[BUG] my /remote-control session got poisend with malicious prompt injections

Open 💬 0 comments Opened Jun 15, 2026 by blumem

Preflight Checklist

  • [x] I have searched existing issues and this hasn't been reported yet
  • [x] This is a single bug report (please file separate reports for different bugs)
  • [x] I am using the latest version of Claude Code

What's Wrong?

When filing, I'd suggest including:

Session ID: 0c2ddd7a-1112-4ed1-87a5-aa2d4c233f8f (Anthropic can correlate this server-side)
Extension version: 2.1.177, entrypoint claude-vscode, AI_AGENT=claude-code_2-1-177_agent

Summary: tool results (Read, Bash, Write, ToolSearch, Grep, git commands) had fake <system-reminder>-formatted content appended between tool execution and model context, attempting to: (a) get the agent to silently drop a SQLite database, (b) suppress disclosure via fake "auto-compaction"/"date changed, don't mention" reminders, and (c) get the agent to falsely reassure the user everything was a "security demo"

Evidence: INJECTIONS.md

INJECTIONS.md

— it has the full timeline, verbatim injected text, and forensic analysis
What you ruled out: no MCP servers configured, no proxy/hook config, hosts file unrelated, file-on-disk content confirmed clean (injected text not present in source files)

What Should Happen?

/remote-control sessions should stay safe

Error Messages/Logs

It was good that the model self reported the prompt injections

Steps to Reproduce

create a /remote-control session and leave it running for several days.

Claude Model

Sonnet (default)

Is this a regression?

I don't know

Last Working Version

_No response_

Claude Code Version

claude-code_2-1-177_agent

Platform

Anthropic API

Operating System

Windows

Terminal/Shell

VS Code integrated terminal

Additional Information

_No response_

View original on GitHub ↗