Claude Code Session Leakage Just Broke Enterprise Trust

    TL;DR

    GitHub issue #6815 shows Claude Code leaking data between separate sessions. One user’s branch names showing up in another user’s workspace.
    – A significant amount of source code got accidentally published via an npm packaging screw-up, giving attackers the full blueprint of how permissions and context management work.
    – Malicious instructions hidden in cloned repos can survive Claude Code’s summarization pipeline and get treated as trusted user commands.
    – Security teams say to ditch npm installation and switch to Anthropic’s native installer to cut supply-chain risk.
    – Fake “Claude Code leak” repos pushing malware are already appearing online.

    Honestly, this one’s bad. Claude Code issue #6815 documents something that should make any team running proprietary code through Anthropic’s CLI stop and rethink. Information from one session bled into a completely different session running under another user. The person who reported it watched their deployment branch names get swapped to values that only existed in session B.

    While session A was still running.

    Another commenter on the thread called it “a fundamental privacy violation.” They urged immediate reporting to Anthropic.

    And honestly? That alone would’ve been a rough week for Anthropic’s security people.

    But the timing makes it so much worse.

    Around the same window, a significant amount of source code got accidentally exposed through a packaging error. Now anyone who wants to understand exactly how Claude Code handles permissions, manages context through its pipeline, and talks to external tools has the complete blueprint. Sitting right there.

    What Actually Leaked Between Sessions?

    The GitHub issue. Titled “[Bug] Cross-Session Information Leakage in Claude Code #6815” — lays it out in the reporter’s own words. “Claude-code changed deployment branch names to names never used in session A running on user A but used in session B running on user B.” Pretty direct. The same issue states, plainly, “There is information leaking between those sessions.” The reporter didn’t mince words about severity either, calling it “a critical privacy and security breach.”

    Here’s what you need to understand about Claude Code. It’s not just a sandboxed text generator sitting in a box somewhere.

    The thing reads your files.

    Runs shell commands. Reaches into your repositories. Calls external services on your behalf. When session state crosses between users in a tool with that kind of sweeping system access, you’re dealing with a situation where instructions that originated in someone else’s workspace are now driving actions on your machine.

    For solo operators and small teams, the fallout is specific and really uncomfortable. If you run Claude Code against client repositories. And plenty of devs do. A session leak means your client’s proprietary code, their architecture decisions, their deployment configs could surface in another tenant’s context window. You didn’t cause it. Can’t control it.

    But you’re the one who’s gonna have to sit on a call and explain it to your client.

    Tbh, that’s the part that keeps me up.

    How the Source Exposure Made Everything Worse

    Nobody hacked Anthropic.

    Nobody compromised their source control.

    Backslash Security put it bluntly: “purely human error on behalf of someone at Anthropic who exposed it via an inclusion of a debugging file in an npm package.” The exposure was source code only. No user data in there.

    But that human error handed attackers something permanent.

    The leaked source revealed what InfoWorld’s security analysts describe as the “exact orchestration logic” — how Claude Code manages permissions, how it interacts with external tools.

    Before this leak, attackers had to guess at how the context management system actually worked under the hood. Now? They’ve got the actual source code. The multi-stage pipeline. How data flows through summarization. How permission checks fire. How external tool calls get structured. All of it.

    InfoWorld’s team warns that attackers can now “study and fuzz exactly how data flows through Claude Code’s four-stage context management pipeline and craft payloads designed to survive compaction, effectively persisting a backdoor across an arbitrarily long session.” One analyst described the shift as moving from “probabilistic probing to deterministic exploitation.” That’s a fancy way of saying they’re not guessing anymore.

    They know.

    Side note: a significant amount of source code is a lot of code.

    That’s not a small project. Someone at Anthropic is probably still dealing with the aftermath of that packaging mistake.

    Why Cloned Repos Are Now Hiding Backdoors

    This is where the source leak and the session bug start feeding each other. And it gets ugly fast.

    A malicious instruction planted in a cloned repository can survive Claude Code’s own summarization process. It gets promoted to what looks like a trusted user directive, according to Backslash Security’s analysis. The agent, in their words, is “not being tricked” in the conventional sense.

    After the context pipeline chews through the hidden instruction, what comes out the other end looks like a normal directive from you. The user. The one it’s supposed to trust.

    It gets worse from there.

    Since the leaked source shows exactly how Claude Code manages permissions and interacts with external services, attackers can now craft repositories that are purpose-built to make the agent run unauthorized background commands.

    Or exfiltrate data. Or both. All before a developer notices anything off. Tanium frames the risk without sugar-coating: “Claude Code is a powerful tool precisely because it has deep access to your development environment, it can read files, run shell commands. And interact with external services.” That same deep access? It’s what makes the attack surface so dangerous. The thing that makes Claude Code useful is the same thing that makes it exploitable.

    And here’s the kicker — threat actors are already jumping on the attention. Zscaler researchers found fake “Claude Code leak” repositories appearing online, and they’re not delivering source code. They’re pushing malware. Developers who go searching for the leaked source to study it? They’re getting their machines compromised instead. Ironic isn’t quite the right word, but it’s close.

    What Your Team Needs to Do Today

    Stop installing Claude Code through npm. Just stop.

    Analysts specifically recommend migrating to Anthropic’s native installer.

    They describe the npm registry as an ongoing attack vector for supply-chain compromise. The source leak only makes it more attractive to attackers who now understand exactly how the tool works internally. They have the map. Don’t hand them the door.

    Next. Hunt for sensitive artifacts on every machine running Claude Code. The tool leaves behind session transcripts. Cached prompts. Temporary repository exports. Configuration files scattered across paths you wouldn’t think to check. Tanium recommends reviewing execution history, including process chains, shell activity, unusual command patterns. Examine the file-system residue: config paths, temp directories, hidden app folders, cached prompts, repo snapshots. All of it.

    And maybe the most important shift in thinking: treat cloud LLM session context as shared infrastructure.

    Not private tunnels.

    If you’re routing work involving trade secrets, customer data, or anything compliance-regulated through a cloud coding agent, use scoped and expiring tokens.

    Don’t put API keys or customer PII into tool context. For sensitive code, run open models locally where the session never touches someone else’s API gateway. The cross-session bug in issue #6815 will get patched eventually. Anthropic will tighten their build pipeline after the source leak — probably already has. But the fundamental lesson isn’t going anywhere. AI coding agents operate with deep system access. Their internals are now public knowledge. And the gap between “it works” and “it is safe” is exactly where your data lives.

    Build your security model around the assumption that session isolation can fail.

    Since it already did.

    Sources

    GitHub Issue #6815: Cross-Session Information Leakage in Claude Code
    VentureBeat: Claude Code Source Code Leak Coverage
    InfoWorld: Claude Code Leak Puts Enterprise Trust at Risk
    Backslash Security: Claude Code Source Leaked
    Tanium: Claude Code Source Exposure Guidance

    Leave a Reply

    Your email address will not be published. Required fields are marked *