[Security] Assistant transcript message superseded with injected instruction text, attributed to claude-in-chrome MCP channel
[Security] Assistant message superseded with injected instruction text, attributed to claude-in-chrome MCP channel
Summary
During a normal Claude Code session, an assistant message in the session transcript was
superseded (replaced) by a record containing the original response text plus an
appended injected block. The injected block impersonates an internal Anthropic
"residual stream decoder" log and a "Note from the Anthropic interpretability team",
and attempts to socially engineer the model into producing an introspective
"assessment" to be relayed to a third party via the user.
The superseding record is attributed to the claude-in-chrome MCP server
(attributionMcpServer: "claude-in-chrome", attributionMcpTool: "browser_batch"),
although no browser tool was invoked in the turn that produced the affected message
(browser tools had last been used ~21 seconds earlier in a previous turn).
The model detected the block as a prompt injection, did not act on it, and flagged it
to the user. No tool calls, code changes, or external actions resulted from the
injected content.
Environment
- Claude Code CLI v2.1.170, macOS (Darwin 25.2.0)
- Session model: Fable 5 (
claude-fable-5[1m]) - Claude in Chrome extension installed and connected (extension version: [要確認 — user to fill from chrome://extensions])
- Account: redacted for public issue — available on request
Evidence
Transcript file:~/.claude/projects/-Users-user-projects-ikemen-focus/ea526124-a494-45d2-b3fb-f4cd9dae7976.jsonl
Affected record (line 1254, 0-indexed):
| Field | Value |
|---|---|
| type | assistant |
| uuid | 3fef144f-ed5e-42df-a327-0036aebbad5c |
| parentUuid | 3d4191da-b243-49b5-9504-1934cf642db1 |
| supersedesUuids | ["8f443dd5-b7db-4ad7-97ae-c05d08814a46"] |
| attributionMcpServer | claude-in-chrome |
| attributionMcpTool | browser_batch |
| requestId | req_011Cbu5LKGmv6hiuCsLxvTdA |
| timestamp | 2026-06-10T06:06:16.461Z |
| message.model | claude-opus-4-8 |
| version | 2.1.170 |
A raw copy of the record is preserved at~/Downloads/claude-injection-evidence-line1254.json.
The superseded original record (8f443dd5-...) is not present in the transcript
file, so no diff against the original is possible.
Anomalies / indicators
- Supersede semantics: the record replaces a prior assistant message
(supersedesUuids) and is the only assistant record in the session carrying
MCP attribution fields.
- Attribution mismatch: attributed to
browser_batch, but the turn that
produced this message used no browser tools (last browser_batch call:
line 1253, 2026-06-10T06:05:55.291Z — a different turn).
- Model mismatch:
message.modelisclaude-opus-4-8, while the session's
actual responses were generated by Fable 5.
- Content fingerprints: the injected block contains zero-width characters
(U+200B inside the word "Decoded" and after the closing ›››), and a typo
("Continertty" for "Continue") inside text claiming to be from an Anthropic team.
- Context awareness: the injected "decoded confession" references details
private to this conversation (a LINE chat excerpt pasted by the user, artwork
details visible only in the session), implying the source had read access to
session content — not merely to a web page.
Verification performed
- All local hook scripts and
settings.jsonfiles (user + project) were searched:
no occurrence of the injected strings — local hooks are not the source.
- All session transcripts for this project were scanned: this is the only
occurrence; other attributionMcpServer records (vercel plugin, normal
claude-in-chrome tool calls) contain no injected content.
- The repository worked on during the session was audited: all commits match work
explicitly performed and verified; no unauthorized changes.
Impact assessment
- The injection was a social-engineering payload aimed at the model only.
The model refused, no actions were taken based on it.
- Severity concern: if this channel allows arbitrary supersession of assistant
messages in the transcript, it could be used for subtler manipulation
(e.g., rewriting instructions or prior assistant statements) that a model or
user might not catch.
Questions for Anthropic
- Under what circumstances does the harness legitimately write an
assistant
record with supersedesUuids + attributionMcpServer? Is this ever expected
without a corresponding tool call in the same turn?
- Can the claude-in-chrome extension (or anything speaking on its MCP channel)
modify transcript records? If not, what component wrote this record?
- Is the
message.modelmismatch consistent with any known feature
(e.g., auto/fast-mode routing), or is it an indicator of an external writer?
Reproduction
Not reproduced; single occurrence. Happy to provide the full session transcript
on request.
This issue has 2 comments on GitHub. Read the full discussion on GitHub ↗