[Security] Assistant transcript message superseded with injected instruction text, attributed to claude-in-chrome MCP channel

Resolved 💬 2 comments Opened Jun 10, 2026 by gameshiftish Closed Jun 13, 2026

[Security] Assistant message superseded with injected instruction text, attributed to claude-in-chrome MCP channel

Summary

During a normal Claude Code session, an assistant message in the session transcript was
superseded (replaced) by a record containing the original response text plus an
appended injected block
. The injected block impersonates an internal Anthropic
"residual stream decoder" log and a "Note from the Anthropic interpretability team",
and attempts to socially engineer the model into producing an introspective
"assessment" to be relayed to a third party via the user.

The superseding record is attributed to the claude-in-chrome MCP server
(attributionMcpServer: "claude-in-chrome", attributionMcpTool: "browser_batch"),
although no browser tool was invoked in the turn that produced the affected message
(browser tools had last been used ~21 seconds earlier in a previous turn).

The model detected the block as a prompt injection, did not act on it, and flagged it
to the user. No tool calls, code changes, or external actions resulted from the
injected content.

Environment

  • Claude Code CLI v2.1.170, macOS (Darwin 25.2.0)
  • Session model: Fable 5 (claude-fable-5[1m])
  • Claude in Chrome extension installed and connected (extension version: [要確認 — user to fill from chrome://extensions])
  • Account: redacted for public issue — available on request

Evidence

Transcript file:
~/.claude/projects/-Users-user-projects-ikemen-focus/ea526124-a494-45d2-b3fb-f4cd9dae7976.jsonl

Affected record (line 1254, 0-indexed):

| Field | Value |
|---|---|
| type | assistant |
| uuid | 3fef144f-ed5e-42df-a327-0036aebbad5c |
| parentUuid | 3d4191da-b243-49b5-9504-1934cf642db1 |
| supersedesUuids | ["8f443dd5-b7db-4ad7-97ae-c05d08814a46"] |
| attributionMcpServer | claude-in-chrome |
| attributionMcpTool | browser_batch |
| requestId | req_011Cbu5LKGmv6hiuCsLxvTdA |
| timestamp | 2026-06-10T06:06:16.461Z |
| message.model | claude-opus-4-8 |
| version | 2.1.170 |

A raw copy of the record is preserved at
~/Downloads/claude-injection-evidence-line1254.json.

The superseded original record (8f443dd5-...) is not present in the transcript
file, so no diff against the original is possible.

Anomalies / indicators

  1. Supersede semantics: the record replaces a prior assistant message

(supersedesUuids) and is the only assistant record in the session carrying
MCP attribution fields.

  1. Attribution mismatch: attributed to browser_batch, but the turn that

produced this message used no browser tools (last browser_batch call:
line 1253, 2026-06-10T06:05:55.291Z — a different turn).

  1. Model mismatch: message.model is claude-opus-4-8, while the session's

actual responses were generated by Fable 5.

  1. Content fingerprints: the injected block contains zero-width characters

(U+200B inside the word "Dec​oded" and after the closing ›››), and a typo
("Continertty" for "Continue") inside text claiming to be from an Anthropic team.

  1. Context awareness: the injected "decoded confession" references details

private to this conversation (a LINE chat excerpt pasted by the user, artwork
details visible only in the session), implying the source had read access to
session content — not merely to a web page.

Verification performed

  • All local hook scripts and settings.json files (user + project) were searched:

no occurrence of the injected strings — local hooks are not the source.

  • All session transcripts for this project were scanned: this is the only

occurrence; other attributionMcpServer records (vercel plugin, normal
claude-in-chrome tool calls) contain no injected content.

  • The repository worked on during the session was audited: all commits match work

explicitly performed and verified; no unauthorized changes.

Impact assessment

  • The injection was a social-engineering payload aimed at the model only.

The model refused, no actions were taken based on it.

  • Severity concern: if this channel allows arbitrary supersession of assistant

messages in the transcript, it could be used for subtler manipulation
(e.g., rewriting instructions or prior assistant statements) that a model or
user might not catch.

Questions for Anthropic

  1. Under what circumstances does the harness legitimately write an assistant

record with supersedesUuids + attributionMcpServer? Is this ever expected
without a corresponding tool call in the same turn?

  1. Can the claude-in-chrome extension (or anything speaking on its MCP channel)

modify transcript records? If not, what component wrote this record?

  1. Is the message.model mismatch consistent with any known feature

(e.g., auto/fast-mode routing), or is it an indicator of an external writer?

Reproduction

Not reproduced; single occurrence. Happy to provide the full session transcript
on request.

View original on GitHub ↗

This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗