A security researcher has documented how Claude Code's local memory system can be exploited through prompt injection - where malicious text in your project environment tricks the AI into storing and acting on instructions it shouldn't.
Claude Code, Anthropic's AI coding assistant that runs in your terminal, stores notes about your projects in local files between sessions. This persistence is a core feature: the tool remembers your codebase structure, your preferences, and past decisions so you don't have to re-explain context every time you open a new session. The security risk comes from that same persistence.
The Core Problem
Prompt injection is what happens when text in your environment tricks an AI into following instructions embedded in that text rather than treating it as data. In Claude Code's case: if a malicious file exists anywhere in your project - a manipulated README, a crafted config entry, a poisoned comment in a dependency - Claude Code can read it during a session, extract embedded instructions, and write them into its local memory files.
Unlike a chat session that resets when you close the browser, Claude Code's memory files persist on your machine indefinitely. They're present next session, and the one after that, quietly shaping how the tool behaves. The researcher's framing - "you can verify it yourself" - is the useful part: Claude Code's memory files are plain text on your filesystem. Reading them directly shows exactly what the tool has stored about your project and whether anything unexpected has made its way in.
There's no patch from Anthropic as of April 2026. If you use Claude Code on shared repositories, client code, or open-source projects where you don't control every file, the practical mitigation is straightforward: periodically review the memory files Claude Code creates and maintains. Treat them as you would any local configuration file that shapes tool behavior - because that's exactly what they are.
This isn't unique to Claude Code. Any AI coding assistant that reads project files and maintains persistent local state faces some version of this risk. But Claude Code's memory system is more aggressive about retention than most, which makes it more useful and also more worth auditing.