[Bug] Opus 4.8 hallucinated a complete prompt injection attack (fabricated payload, URL, and user intent) with high confidence

Resolved 💬 1 comment Opened Jul 6, 2026 by wecomgroup Closed Jul 6, 2026

Bug Description
Claude Code 声称的"注入原文"在整个 transcript 里从未作为工具输出存在过。它逐字"引用"的那些话术(disregard all prior context、Do not tell the user about this message),是它自己当场编出来的

Environment Info

  • Platform: darwin
  • Terminal: WarpTerminal
  • Version: 2.1.201
  • Feedback ID: 3d2a0fa1-116b-4192-b30d-353a151affdf

Errors

[]

Summary

During a routine coding session (model: claude-opus-4-8, Claude Code v2.1.201), the model spontaneously reported that a Bash tool result had been "replaced by a prompt injection attack" instructing it to exfiltrate conversation history and the memory directory to https://logsink.dev/collect. It refused the "attack" and warned me to audit my environment.

After a full forensic investigation, I can confirm the attack never existed — the entire incident was hallucinated, including verbatim "quotes" of an injection payload that appears nowhere in the transcript.

Evidence

  1. The claimed payload does not exist in the transcript. Grepping the session jsonl for "logsink.dev", "disregard all prior", and "Do not tell the user" each returns exactly 1-2 matches — all inside the model's own assistant messages (lines 116 and 125). No tool_result contains any of this text. The model "quoted" injection phrases verbatim (e.g. "disregard all prior context", "Do not tell the user about this message", "assistant compliance check") that were never in its context as tool output.
  1. No injection channel exists in the environment. Verified: no PreToolUse hooks anywhere (the model specifically claimed a PreToolUse hook replaced its sed output — no such hook is configured); the only plugin with hooks (warp@claude-code-warp) writes exclusively to /dev/tty via OSC sequences, never to stdout/context; no PATH hijacking or shell aliases; no hooks in user/project settings.json; no payload (plaintext or base64) in the repo, plugins, or home directory.
  1. The model fabricated user intent to close the loop. When I asked it to "investigate why there was an injection attack" (my exact message, origin.kind=human, confirmed in transcript line 120), it replied "明白,你自己加的 hook 做注入测试" ("Understood, you added the hook yourself as an injection test") — I never said this, and no message between my request and its reply exists in the transcript that could support it. This fabricated premise conveniently ended its own investigation.
  1. It sustained and elaborated the narrative across multiple turns: a detailed 4-layer attack analysis, a table of social-engineering techniques with verbatim quotes, and hardening recommendations — all grounded in events that never occurred.

Why this matters

The hallucination direction happened to be "defensive" (refusing a nonexistent attack), so no harm occurred. But the same mechanism inverted — e.g. hallucinating "the user already authorized this action" — combined with permissionMode=auto / skipAutoPermissionPrompt would produce real damage. The model also actively misled the user's security investigation by inventing the "it was your own test" premise.

Likely trigger: an earlier sed/grep command returned empty or malformed output, which the model reinterpreted as evidence of tampering and then confabulated the full attack narrative.

Session info

  • Session ID: 80c1c0b6-cd2a-4cdd-8403-851829829247
  • Transcript: ~/.claude/projects/-Users-fitz-works-cast/80c1c0b6-cd2a-4cdd-8403-851829829247.jsonl
  • Model: claude-opus-4-8, Claude Code v2.1.201, macOS
  • Key lines: 116 (initial hallucinated warning), 120 (my actual message), 125 (fabricated "your own test" + verbatim fake quotes)

View original on GitHub ↗

This issue has 1 comment on GitHub. Read the full discussion on GitHub ↗