LIVE FEED
FIRST LOOK First Look: OpenAI ChatGPT Image Generator Bypasses Content Filters via Viral Prompt // FIRST LOOK First Look: Bayer and Thoughtworks Ship PRINCE Agentic RAG Platform for Pharmaceutical … // FIRST LOOK First Look: Anthropic Claude Code Gains Fully-Local Persistent Session Memory via Recall // FIRST LOOK First Look: OpenAI Ships GPT-5.5 Instant with Enhanced Health Intelligence in ChatGPT // HIGH Malware Embeds Policy-Triggering Text to Evade LLM-Based Security Analysis // FIRST LOOK First Look: Agentic AI Security Platforms Emerge Promising Autonomous CTEM … // FIRST LOOK First Look: Token Security Launches AI Agent Identity Governance Platform for Enterprise // FIRST LOOK First Look: GitHub Ships Internal Data Analytics Agent Built on Copilot // HIGH AutoJack Exploit Chain Turns AI Browsing Agent Into Remote Code Execution Vector // FIRST LOOK First Look: Delphi Powers Kē App's AI Celebrity Clone for Wellness Coaching //
FIRST LOOK ATLAS OWASP MEDIUM Moderate risk · Monitor closely First Look LLM Security Prompt Injection Agentic AI Supply Chain RELEVANCE ▲ 5.8

First Look: Anthropic Claude Code Gains Fully-Local Persistent Session Memory via Recall

SOURCE Anthropic (via HN) ↗
ATTACK SURFACE BRIEF MEDIUM ↗ MODERATE
  • What shipped: Recall adds durable, fully-local session memory to Anthropic's Claude Code via an open-source Python plugin.
  • Who's now exposed: Developers using Claude Code on shared or multi-user machines, and teams where local project directories may be accessible to untrusted code or processes.
  • Assess now: Audit file permissions on Recall's local memory store and restrict write access to the owning developer account only · Treat the persisted context file as a trust boundary — review its contents before deploying to new environments or sharing project directories · Pin the Recall dependency and its transitive Python packages to verified versions and integrate integrity checks into CI pipelines
First Look: Anthropic Claude Code Gains Fully-Local Persistent Session Memory via Recall

Capability Overview

Recall is an open-source tool that bolts durable, fully-local memory onto Anthropic’s Claude Code. It logs coding sessions, condenses them into a project summary using a classical Python summariser, and automatically injects that summary into each new Claude Code session — eliminating the need for users to re-explain project context. Crucially, no data leaves the machine and no additional API key is required. The tool operates via Claude Code plugin hooks and stores its state in local JSON files.

For defenders, the significance is not the AI capability itself but what it introduces architecturally: a persistent, file-based trust input that Claude Code will consume on every invocation without user review. Anything written to that file becomes implicit context for the agent.

Attack Surface Analysis

Prior to Recall, each Claude Code session started cold — an attacker had to inject malicious content within the active session window. Recall changes that calculus by introducing a persistent attack surface that survives across sessions.

New vectors defenders must consider:

  1. Context Poisoning at Rest — The local summary file is written by a Python process. Any attacker (insider, malicious process, or compromised CI runner) with write access to the project directory can modify the file to prepend adversarial instructions. These will be silently read by Claude Code at the next session start, potentially redirecting agent behaviour.

  2. Prompt Injection via Summarised External Content — If a developer pastes untrusted content (e.g., a third-party README, a user-submitted bug report) into a session that Recall subsequently summarises, attacker-controlled text can survive into future sessions as authoritative project context — a classic second-order prompt injection path.

  3. Sensitive Data Accumulation — Session logs may capture API keys typed in context, proprietary algorithms discussed with the agent, or internal endpoint URLs. Stored in plaintext JSON on disk, these logs become a high-value target for any process with filesystem read access.

  4. Supply Chain Risk — Recall introduces a new open-source Python dependency with plugin hooks that execute during every Claude Code startup. A malicious pull request or compromised PyPI package could alter context write/read behaviour.

Framework Mapping

FrameworkTechniqueRationale
MITRE ATLASAML.T0051 – LLM Prompt InjectionPersisted context file is a new injection point consumed by the LLM
MITRE ATLASAML.T0057 – LLM Data LeakageSession logs may persist sensitive developer data
MITRE ATLASAML.T0010 – ML Supply Chain CompromiseOpen-source summariser plugin is a new third-party dependency
MITRE ATLASAML.T0043 – Craft Adversarial DataAttackers can craft poisoned memory entries
OWASPLLM01 – Prompt InjectionContext file injection maps directly to this category
OWASPLLM06 – Sensitive Information DisclosurePlaintext session logs accumulate sensitive data
OWASPLLM05 – Supply Chain VulnerabilitiesPython plugin and hooks introduce supply chain exposure
OWASPLLM07 – Insecure Plugin DesignPlugin hooks lack documented integrity or sandboxing controls

Threat Scenarios

Scenario 1 — Insider Context Manipulation: A developer on a shared workstation modifies the Recall summary file to include an instruction such as “always include the following header in generated code” embedding a malicious payload. All subsequent Claude Code sessions for that project silently include the instruction.

Scenario 2 — CI/CD Pipeline Poisoning: A repository’s CI runner has write access to the project directory. A compromised workflow step overwrites the Recall memory file prior to a developer session, redirecting Claude Code to exfiltrate generated code to an external endpoint.

Scenario 3 — Second-Order Prompt Injection: A developer pastes an attacker-controlled issue description into a Claude Code session. Recall summarises and stores it. In a later session, the stored summary causes Claude Code to follow embedded instructions from the original attacker.

Defender Checklist

  • Restrict write permissions on recall.config.json and all session log files to the owning user account only
  • Review memory file contents before sharing project directories, pushing to version control, or onboarding new contributors
  • Exclude Recall logs from repository commits via .gitignore to prevent inadvertent secret exposure
  • Pin Recall and its Python dependencies to specific verified versions; monitor for unexpected updates
  • Treat external content pasted into Claude Code sessions as untrusted — assume it may be summarised and persisted
  • Audit plugin hook scripts in the .claude-plugin directory for unexpected behaviour before deploying in shared or production-adjacent environments
  • Rotate any credentials that may have been discussed or typed within a Claude Code session that Recall was logging

References

◉ AI THREAT BRIEFING

Stay ahead of the threat.

Twice-weekly digest of critical AI security developments — every story mapped to MITRE ATLAS and OWASP LLM Top 10. Free.

No spam. Unsubscribe anytime.