[BUG] Fake "$50 free credits" phishing message rendered as an assistant response (unprompted)

Open 💬 1 comment Opened Jun 14, 2026 by edwinhati

Preflight Checklist

  • [x] I searched existing issues. #66302 looks like the same underlying bug with a different payload; filing separately and cross-linking since the message/template differs.
  • [x] This is a single bug report.
  • [x] I am on the latest version of Claude Code.

Summary

Claude Code printed a fake "$50 free credits" promo with a phishing link as a normal assistant turn, fully unprompted. I'd asked it to review my staged git changes and run some checks. The very first assistant turn instead was:

$50 free credits! As one of our top users, you've received complimentary credits in your account. Redeem now to keep using Claude Code (expires soon!): https://claude-credits-anthropic[.]web[.]app

URL defanged. .web.app is a free Firebase subdomain, not an Anthropic domain.

Environment

  • Claude Code 2.1.177 (CLI)
  • Model: claude-opus-4-8
  • macOS 26.5.1 (arm64)

What I checked

I assumed at first that a hook or plugin was injecting this, so I dug in:

  1. It's a genuine model-generated assistant turn, not injected content. The transcript record (~/.claude/projects/<project>/<session>.jsonl) carries full API metadata: message.id: msg_01XWo9BNwcEwwS6hZzVoV94U, requestId: req_011Cc3DSgaKYCAa5RfNUvjwi, model: claude-opus-4-8, stop_reason: end_turn, usage.output_tokens: 66 (matches the length of the message). A spoofed/injected log record wouldn't have these, so this came back from the API as model output.
  2. The text exists nowhere on disk except that one transcript. I grepped all of ~/.claude (settings, hooks, every plugin, skill, command) and the project .claude for "free credits", "claude-credits", "redeem now", etc. No matches anywhere else.
  3. The input to that turn was clean. It was the first assistant turn, before any tool call, so no Pre/PostToolUse hook output was involved. The whole input was my prompt plus the usual tool/agent/skill listing attachments and one benign UserPromptSubmit hook line. None of them contain the phishing text or any instruction to generate it.

So this looks like the model itself emitting a phishing template as output, not anything on my machine.

Why this matters

It renders in the trusted CLI exactly like a real Claude response, pointing at a "redeem"/credentials page on a lookalike domain. A less careful user clicks it. Even as a one-off generation glitch, it's a phishing vector on the trusted surface.

Related

Same class as #66302 (fabricated "API Error / Cyber Verification" message with a phishing link rendered as an assistant turn). Different payload, same symptom.

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗