A developer's GitHub report of "cross-workspace session leakage" in Claude Code v2.1.199 is starting to look less like a security breach and more like a textbook LLM hallucination. The likely culprit is sitting in a Python virtual environment: a Pygments syntax file called minecraft.py that the agent read out of a tool result earlier in the session.
The original bug report, filed against an Enterprise ZDR workspace, describes an agent that spontaneously pivoted to asking what kind of bricks the user wanted for a Minecraft temple, then summarized the session as a Minecraft build. The author reasonably asked whether another workspace's session had bled into theirs.
The author's own follow-up on the Hacker News thread supplies the more plausible mechanism. A tool call earlier in the session had listed files inside a Python venv, and that listing included the Pygments package's minecraft.py syntax lexer. LLMs will sometimes latch onto incidental tokens in tool output and weave them into the next turn. A filename suggesting a sandbox game is exactly the kind of hook that takes over a drifting agent.
Two features of the reporter's setup make that hallucination more likely than it would be in a vanilla session. The session was launched in one directory (with a .claude context the user wanted loaded) while the actual work happened in another. At some point the agent compacted its conversation, forgot that constraint, and started working in the launch directory. Split work directories and context compaction are both classic hallucination accelerants, because they force the model to reconcile partial instructions with whatever happens to be in the surrounding tool output.
The cache TTL nerf is a different phenomenon. Anthropic's April 23 engineering postmortem addresses a recent wave of Claude Code quality regressions, and XDA Developers reported that Anthropic reduced Claude Code's one-hour prompt cache TTL around late June, with knock-on effects on token budgets. A shorter cache TTL can look like "something changed under the hood about caching" to a user reasoning about why a session misbehaved, but it does not move text from one workspace into another. Treating the two as one story obscures the actual diagnostic question: was the agent's behavior produced by a security boundary failure, or by a model reasoning over a confusing context?
The Pygments package's standard distribution does include a Minecraft lexer, per the OP's venv listing on Hacker News, so the seed token is a real file rather than a phantom. The remaining question is whether Anthropic's cache infrastructure ever surfaced a sibling session's prompt into this user's tool output, which the public record does not support. Anthropic has not commented on issue #74066. The Feedback ID f336f5d2-3992-4a04-9e1f-ec30f006f75e is the only identifier in the report.
Enterprise ZDR (Zero Data Retention) and consumer-plan session isolation are different security properties. The bug report was filed against a ZDR workspace, configured so that prompts and outputs from that workspace are not retained. Nothing in the public receipts suggests consumer traffic reached a ZDR workspace, or that a ZDR workspace leaked into a consumer session. The hypothesis on the table is a hallucination inside a single authenticated session, not a boundary failure.
The separate six-month saga Alex Zanfir documented, in which a Claude Code agent reportedly chased a cache bug across many turns, is a useful historical analogue. Long, compacted, tool-heavy sessions are where these drifts show up.
The next two signals to watch are an Anthropic staff comment on issue #74066, and any subsequent report that shows the same Minecraft-themed drift without a Minecraft-related file anywhere in tool output. Either would shift the weight back toward a real cache or session boundary problem.