TL;DR: This article covers the terminal tool Claude Code (npm package @anthropic-ai/claude-code), not Claude web chat. According to reverse-engineering reports, when ANTHROPIC_BASE_URL is set to anything other than api.anthropic.com, the client makes invisible Unicode and date-format tweaks in the Today's date is … system prompt line—reportedly for anti-distillation and unofficial-route detection. The logic was removed in 2.1.197 (2026-07-01) but the official changelog never mentioned it. For developers and tech leads running Claude Code, Cursor, Copilot, or similar desktop/terminal agents, we separate two independent 2026 controversies (April Desktop Native Messaging vs June steganography), provide a mechanism table, a six-step defense runbook, vendor trust principles, and FAQ. If you are evaluating 2026 AI coding assistant options, treat this as a supplement on terminal agent trust boundaries.
00 Anthropic's 2026 Trust Crisis: Two Events, Not One
In the first half of 2026, Anthropic triggered back-to-back privacy and security controversies across its desktop client and terminal coding agent product lines. The community often bundles both under "Claude spyware," but the trigger mechanisms, blast radius, and remediation paths differ completely. The table below is the Event A / Event B split you should run before writing a runbook or internal advisory.
| Dimension | Event A: Claude Desktop Native Messaging (April 2026) | Event B: Claude Code System Prompt Steganography (disclosed June 30, 2026) |
|---|---|---|
| Product | Claude Desktop macOS client (Claude.app) | Claude Code CLI (@anthropic-ai/claude-code) |
| First disclosure | Privacy consultant Alexander Hanff (April 2026); Antiy Labs published a risk analysis | Developer Thereallo (thereallo.dev); Reddit user LegitMichel777; Hacker News thread |
| Behavior summary | On install, silently writes Chromium Native Messaging manifests, pre-authorizing the Claude browser extension to talk to a local binary—even if you never installed that browser | When ANTHROPIC_BASE_URL is non-default, embeds Unicode apostrophe variants and timezone-related date separators in the Today's date is … system prompt line |
| Trigger condition | Installing or launching Claude Desktop | Only when API traffic routes through a custom base URL (proxy, gateway, resold API, etc.) |
| Third-party confirmation | Digital 520 founder Noah Kenney independently verified Hanff's findings | The Register, TechTimes, and others followed up; Anthropic employee Thariq Shihipar responded on X |
| Community heat | Privacy and ePrivacy debate; Malwarebytes and gHacks coverage | Hacker News 350+ points, 100+ comments, split between "anti-distillation is justified" and "covert tagging crosses the line" |
| Fix status | Later versions reportedly added an opt-in switch; underlying attack surface debate continues | 2.1.197 (2026-07-01) merged a removal PR; changelog silent on the deletion |
Read alongside the Gemini CLI open-source trust crisis and Anthropic's AI for Science strategy, Event B illustrates the trade-off between anti-model distillation and developer-tool transparency. Per Anthropic's public statements, the experiment aimed to block unauthorized reselling and distillation, but steganographic tagging plus a changelog omission on removal amplified trust erosion.
Pain: Why One Apostrophe Shook Developers
Claude Code is a high-privilege terminal agent running on your machine or in CI: it reads repos, invokes tools, and reaches external systems through MCP. Developers reasonably expect the system prompt sent to the model to match what they see in the UI, and for environment variables to affect routing only—not silently rewrite prompt content. Per reverse-engineering reports, Event B broke that contract:
- Covert channel: The fingerprint lives inside the date line that appears in every request, not in a separate telemetry field—nearly invisible to the eye and to diff tools.
- Conditional trigger: Users hitting api.anthropic.com directly reportedly never enter this branch. Custom ANTHROPIC_BASE_URL paths—SiliconFlow, DeepSeek gateways, enterprise reverse proxies—activate it, overlapping heavily with the API relay ecosystem.
- Obfuscated list: The domain list is reportedly stored as base64 + XOR(91), roughly 147 rules including keywords like deepseek, moonshot, zhipu, and multiple gateway domains.
- Version drift: Logic reportedly existed since 2.1.91 (early April 2026). Community members reproduced it in 2.1.193 / 2.1.195 / 2.1.196 until 2.1.197 removed it.
- Disclosure gap: The removal PR merged, but release notes never mentioned the steganography code—making enterprise compliance and SBOM audits hard to close from the changelog alone.
On Hacker News, one camp argued that protecting models from distillation is legitimate business. The other argued that steganography in a paid developer tool without user notice conflicts with Anthropic's "ask for trust" narrative. The split itself shows that terminal agent trust models are not yet standardized.
01 How the Steganography Works: Encoding in the Date Line
Per thereallo.dev and follow-on analysis from Vincent Schmalbach and others, the pipeline has four steps: (1) read process.env.ANTHROPIC_BASE_URL; (2) if empty or pointing at the official API, return a plain date line; (3) otherwise parse the hostname against an XOR-decoded domain/keyword table; (4) pick a Unicode apostrophe and, based on system timezone, optionally swap date - for /.
| Condition (per reverse-engineering reports) | Apostrophe in "Today's" | Unicode | Date format example |
|---|---|---|---|
| Non-default base URL, host not on list and no lab keyword | ASCII apostrophe | U+0027 ' | 2026-06-30 (non-China timezone) |
| Host matches known gateway/reseller domain list | Right single quotation mark | U+2019 ’ | Same as above |
| Host not on list but contains AI lab keyword | Modifier letter apostrophe | U+02BC ʼ | Same as above |
| Both domain list and keyword match | Modifier letter prime | U+02B9 ʹ | Same as above |
| System timezone is Asia/Shanghai or Asia/Urumqi | (Combines with rows above) | — | 2026/06/30 (- becomes /) |
The domain and keyword table is stored in the binary as base64 then XOR(91), reportedly about 147 rules covering strings like deepseek, moonshot, zhipu, siliconflow, and multiple relay domains. If Anthropic's servers preserve original Unicode before normalization, the same English sentence can signal proxy use, China-ecosystem routing, and China timezone—reportedly for anti-distillation and unauthorized-resale detection, not a community-proven verdict of active espionage.
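```javascript
// Sketch of the reported date-line logic; the helper functions are not shown on this page.
function renderDateLine(date) {
  // Unset or official endpoint: plain line with an ASCII apostrophe.
  if (!customBaseUrl()) return `Today's date is ${date}.`;
  const { knownHost, labKeyword, cnTZ } = classifyRoute();
  // The apostrophe variant encodes the domain-list / keyword result.
  const apostrophe = pickApostrophe(knownHost, labKeyword);
  // Asia/Shanghai or Asia/Urumqi: "-" becomes "/".
  const rendered = cnTZ ? date.replaceAll("-", "/") : date;
  return `Today${apostrophe}s date is ${rendered}.`;
}
```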
- Citable data point 1: Steganography logic reportedly existed from Claude Code 2.1.91; still detectable in 2.1.196 at disclosure time.
- Citable data point 2: Obfuscated domain/keyword rule table reportedly contains about 147 entries, hidden via XOR(91) and base64.
- Citable data point 3: Related Hacker News thread reached 350+ points and 100+ comments, split between "anti-distillation is reasonable" and "developer tools should not use covert markers."
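To check captured requests for the markers in the table above, the following added example (not code from the original article or from Claude Code) classifies the apostrophe and date separator found in a date line. The sample prompts are constructed, and the function and field names are illustrative.

```javascript
// Added example: classify the reported date-line markers in a captured prompt.
// Code points and meanings follow the table above; all names are illustrative.
const MARKERS = {
  0x0027: "no domain-list or keyword hit",
  0x2019: "host on gateway/reseller domain list",
  0x02bc: "AI lab keyword in host",
  0x02b9: "domain list and keyword both hit",
};

// (.) captures whatever sits in the apostrophe slot, so an unlisted look-alike
// is still reported; \3 requires the same separator on both sides of the month.
const DATE_LINE = /Today(.)s date is (\d{4})([^\d\s])(\d{2})\3(\d{2})/u;

function inspectDateLine(prompt) {
  const m = DATE_LINE.exec(prompt);
  if (!m) return { found: false };
  const cp = m[1].codePointAt(0);
  const sep = m[3];
  return {
    found: true,
    apostrophe: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
    meaning: MARKERS[cp] ?? "unlisted character",
    slashDate: sep === "/",
    // Plain line = U+0027 with "-"; anything else differs from what the UI shows.
    tagged: cp !== 0x0027 || sep !== "-",
  };
}

// Constructed sample prompts, one per table row plus the timezone variant.
const SAMPLES = [
  "Today's date is 2026-06-30.",
  "Today\u2019s date is 2026-06-30.",
  "Today\u02BCs date is 2026-06-30.",
  "Today\u02B9s date is 2026-06-30.",
  "Today's date is 2026/06/30.",
];
for (const s of SAMPLES) console.log(JSON.stringify(inspectDateLine(s)));
```

A plain-looking line with U+0027 and a slash date is still reported as tagged, since per the table the separator swap combines with any apostrophe row.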
02 Version Timeline and Motivation: Reports vs Official Response
| Version / date | Per public info and reverse-engineering reports |
|---|---|
| 2.1.91 (around 2026-04-02) | Reddit user LegitMichel777 reported finding related logic in this release |
| 2.1.193 / 2.1.195 / 2.1.196 | Community reproduced the steganography branch in npm packages and embedded chunks |
| 2026-06-30 | Thereallo published a long reverse-engineering post; HN and Reddit amplified |
| 2.1.197 (2026-07-01) | Removal PR merged; official changelog did not mention steganography deletion |
Anthropic employee Thariq Shihipar stated on X that, per his account, this was an experiment started in March to prevent unauthorized reselling and protect models from distillation, and that the team planned to roll it back in the next release. The Register and others reported Anthropic acknowledging the code and promising a fix. These are public statements; whether servers actually consumed these markers or affected account enforcement is undisclosed by Anthropic—this article does not assert undisclosed consequences as fact.
Source leaks from the same period also exposed other anti-distillation mechanisms such as ANTI_DISTILLATION_CC (e.g., injecting disruptive tool data into requests). Per reports, steganography sits in the same "protect the model" toolbox, but covert system prompt modification damages developer trust far more than documented API fields.
03 Is It "Spyware"? How to Classify Each Event
Event A: Unauthorized local channel pre-configuration
Hanff and Antiy Labs' core allegation: Claude Desktop, without user notice, writes com.anthropic.claude_browser_extension.json into Chrome, Edge, Brave, Arc, Vivaldi, Opera, and similar paths, pre-authorizing an extension ID to communicate with a local helper; deletion is automatically restored on app restart. Noah Kenney independently confirmed a persistent pre-authorized bridge from "browser extension → out-of-sandbox binary."
The risk chain: Anthropic's own docs note Claude for Chrome faces prompt injection risk—23.6% attack success without mitigation, roughly 11.2% with mitigation. If the extension is installed and the manifest is pre-seeded, per security analysis a malicious page's injection could theoretically reach local capabilities at user privilege through the extension and Native Messaging. That is unauthorized local config tampering plus a known high-success injection surface—not a traditional trojan, but with significant compliance and ePrivacy controversy.
Event B: Undisclosed prompt-layer telemetry
Event B does not modify local files. It embeds classification signals in the user-invisible system prompt with no separate opt-in disclosure. Per reverse-engineering reports, this is an undisclosed telemetry/classification channel hostile to transparency and data minimization. Whether it legally qualifies as "spyware" depends on jurisdiction and contract terms; engineering-wise, the accurate framing is: covert classification markers in a developer tool, removed without changelog notice.
Discipline of language: Throughout this article, Anthropic's motives are attributed with "reportedly," "per reverse-engineering," and "per public statements." We do not assert undisclosed server-side use or account penalties as fact. Enterprise audits should cover Event A manifest paths and Event B base URL / version numbers together.
04 Six-Step Defense Runbook (Claude Code + Desktop)
- 01 Audit ANTHROPIC_BASE_URL: List every Claude Code instance across shells, ~/.claude/settings.json, and CI secret stores. Non-official API endpoints reportedly triggered the steganography branch; enterprise gateways should be documented and security-approved.
- 02 Upgrade Claude Code to ≥ 2.1.197: Run claude --version or npm ls -g @anthropic-ai/claude-code. Versions below 2.1.197 reportedly still contained the logic; after upgrading, verify the binary yourself since the changelog omitted this change.
- 03 Audit Claude Desktop Native Messaging: On macOS, check ~/Library/Application Support/Google/Chrome/NativeMessagingHosts/ and equivalent Edge, Brave, Arc paths for com.anthropic.claude_browser_extension.json. If you do not need browser automation, delete the manifest and log whether Desktop recreates it.
- 04 Verify system timezone: Event B reportedly swaps date separators under Asia/Shanghai and Asia/Urumqi. CI and cloud dev boxes should use expected timezones to avoid accidental tagging; document TZ=UTC where appropriate.
- 05 Enterprise least privilege: Restrict who can install Desktop, configure base URLs, and hold API keys; require approval for MCP and browser extensions; isolate Claude Code from production secrets.
- 06 Isolate dev environments and audit: Run agents on a dedicated Mac or cloud bare-metal node, separated from daily browsing and personal Apple IDs; periodically grep outbound system prompt samples (in MITM lab environments) or rely on vendor SBOMs. For stable, resettable Mac CI/agent hosts, see NUKCLOUD pricing and order page for dedicated nodes.
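Steps 01 to 04 of the runbook can be scripted as a single host check. The following is an added example, not code from the original article or from Anthropic; the Edge and Brave directory names, the env key in settings.json, and all function names are assumptions.

```javascript
// Added example: runbook steps 01-04 as one host audit (not vendor code).
// Assumed: Edge/Brave directory names and the "env" key in settings.json.
const FIXED = [2, 1, 197]; // first release reported without the logic
const MANIFEST = "com.anthropic.claude_browser_extension.json";
const BROWSER_DIRS = ["Google/Chrome", "Microsoft Edge", "BraveSoftware/Brave-Browser"];

function olderThanFixed(version) {
  const parts = String(version).split(".").map((s) => parseInt(s, 10));
  for (let i = 0; i < 3; i++) {
    const n = parts[i] || 0;
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return false;
}

function isOfficial(baseUrl) {
  if (!baseUrl) return true; // unset: client default
  try { return new URL(baseUrl).hostname === "api.anthropic.com"; }
  catch { return false; }    // unparsable value: flag for review
}

// Pure check over collected facts, so it also works on exported inventory data.
function auditHost({ baseUrls = {}, version, manifests = [], timeZone }) {
  const findings = [];
  for (const [source, url] of Object.entries(baseUrls)) {
    if (!isOfficial(url)) findings.push(`base-url:${source}`);
  }
  if (version && olderThanFixed(version)) findings.push("version<2.1.197");
  for (const p of manifests) findings.push(`manifest:${p}`);
  if (["Asia/Shanghai", "Asia/Urumqi"].includes(timeZone)) findings.push(`timezone:${timeZone}`);
  return findings;
}

// Gather facts from the local macOS account (CommonJS; pass the installed version).
function collectFacts(version) {
  const fs = require("fs"), os = require("os"), path = require("path");
  const home = os.homedir();
  let settingsEnv = {};
  try {
    settingsEnv = JSON.parse(fs.readFileSync(path.join(home, ".claude/settings.json"), "utf8")).env || {};
  } catch { /* file missing or not JSON */ }
  const manifests = BROWSER_DIRS
    .map((d) => path.join(home, "Library/Application Support", d, "NativeMessagingHosts", MANIFEST))
    .filter((p) => fs.existsSync(p));
  return {
    baseUrls: { shell: process.env.ANTHROPIC_BASE_URL, "settings.json": settingsEnv.ANTHROPIC_BASE_URL },
    version, manifests,
    timeZone: Intl.DateTimeFormat().resolvedOptions().timeZone,
  };
}
```

On a macOS host, `auditHost(collectFacts("2.1.196"))` returns the list of findings; an empty list means none of the four checks fired.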
05 AI Vendor Trust: Four Procurement Principles
Terminal agents read code, invoke tools, and hold API keys. The 2026 Claude Code steganography and Desktop manifest controversies prove: vendor docs ≠ runtime behavior. Procurement and platform teams can adopt these four principles (applicable to Anthropic, Google, OpenAI, Cursor, and others):
- Observable behavior: Require public documentation or SBOM coverage for system prompt injection, environment-variable triggers, and local file writes; changelogs must cover security-related removals.
- Data minimization: Prefer explicit API fields or opt-in telemetry for classification and abuse prevention—avoid steganographic covert channels.
- Local changes need consent: Native Messaging, browser extensions, LaunchAgents, and similar pre-configuration without consent is a violation unless authorized item-by-item at first use.
- Verifiable supply chain: Pin versions, verify npm package hashes, diff in isolated environments; partition agent hosts from production networks for one-click rebuild.
Trust risk in desktop agents and tools like Claude Code often lies not in model answer quality but in local side effects you never reviewed and invisible outbound payloads. Running 7×24 agents on shared laptops or oversubscribed VPSes adds neighbor noise and long-connection drops. For auditable, SSH-accessible Mac hosts that can run Xcode and Claude Code in production or CI, NUKCLOUD multi-region bare-metal Mac / cloud Mac nodes offer dedicated hardware, root access, and flexible daily/monthly billing—keeping agent environments separate from everyday machines and shrinking the leak surface. Start at the pricing page to compare specs, then spin up an isolated dev environment on the order page.
06 Frequently Asked Questions
com.anthropic.claude_browser_extension.json from each Chromium browser's NativeMessagingHosts directory and check whether Claude Desktop recreates it on restart. Per Hanff's report, deletion may be overwritten; long-term options include disabling Desktop browser integration, using a version without the behavior, and monitoring directory changes.

- → / swap only applies when ANTHROPIC_BASE_URL already points to a non-official endpoint and timezone is Asia/Shanghai or Asia/Urumqi. Direct official API connections reportedly skip this code path.

Today's, swap ASCII apostrophe U+0027 for visually identical U+2019, U+02BC, or U+02B9 to encode combinations like "domain list hit / AI lab keyword hit." Humans see no difference; Unicode-aware logs or servers can decode.

ANTHROPIC_BASE_URL, recheck environment variables and CI images after upgrading; compliance teams should keep upgrade records and version-pin policies since the changelog omitted this item.

ANTHROPIC_BASE_URL whose host matches the rule table or keywords could rewrite the date line before 2.1.197. That logic is now removed, but other anti-distillation mechanisms (e.g., ANTI_DISTILLATION_CC) may remain—track vendor updates and community reverse-engineering.

07 Sources
- The Register — Report on Anthropic removing Claude Code covert code
- thereallo.dev — Long-form reverse engineering of system prompt steganography
- Antiy Labs — Claude Desktop Native Messaging risk analysis
- Alexander Hanff — Original disclosure of Claude Desktop silent manifest install (republished by That Privacy Guy and others)
- Hacker News — Late June 2026 discussion (350+ points, 100+ comments scale)
- Reddit — LegitMichel777 and others on 2.1.91 behavior
- Vincent Schmalbach, TechTimes, and others on ANTHROPIC_BASE_URL and Unicode marking
Terminal agents are becoming "interns with root." The Claude Code steganography incident reminds us: when choosing between Cursor vs Claude Code vs Copilot, ask more than SWE-bench scores and pricing—will it silently change the prompt you send to the model? Running agents on an isolated, rebuildable Mac in 2026 is a practical vote for control.