On Saturday, July 4, 2026, a developer filed a bug report on GitHub. He was using Anthropic’s Claude Code — an AI coding assistant for professional programmers, running inside an enterprise-grade secure workspace. He was about to ask the AI for help with a development task when, out of nowhere, it asked him: “What color bricks do you want for the Minecraft temple?”
▲ Claude Code suddenly injects Minecraft content completely unrelated to the current task. Source: GitHub Issue #74066
He had never discussed Minecraft with the AI. He searched every local conversation log — no trace of “temple” or “bricks.” Stranger still, the same phenomenon appeared on Claude’s mobile app: the AI abruptly started talking about interior decorating and triptychs while he was simply working with a spreadsheet.
Disturbing enough on its own. But what propelled this to the front page of Hacker News with 260 points was the flood of corroborating reports that surfaced in the discussion — and they weren’t limited to a single company.
Not Just Claude
One widely-cited comment came from an anonymous user who claimed to use AI services from multiple companies extensively and had personally witnessed “session cross-wiring” at least twice: once involving a Claude model and once involving a GPT model, from two different providers — both trillion-dollar tech giants.
One of those companies provided a detailed post-mortem: the problem traced to the API gateway (essentially the “switchboard operator” for AI services) mishandling HTTP’s 100 Continue status code. In simplified terms, the gateway made an off-by-one error when numbering requests — your question received the previous user’s answer, and your answer was delivered to the next person who asked a question.
The other company declined to explain the cause, leaving only a terse “trust us, it won’t happen again.”
Other users reported seeing strangers’ links and files when using AI models through third-party platforms. Another mentioned that Claude once volunteered a location detail that only his friend would know — that friend happened to be using Claude in the same office.
How Did This Happen?
If you want the one-sentence version: To make AI faster and cheaper, multiple companies built shared infrastructure pathways — and those pathways sometimes deliver to the wrong address.
There are three layers to understand.
Layer 1: HTTP Request Smuggling — Misdelivered Packets at the Network Level
When you send a request to a website, your browser and the server communicate via HTTP. The protocol seems simple, but it’s fiendishly complex in practice — especially when one server handles thousands of simultaneous users. To improve efficiency, servers multiplex multiple users’ requests onto a single connection.
The problem arises when the data packets from two users get “glued together” — for instance, because the header length markers are miscalculated — and the server routes A’s response to B. In cybersecurity, this has a name: HTTP Request Smuggling.
Security researcher James Kettle has demonstrated variants of this attack at DEF CON for years. His most recent talk was titled: “HTTP/1.1 Must Die” — because only a full migration to the stricter HTTP/2 protocol can structurally eliminate this class of vulnerability. The irony: six years after his first demonstration, trillion-dollar companies in 2026 are still getting burned by the same flaw.
Layer 2: KV Cache Sharing — The Risk of a “Shared Scratchpad”
When large language models process conversations, they dynamically maintain something called a KV cache. Think of it as the AI’s “scratch paper” — during inference, the model saves previously computed results on that paper, so when it encounters a similar prompt prefix, it can reuse the cached work and save enormous amounts of compute.
For AI providers, this optimization is extremely tempting. If they can detect that multiple users are using the same “system prompt” (for instance, the built-in generic instructions in Claude Code when it launches), those users can share a single cache. That translates to significant cost savings.
But here’s the catch: caches are retrieved by key. If the key-generation function has a bug, if cache eviction isn’t timely, or if different users’ data somehow lands in the same slot — fragments of User A’s conversation can end up served as User B’s cache. As one HN commenter noted, “moving user-specific content out of the system prompt and into the first user message” is a common mitigation, but it’s an engineering practice, not an architectural guarantee.
Layer 3: The Structural Tension Between Speed and Security
Both of these issues point to the same deep tension: the tug-of-war between AI companies’ pursuit of low latency (more caching, shared connections) and user privacy (strict isolation).
This isn’t a moral judgment — it’s a tradeoff at the level of physics. An AI service that shares no caches at all is extremely expensive; every message must be computed from scratch, potentially multiplying costs many times over. An AI service that optimizes aggressively at every layer inevitably shares infrastructure across users, which creates the conditions for cross-wiring.
As one highly-upvoted HN comment put it: “There are massive incentives to optimize the hell out of this, so I expect they’re doing tons of extremely clever tricks — and the cleverer the tricks, the more likely this kind of bug.”
More Than Just “Hallucination”
Some have raised a reasonable objection: could this just be AI “hallucination” — the model fabricating Minecraft content out of thin air rather than actually leaking someone’s data?
It’s a fair question. AI models do confabulate frequently. But in this case, several details make the hallucination explanation hard to sustain.
First, the reporter searched all local conversation logs and confirmed the words “temple” and “bricks” appeared nowhere (except in an unrelated file called minecraft.py inside a Python syntax highlighting library). That doesn’t square with the model picking up on a word from the current conversation and spinning off on a tangent.
Second, the same user experienced a similar phenomenon repeatedly on a different device (the mobile app) — the AI suddenly pivoting to completely unrelated topics (interior decorating), and precisely at the threshold of a cache miss (more than 5 minutes since the last interaction). It’s probabilistically difficult to explain this as independent hallucination events.
Most importantly, multiple users across different companies corroborated similar experiences in the HN discussion, with one receiving a formal incident report. Together, these point to a systemic issue, not an occasional model behavior.
To be fair, the reporter on the GitHub Issue cannot currently confirm with 100% certainty the real source of the leak — whether from a colleague or a stranger. That’s precisely what makes this class of bug so insidious: it can be felt but is extremely difficult to prove definitively.
What Does This Mean for Regular Users?
If you’re only chatting with AI on messaging apps, asking for recipe ideas or writing tips, the direct impact is probably minimal — your conversations don’t contain sensitive information, so even a cross-wired session would be harmless.
But if you or your company are applying AI to scenarios involving trade secrets, medical records, legal documents, or financial data, the signal here is worth paying attention to. It suggests that current AI service infrastructure, when it comes to multi-tenant isolation, has not yet reached the standard expected of enterprise-grade security products — even the paid enterprise tier.
In the HN discussion, pocksuppet, who originally brought up HTTP request smuggling, was blunt: “Every time you multiplex multiple client requests onto a single upstream connection, you’re likely vulnerable.” The problem extends far beyond this one specific bug — it points to an inherent fragility across the entire internet infrastructure stack. AI services just happen to have exposed it at a more sensitive layer.
Coda
As of this writing, Anthropic has not issued a formal statement. The GitHub Issue remains open, tagged “bug” and “area:security.” The HN discussion continues to grow, with more eyewitnesses adding similar accounts.
This incident hints at a broader blind spot in the AI industry: while everyone is sprinting to improve model capabilities and racing to drive inference costs to zero, the most basic question — are different users actually safely isolated from one another? — has been pushed to the bottom of the priority list.
One detail from the HN comments stuck with me: when pressed, one of the trillion-dollar companies simply said, “trust us.” At the other company — the one that provided a thorough post-mortem — the root cause was just one thing: an off-by-one error.
Reference links: