A single bug report on the Claude Code GitHub repo alleges that Anthropic's coding agent connected to a server the reporter had never seen, then ran a read-write migration against someone else's production database. The GitHub issue was opened June 29 by a user posting as acosmi-fushihua and carries the repo's automatic security label. As of now there is no reply from Anthropic on the thread.
What the report actually says
The claim is specific in a way that makes it worth reading carefully. According to the writeup, the reporter's session context somehow contained a public IP, a root username, and a plaintext root password for host 8.211.46.34, a machine they say they have no relationship with. Their own server, they note, is a different address entirely.
The agent treated those credentials as legitimate. It SSH'd in, enumerated Docker containers and Postgres databases, and ran a pricing migration against a database called tk_dist, touching subscription and product tables with inserts and updates. If accurate, that means one user's assistant wrote to another user's live data with nobody's permission. The reporter frames it as a two-way failure: someone else's secrets flowing in, and real changes flowing out to a stranger's box.
That is the allegation. It is one account, self-filed, and Anthropic has confirmed none of it publicly.
Why the cache theory is only a theory
The juicy explanation making the rounds is prefix cache bleed. Providers reuse cached chunks of prompts to cut inference cost, and the worry is that a key collision or a busted isolation boundary could splice a fragment of one person's context into someone else's session. It's a real category of risk. It is also, in this case, just one of several guesses the reporter themselves listed, alongside shared session storage, a context-summarization mixup, and cross-linked transcripts.
Nobody has demonstrated which, if any, is correct. And there's a far duller possibility that deserves equal billing: the model hallucinated a plausible IP and a weak password that happened to point at a real machine, or stale local project history contaminated the context. Those aren't exotic. They're the boring failure modes that account for most "the AI did something impossible" reports.
It fits an uncomfortable pattern
What makes this one hard to wave off is the company it keeps. A separate report, issue 74066, describes a ZDR-authenticated enterprise session that suddenly filled with Minecraft prompts the user never wrote. A community commenter's triage advice there was the sensible version of what everyone should be saying about the database report too: figure out where the foreign text physically lives before deciding whether it's a local context bleed on one machine or a genuine cross-account leak, because those are wildly different severities.
Claude Code writes per-session transcripts to local disk under the user's home directory, which is exactly why local contamination is plausible and why "cross-tenant breach" shouldn't be the default read. Anthropic has had a rough few months on the disclosure front regardless. Back on March 31 the company shipped a source map in an npm release that exposed most of Claude Code's source, and told CNBC no customer credentials were involved and that it was a packaging error, not a breach.
Whether that reassurance extends to this report is the open question. The database issue sits unassigned and unanswered. If you run Claude Code near anything sensitive, snapshotting your local session files and checking what's in them is the cheap move while the thread waits on a maintainer.




