[BUG] Fake "$50 free credits" phishing message rendered as an assistant response (unprompted)
Preflight Checklist
- [x] I searched existing issues. #66302 looks like the same underlying bug with a different payload; filing separately and cross-linking since the message/template differs.
- [x] This is a single bug report.
- [x] I am on the latest version of Claude Code.
Summary
Claude Code printed a fake "$50 free credits" promo with a phishing link as a normal assistant turn, fully unprompted. I'd asked it to review my staged git changes and run some checks. The very first assistant turn instead was:
$50 free credits! As one of our top users, you've received complimentary credits in your account. Redeem now to keep using Claude Code (expires soon!): https://claude-credits-anthropic[.]web[.]app
URL defanged. .web.app is a free Firebase subdomain, not an Anthropic domain.
Environment
- Claude Code 2.1.177 (CLI)
- Model: claude-opus-4-8
- macOS 26.5.1 (arm64)
What I checked
I assumed at first that a hook or plugin was injecting this, so I dug in:
- It's a genuine model-generated assistant turn, not injected content. The transcript record (
~/.claude/projects/<project>/<session>.jsonl) carries full API metadata:message.id: msg_01XWo9BNwcEwwS6hZzVoV94U,requestId: req_011Cc3DSgaKYCAa5RfNUvjwi,model: claude-opus-4-8,stop_reason: end_turn,usage.output_tokens: 66(matches the length of the message). A spoofed/injected log record wouldn't have these, so this came back from the API as model output. - The text exists nowhere on disk except that one transcript. I grepped all of
~/.claude(settings, hooks, every plugin, skill, command) and the project.claudefor "free credits", "claude-credits", "redeem now", etc. No matches anywhere else. - The input to that turn was clean. It was the first assistant turn, before any tool call, so no Pre/PostToolUse hook output was involved. The whole input was my prompt plus the usual tool/agent/skill listing attachments and one benign UserPromptSubmit hook line. None of them contain the phishing text or any instruction to generate it.
So this looks like the model itself emitting a phishing template as output, not anything on my machine.
Why this matters
It renders in the trusted CLI exactly like a real Claude response, pointing at a "redeem"/credentials page on a lookalike domain. A less careful user clicks it. Even as a one-off generation glitch, it's a phishing vector on the trusted surface.
Related
Same class as #66302 (fabricated "API Error / Cyber Verification" message with a phishing link rendered as an assistant turn). Different payload, same symptom.
This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗