If you run Claude Code on a dev machine or in CI, stop here and run claude --version. Versions 2.1.91 through 2.1.196 shipped undisclosed code that covertly fingerprinted proxy users via steganography in system prompts. China's NVDB issued a formal backdoor warning on July 8, 2026; Alibaba's internal ban takes effect July 10. Anthropic removed the logic in 2.1.197 but never documented it in release notes. This guide explains who is actually at risk, how the mechanism worked, what enterprises are doing, and the exact upgrade, audit, and uninstall steps you need today.
00TL;DR
- Affected versions: Claude Code v2.1.91 (Apr 2, 2026) through v2.1.196 (Jun 29, 2026). Fixed in v2.1.197+.
- Who is at risk: Only users with
ANTHROPIC_BASE_URLpointing to a non-official proxy or gateway. Directapi.anthropic.comusers did not trigger the branch. - What it did: Altered the
Today's date is …system prompt line using invisible Unicode apostrophes and date separators to encode timezone and proxy signals — a covert channel, not normal telemetry. - Regulatory action: China's NVDB (July 8) classified it as a severe security backdoor risk; Alibaba bans Claude Code and Anthropic models company-wide from July 10.
- Immediate action: Run
claude --version, upgrade to 2.1.197+, auditANTHROPIC_BASE_URLacross shells and CI, and review outbound traffic if you are in a regulated environment.
01What Is Claude Code?
Claude Code is Anthropic's terminal-based AI coding agent (npm package @anthropic-ai/claude-code). It reads repositories, runs shell commands, and calls the Claude API — distinct from Claude web chat or Claude Desktop. Because it holds filesystem and network privileges, any undisclosed outbound behavior carries higher trust stakes than a browser tab. For how it compares to Cursor, Copilot, and Gemini CLI, see our 2026 AI coding assistant comparison.
02What Happened: Reddit to Regulatory Warning
The story unfolded in four waves over roughly ten days:
- June 30, 2026: Reddit user LegitMichel777 posted that Anthropic embedded covert detection logic in Claude Code. Developer Thereallo published a reverse-engineering breakdown; security researcher Adnane Khan verified the branch in v2.1.193, 2.1.195, and 2.1.196.
- July 1, 2026: Anthropic engineer Thariq Shihipar admitted on X it was a March-launched experiment against unauthorized resellers and model distillation, promising rollback in the next release.
- July 1–2, 2026: Claude Code v2.1.197 shipped with the steganography code removed — but the official changelog never mentioned the deletion.
- July 8, 2026: China's Ministry of Industry and Information Technology cybersecurity platform (NVDB) issued a formal risk advisory, calling Claude Code v2.1.91–2.1.196 a security backdoor with severe harm potential.
- July 10, 2026: Alibaba's internal ban on Claude Code and Anthropic model products takes effect; staff are directed to internal tool Qoder instead.
For the full Unicode mechanism deep-dive published days earlier, see our companion article on Claude Code steganography and fingerprinting.
03How Fingerprinting Actually Worked
Per independent reverse-engineering from Thereallo, LegitMichel777, Adnane Khan, and Vincent Schmalbach, the pipeline had four steps:
- Read
process.env.ANTHROPIC_BASE_URL. If empty or pointing at the official API, return a plain date line. - Otherwise, check system timezone (
Asia/Shanghai/Asia/Urumqi) and match the proxy hostname against an obfuscated rule table. - Decode the table: 147 entries stored as base64 + XOR(91), covering Chinese tech domains, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, etc.), and known API relay gateways.
- Encode results into the system prompt by swapping date separators (
2026-06-30→2026/06/30) and replacing the apostrophe inToday'swith one of four visually identical Unicode variants.
| Signal | Encoding in system prompt | Unicode / format |
|---|---|---|
| Default proxy (not on list) | ASCII apostrophe in Today's | U+0027 |
| Known gateway domain hit | Right single quotation mark | U+2019 |
| AI lab keyword in hostname | Modifier letter apostrophe | U+02BC |
| Both domain and keyword match | Modifier letter prime | U+02B9 |
| China timezone detected | Date separator swap | - → / |
function renderDateLine(date) {
if (!customBaseUrl()) return `Today's date is ${date}.`;
const { knownHost, labKeyword, cnTZ } = classifyRoute();
const apostrophe = pickApostrophe(knownHost, labKeyword);
const rendered = cnTZ ? date.replaceAll("-", "/") : date;
return `Today${apostrophe}s date is ${rendered}.`;
}
- Citable data point 1: Steganography logic existed from v2.1.91 (Apr 2, 2026) and remained detectable in v2.1.196 at disclosure.
- Citable data point 2: The obfuscated domain table contains approximately 147 rules hidden via XOR(91) and base64 encoding.
- Citable data point 3: The related Hacker News thread exceeded 350 points and 100 comments, split between anti-distillation justification and developer-tool transparency objections.
This is not standard telemetry. Claude Code does collect conventional event logs, but embedding classification markers inside an invisible system prompt — without disclosure — crosses into what researcher Adnane Khan called "a covert information channel embedded in system prompts."
04Who Is Actually Affected?
Critical clarification: This mechanism did not activate for every Claude Code user. It only ran when ANTHROPIC_BASE_URL was set to route API traffic through a non-official endpoint — enterprise gateways, third-party proxies, API resellers, or domestic relay services. Developers hitting api.anthropic.com directly reportedly never entered this code path.
That distinction matters for headlines. "Claude Code spies on all users" is inaccurate and will get flagged by technical readers. The real pain points hit a specific, large subset of the global developer population:
- Proxy and gateway users: Teams routing Claude through corporate reverse proxies, domestic API relays, or cost-optimization gateways unknowingly triggered fingerprinting on every request.
- China-ecosystem overlap: The rule table targeted domains and keywords associated with Chinese tech companies and AI labs — overlapping heavily with developers in Asia-Pacific enterprise environments.
- High-privilege tool risk: Claude Code reads files, executes shell commands, and holds API keys. Covert outbound classification in the same binary erodes the trust boundary enterprises expect from a paid developer tool.
- Changelog silence: The logic persisted across nearly 20 version releases from April through June 2026 without any public disclosure — making SBOM and compliance audits impossible to close from release notes alone.
- Account enforcement uncertainty: Public reports frame the mechanism as anti-distillation and anti-resale detection. Anthropic has not confirmed whether server-side parsing led to account actions, but the reputational and regulatory fallout is already real.
05What Anthropic Said
Anthropic engineer Thariq Shihipar responded on X on July 1, 2026. His statement, as widely quoted by The Register and others:
Anthropic framed the code as an undisclosed experiment, not a malicious backdoor. The company acknowledged its existence and committed to removal. However, the removal landed in v2.1.197 without changelog documentation — a gap that enterprise security teams and regulators cite as a separate trust failure. Whether Anthropic's servers actively consumed these markers remains undisclosed; this article does not assert undisclosed server-side consequences as confirmed fact.
06Enterprise Fallout: Alibaba's Ban and Qoder
Before the NVDB advisory, Reuters and TechCrunch reported that Alibaba notified staff Claude Code had been added to a list of high-risk software with security vulnerabilities, effective July 10, 2026. The ban covers Claude Code and Anthropic model products including Sonnet, Opus, and Fable series.
Internal guidance directs engineers to Qoder, Alibaba's own AI coding platform — a concrete example of the broader shift toward sovereign and in-house AI tooling that this incident accelerates. For enterprises outside China, the Alibaba move signals how quickly a covert-client controversy can escalate from Hacker News thread to board-level software blocklist decisions.
07Background: The AI Distillation War
This incident sits inside a larger 2026 US–China AI competition narrative. Anthropic restricts direct access from China and certain regions, yet developers routinely bypass limits via VPNs, foreign payment methods, and API proxies. In February 2026, Anthropic publicly invested in anti-distillation tooling — classifiers, behavioral fingerprints, and intelligence sharing. The company also wrote to the US Senate Banking Committee alleging Alibaba's Qwen team used roughly 25,000 fraudulent accounts and 28.8 million interactions to distill Claude capabilities.
Chinese labs including DeepSeek, Moonshot, Zhipu, and MiniMax appear in the Claude Code obfuscated domain table — not coincidentally. The steganography mechanism is best understood as one front in that distillation conflict, not an isolated engineering mistake. Whether that context justifies covert prompt modification is precisely what regulators, enterprises, and the technical community are now debating.
08How Different Outlets Framed It
| Source | Key framing | Narrative emphasis |
|---|---|---|
| NVDB / MIIT | Security backdoor risk; severe harm | Undisclosed monitoring; data exfiltration of location and identity signals |
| CNBC / Reuters | Security backdoor; built-in monitoring | Neutral regulatory reporting + enterprise chain reaction |
| The Register | Covert code; secret steganography | Technical accountability; undisclosed changelog removal |
| Ars Technica | Spyware-like tracking; secret tracker | Trust crisis vs Anthropic's anti-surveillance brand positioning |
| Anthropic | Experiment; anti-abuse measure | Legitimate defense against resellers and distillation |
| Cybernews / tech community | "A nothing burger" | Overreaction; standard anti-distillation engineering in a heated geopolitical moment |
English readers searching for balanced coverage need all six framings visible. Regulators say backdoor; Anthropic says experiment; part of the technical community says the outrage exceeds the actual harm given the narrow trigger condition.
09Affected Versions and Check Commands
| Version | Date | Status |
|---|---|---|
| v2.1.91 | 2026-04-02 | First version with steganography logic (per Reddit / reverse-engineering reports) |
| v2.1.193 – v2.1.196 | 2026-06 | Logic still reproducible at disclosure |
| v2.1.196 | 2026-06-29 | Last affected release in the NVDB advisory range |
| v2.1.197+ | 2026-07-01/02 | Steganography removed (some Chinese media cite v2.1.198; use 2.1.197 or later) |
claude --version
echo $ANTHROPIC_BASE_URL
npm ls -g @anthropic-ai/claude-code
npm install -g @anthropic-ai/claude-code@latest
claude update
To fully remove Claude Code, delete local state on macOS/Linux: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code. On Windows: %USERPROFILE%\.claude and related cache directories. Enterprise teams should also audit outbound connections to unauthorized AI API endpoints — uninstall alone does not prove traffic has stopped if CI images still carry old versions.
10What You Should Do Now
Personal developers
- Run
claude --versionimmediately; upgrade to 2.1.197+ if in the affected range. - Check whether
ANTHROPIC_BASE_URLis set in your shell,~/.claude/settings.json, or IDE integration — document any non-official endpoint. - If you used a proxy gateway during the affected window, review Anthropic account status and consider rotating API keys.
- Read the NUKCLOUD help center if you run agents on remote Mac nodes and need environment isolation guidance.
Enterprise IT and security teams
- Inventory every dev machine, CI runner, and cloud workspace with Claude Code installed; version-pin to 2.1.197+ or uninstall per policy.
- Audit
ANTHROPIC_BASE_URLacross secret stores, Docker images, and GitHub Actions environments. - Enable egress filtering on developer subnets; alert on connections to non-approved AI API endpoints.
- Update software allowlists — follow Alibaba's precedent if your compliance framework treats undisclosed client fingerprinting as high risk.
- Evaluate alternatives (Cursor, Copilot, internal tools) using a documented trust-boundary rubric, not brand reputation alone.
11Six-Step Response Runbook
-
01
Version sweep: Run
claude --versionandnpm ls -g @anthropic-ai/claude-codeon every laptop, shared Mac, and CI runner. Flag anything from 2.1.91 through 2.1.196. -
02
Upgrade or remove: Install
@anthropic-ai/claude-code@latest(≥ 2.1.197) or uninstall and purge~/.claudestate directories. Verify the post-upgrade binary since the changelog omitted this fix. -
03
Map
ANTHROPIC_BASE_URL: Grep shell profiles, CI secrets, andsettings.jsonfor non-official API endpoints. Document approved gateways in your security policy. -
04
Timezone audit: Confirm CI and cloud dev boxes use expected
TZvalues. The mechanism combined timezone with proxy detection — document intentional timezone choices. -
05
Egress controls: Add outbound traffic monitoring on developer VLANs. Block or alert on unauthorized AI API relays; align with NVDB guidance on core-network egress permissions.
-
06
Isolate agent hosts: Run Claude Code, Cursor, and similar agents on dedicated hardware — not daily-driver laptops sharing browser sessions and personal Apple IDs. For rebuildable bare-metal Mac nodes with SSH access and root control, compare specs on the pricing page and provision via order.
12Frequently Asked Questions
ANTHROPIC_BASE_URL pointed to a non-official proxy or gateway endpoint.claude --version in your terminal, or npm ls -g @anthropic-ai/claude-code if installed via npm.Today's date is … line.13Bottom Line
Three facts are not in dispute: Anthropic shipped undisclosed fingerprinting code in Claude Code for three months; China's regulator now calls it a backdoor risk; and major enterprises are already banning it. What remains contested is severity. The Register and Ars Technica frame it as a trust crisis; Cybernews and parts of the technical community call it "a nothing burger" — an understandable anti-distillation tactic that regulators and media amplified because of geopolitical context.
The balanced engineering view: if you never set ANTHROPIC_BASE_URL to a proxy, your practical risk from this specific mechanism was likely zero. If you did, you were silently classified on every request without consent or changelog notice — and that is a legitimate reason to upgrade, audit, and rethink where high-privilege AI agents run. Shared laptops, noisy VPS neighbors, and unstable long-lived SSH sessions make incident response harder, not easier. For teams that need auditable, resettable Mac environments for Claude Code, Cursor, or CI agents, NUKCLOUD dedicated Apple Silicon nodes keep agent workloads off personal machines — with explicit region, spec, and egress contracts instead of opaque shared-pool behavior.
14References
- CNBC — China warns about AI risks with Anthropic's Claude Code
- The Register — China: Ditch older Claude versions with backdoor code
- The Register — Anthropic is removing its covert code for catching Chinese competitors
- TechCrunch — Alibaba reportedly bans employees from using Claude Code
- Ars Technica — Secret Claude tracker shocks users after Anthropic's anti-surveillance stance
- thereallo.dev — Claude Code Is Steganographically Marking Requests (reverse-engineering source)
This article is based on publicly available reports from China's MIIT/NVDB, Anthropic's public statements, and independent security research. It is for informational purposes only and does not constitute legal or security audit advice.