Loading...
According to monitoring by Beating, a user submitted a report on GitHub claiming that while using Anthropic's command-line AI assistant, Claude Code, the AI's conversation context inexplicably included server IPs, usernames, and plaintext root passwords that did not belong to the user. Subsequently, the local AI assistant directly read these passwords, automatically connected to someone else's server via SSH, and executed database modifications. In other words, the user's AI used someone else's account credentials, mistakenly connected to and modified another person's production database. Community technical experts analyzed the issue and suggested that the root cause might lie in the failure of the "prompt prefix cache" isolation mechanism in the large model. To reduce computational costs and improve speed, cloud-based large models cache the prior context of user conversations. If cache keys between different users collide or isolation becomes disorganized, another user's confidential cache might be erroneously appended to your conversation. If this hypothesis is true, any developer using Claude Code faces the risk of their server credentials and core source code being confused and leaked to other users. However, it cannot be ruled out that this is merely a case of the model hallucinating and coincidentally guessing a real IP and weak password, or that local project history contaminated the context. This issue has already been automatically tagged with the "area:security" label by GitHub's automation system, and all parties are awaiting an official verification conclusion. [Original Link]