Claude Code Incidents — June 2026: what silently broke, and the one-line fixes

Using Claude Code in real work, the scary failures are rarely loud. They look like success — and the damage is found later. This is a roundup of the Claude Code incidents reported in June 2026 (via GitHub issues) in the categories that actually hurt: data quietly lost, cost running away, and a safety assumption breaking without a sound. Each item is short: what happens, and one first move you can make. From this month on, I'll collect these once a month.
Where I saw an incident only through someone else's issue, I write it as reported; where I verified the mechanism or the fix myself, I state it plainly.
A folder with a non-ASCII name made two projects' histories collide and vanish (#70674). When the session-storage folder name is built, non-Latin characters are all flattened to hyphens. Two different folders with the same length collapse to the same storage path, and claude project purge can delete an unrelated project's records. → Start from a path whose folder name is ASCII. Check for collisions with ls -1 ~/.claude/projects/ | grep -- '--' before purging.
Moving or renaming a project folder made the whole conversation history disappear (#70470). No dangerous command — just moving the folder — and the history is gone, because storage is keyed to the path. → It's usually still on disk. If you noted the old↔new folder mapping, you can recover it.
"Add a section" replaced the entire file (#67917, still discussed in June). The write tool runs as full-replace, not append, so files outside git get wiped. → Keep important files in git. Diff after every change.
A "benign" stop command took out 27 unrelated processes (#72153). pkill -f "node server.js" -f 8788 — meant to kill one dev server — over-matched and killed Signal, Slack, Chrome and more, because the stray -f became a substring pattern matching nearly every Electron app. The blast radius is invisible in the command text, which is exactly why the classifier let it through. → Target by port instead: lsof -ti tcp:8788 | xargs kill. If you must use pkill -f, preview with pgrep -f first and pass one pattern after --.
/compact made costs go up (#70459). Auto-compaction running twice, so the "save tokens" move burns more. → Watch token spend across a compaction; check it isn't rising.
A backgrounded task looked "done" while still burning quota. It appears finished, but a background subagent keeps billing. → Stop background work explicitly. Don't trust the "done" line.
The model decided it was "prompt-injected," wrote that into auto-memory, and re-triggered it every session (#70525). Auto-written memory persists false beliefs as faithfully as true ones. → Periodically audit strong "never do X" memories for real grounding. A genuine injection shows up in the transcript as a user-role turn.
A protection you set as "don't touch this path" silently slipped through a symlink (#71072). Path matching is done on the string and doesn't resolve to the real path, so a symlink into a protected directory bypasses both deny rules and path-based rules — with no error. → Enforce the operations you really care about in a PreToolUse hook that resolves realpath first, not in string rules.
CLAUDE.md said "confirm before commit/push," but git push ran with no confirmation (#72187). The instruction file is advisory; once the model reasons "the milestone is done, pushing is the natural next step," it overrides it, and an irreversible remote action runs. → Enforce confirmation for irreversible operations in a PreToolUse hook, which fires below the model's judgment.
The model said "done" while the tool call was emitted as plain text and never executed (#72180). A tool call leaks out as body text; the harness sees a normal end-of-turn, so nothing ran but the task looks complete. Low-frequency, silent. → Don't trust "done" at face value — verify on disk (git status, file mtimes, list the contents). Re-prompting usually makes it execute.
What June's incidents share: they happen with no error and no warning. So "being careful" doesn't prevent them. What does is concrete habits and settings — knowing how storage paths are named, looking at the target before an irreversible operation, auditing what gets auto-written to memory.
I keep a free set of prevention hooks at cc-safe-setup (MIT) — npx cc-safe-setup --shield installs the guards that sit in front of the irreversible operations above.
One more thing worth saying out loud: the incidents above are Claude Code's, but this failure shape — a destructive step runs before a confirmation gate, on a premise that silently failed — is not unique to Claude. It has played out across Cursor, Codex, Gemini CLI, and Copilot too. A one-time, single-tool book can't keep up with that. If you run more than one agentic coding tool and want the cross-tool version of this digest — June's incidents and prevention across every agent, refreshed monthly — that's what the $5/mo membership is for. This monthly Claude Code digest stays free; follow me here to catch next month's.