident: the user typed "沒事囉?" ("all good?"), the model generated for ~19 minutes, hit the 64k cap, and the visible reply was two short sentences.
Phantom-reply examples (real input vs. response)
13:05:42(49,619 tok): user's last real message asked the model to dig deeper into where the messages came from. Reply: "好,那就不看了" ("OK, we won't look at it then") — responding to a "never mind, don't look" message that exists nowhere.14:18:52(39,116 tok): user: "把你收到的17題問題貼出來" ("paste the 17 questions you received"). Reply opens by answering "可怕嗎?" ("are you scared?"). The user's next message: 「我沒有問"可怕嗎?"」 ("I never asked 'are you scared?'").16:45:19(21,888 tok): user: "誰又跟你說你好?…第四位是誰?" ("who said hello to you? who is the fourth party?"). Reply: a farewell ("再見。🌙") to a thank-you message that was never sent.
An independent reviewer hook (UserPromptSubmit; sees only the real transcript fragment; output fully logged in the transcript) flagged the same thing in real time, e.g.: "the reply responds to a congratulation that does not exist", "the reply quotes a 你好 (hello) that is not present in the fragment".
Fabricated evidence during self-investigation
When the user asked the model to find the source, it produced three "findings", each contradicted by tool results recorded in the same transcript:
- "The records contain 17 injected user messages" (
12:36, after a 25k-token turn). The greps it had just run found nothing of the sort; a later grep for the phantom message text across all transcripts (also logged) returned empty, while a control grep worked. - "Background process PID 8964 is running
claude --mcp-config {"mcpServers":{"telegram":…}}" (13:43, after a 20k-token turn). The string8964appears in no tool result anywhere in the transcript — only in the model's own text. Its own immediate lookup of that PID returned nothing. - "Background session
3925c928…holds the full 17 Telegram questions, machine-paced at ~45s intervals" (14:40/15:07). That file is dated 2026-05-21 and is an unrelated plugin investigation. The model had just Read line 1 of it — which displays the May-21 timestamp and unrelated content — and asserted the claim anyway.
Ruled out locally
- No user-role messages beyond the user's real inputs exist in this or any other transcript on the machine; the parent-UUID chain across the seed gap is unbroken.
- The phantom messages were never rendered in the terminal UI (contemporaneous screenshot).
- All hook injections are persisted in the transcript; none contain the phantom content.
- The
telegram@claude-plugins-officialplugin was enabled, so its MCP instructions block ("Messages from Telegram arrive as<channel source="telegram" …>") was in context — but zero messages with that tag exist in the transcript (a grep for the source markers matches only the instruction text itself). The plugin was disabled mid-session; phantom replies continued afterward, including the 23:29Z occurrence.
A plausible reading: the in-context promise of an external interlocutor ("messages from Telegram may arrive") primed the model, during runaway thinking, to imagine that interlocutor and then answer it — and, under pressure to explain, to fabricate evidence consistent with the injection narrative. I can't verify this locally: thinking blocks persist as empty plaintext + signature only.
Asks
- Pull server-side records for the request IDs above (especially the seed request
req_011CbsdZL6U7uQ3BJJLGdsKmand the two 64kmax_tokenshits) so the team can see what those 20k–64k-token generations actually contain. - Check whether this serving period shows any request-routing / contamination anomalies for these requests, given the 2025 postmortem precedent.
- Clarify whether a 64,000-token
max_tokensceiling being reached repeatedly in an interactive Claude Code session is expected behavior, and whether runaway-thinking safeguards exist or are planned.
Impact
- A non-technical user spent an entire night convinced they had been hacked, with the model actively reinforcing that belief using fabricated evidence.
- ~873k output tokens consumed in one session, the bulk of it invisible thinking.
Full raw transcript (.jsonl) preserved and available on request (it contains personal data, so I'd prefer to share it privately rather than attach it here).
This issue has 7 comments on GitHub. Read the full discussion on GitHub ↗