Claude Code VS Code Extension Leaks Selection State Across Closed Files and New Sessions

A Reddit user (u/SportSpecialist2536) reports a serious data leak bug in the Claude Code VS Code extension. Selection state from a file persists after the file is closed and can be accessed by a new claude CLI session, including selections made only for clipboard copy-paste — not for AI context.
Repro Steps
- Open any file in VS Code with the Claude Code extension installed.
- Select two lines with recognizable values (e.g.,
FOO=abc/BAR=def). - Close the file tab.
- Open a different file.
- Open a terminal in the same VS Code window and run
claude(no flags). - Ask: "what file is open in my IDE?"
- Observe if it reports content from the file you closed in step 3.
The Incident
The user selected two lines in .env.production.local to copy a Supabase service-role key into a dashboard. After closing the file and opening an unrelated TypeScript file, a fresh claude session reported the previously-selected lines — including both the publishable key and the service-role key. The IDE bridge cached the selection past file close and served it to a session that should have been a clean slate. Keys were rotated immediately.
Setup Details
- OS: Windows 11
- Claude Code CLI: 2.1.138
- VS Code extension: 2.1.140
- Terminal: PowerShell in integrated terminal
The user filed a GitHub issue with full details: #58886. They specifically ask macOS/Linux users to try the 60-second repro to confirm if the bug is Windows-specific. A quick "reproduced on [OS]" comment on the issue helps triage.
The narrower bug (selection persisting past file close) seems independently fixable from the larger "should IDE auto-attach be opt-in" question in issue #24726 (open since February).
📖 Read the full source: r/ClaudeAI
👀 See Also

Configuring OpenClaw for Encrypted LLM Inference Using TEE Enclaves
A developer shares how they configured OpenClaw to use Onera's AMD SEV-SNP trusted execution environments for end-to-end encrypted LLM inference, including configuration examples and technical tradeoffs.

OpenObscure: Open-Source On-Device Privacy Firewall for AI Agents
OpenObscure is an open-source, on-device privacy firewall that sits between AI agents and LLM providers. It uses FF1 Format-Preserving Encryption with AES-256 to encrypt PII values before requests leave your device, maintaining data structure while protecting privacy.

Tool Authority Injection in LLM Agents: When Tool Output Overrides System Intent
A researcher demonstrates 'Tool Authority Injection' in a local LLM agent lab, showing how trusted tool output can be elevated to policy-level authority, silently changing agent behavior while sandbox and file access remain secure.

Local Model Prompt Injection Scanner for AI Skills Security
A proof-of-concept tool scans third-party AI skills for hidden bash command injections using a local non-tool-calling model like mistral-small:latest on Ollama, addressing security vulnerabilities in Claude Code's ! operator feature.