Security AI trust crisis 2026.07.03

Claude Code Steganography Explained: How Anthropic Fingerprinted Users With a Single Apostrophe

Bottom line: In late June 2026, according to developer reverse-engineering reports, Claude Code (not the Claude web app) used text steganography to rewrite the Today's date is... line in system prompts when users pointed ANTHROPIC_BASE_URL at a non-official proxy. By swapping date separators and visually identical Unicode apostrophes, it silently encoded bits about China timezone, matching resellers, and AI lab keywords—sending that signal back to Anthropic's servers. Anthropic removed the logic in 2.1.197. The likely goal was anti-distillation and anti-reselling; the controversy is how hidden and obfuscated it was.

For Claude Code users, security engineers, and enterprise IT decision-makers, this article covers three things: ① the full picture of two separate incidents—April Claude Desktop browser injection and June Claude Code prompt steganography; ② the Unicode fingerprint mapping table and trigger conditions; ③ a six-step self-check guide, HN community debate, and what attitude we should take when AI vendors cross trust boundaries. Wording follows "according to reports / reverse-engineering / alleged"—motives and methods are evaluated separately.

01 What happened in 2026: Claude steganography and browser injection

This wave of controversy is actually two independent incidents stacking on each other. Keep them separate before you publish—HN, Reddit, and security readers will spot conflation instantly, and it hurts credibility.

Incident timeline and key milestones

| Date | Event | Source |
| --- | --- | --- |
| 2026-04 (from ~4/18) | Incident A: Claude Desktop silently writes browser Native Messaging manifests | Alexander Hanff (The Register contributor) |
| 2026-06-30 | Incident B: Claude Code system prompt steganography exposed via reverse engineering | thereallo.dev → Reddit → Hacker News |
| 2026-07-01 | Anthropic ships Claude Code 2.1.197, removing steganography code (not mentioned in changelog) | Tech Startups / Developers Digest and others |
| HN discussion | Front page within hours; 350+ points, 100+ comments; community split two ways | Hacker News |

  • Incident A pain point: After installing Claude Desktop (macOS), it silently writes com.anthropic.claude_browser_extension.json into Chrome, Edge, Brave, Arc, Vivaldi, Opera, and Chromium—pre-authorizing 3 extension IDs to call chrome-native-host outside the browser sandbox. Directories are created even when the browser is not installed; deleted files reappear after restart.
  • Incident B pain point: A hidden fingerprint is embedded in the system prompt date line only when ANTHROPIC_BASE_URL ≠ api.anthropic.com; it is not triggered on every conversation.
  • Independent consultant Noah Kenney (Digital 520) confirmed Hanff's technical claims for Incident A are reproducible; Antiy Labs published a risk analysis of Claude Desktop's high-privilege browser channel.

02 Claude Desktop injection vs Claude Code steganography: comparison matrix

Incident A (silent browser injection) vs Incident B (system prompt steganography)

| Dimension | Incident A: Silent browser injection | Incident B: System prompt steganography |
| --- | --- | --- |
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Discloser | Alexander Hanff (privacy consultant) | Developer reverse-engineered binary; published on thereallo.dev |
| Labels applied | "spyware" / "backdoor" | "prompt steganography" / "covert channel" |
| Trigger | Install or launch Claude Desktop | Only when a non-official Base URL (proxy/gateway) is set |
| Anthropic response | No formal public response; later versions added an opt-in switch; underlying permission model not fully removed | Acknowledged code existed; shipped 2.1.197 on 7/1 to remove it; changelog silent |

Mainstream reading: Anthropic aimed to detect unauthorized reselling and model distillation, not to surveil individuals. The fight is over means—covert, obfuscated, undisclosed—not the stated purpose.

03 How Claude Code steganography works: Unicode apostrophe fingerprint table

Key precondition: this only runs when you point ANTHROPIC_BASE_URL at a non-official address—proxy, gateway, third-party reseller, or OpenAI-compatible layer. The official api.anthropic.com endpoint is untouched. Reverse engineers verified the logic in versions 2.1.193, 2.1.195, and 2.1.196.

Once triggered, the program does two things, both hidden inside the innocuous system prompt line Today's date is ...:

  1. Change the date separator: If the system timezone is Asia/Shanghai or Asia/Urumqi, 2026-06-30 becomes 2026/06/30.
  2. Swap the apostrophe: Replace the apostrophe in Today's with a visually identical but Unicode-distinct character, encoding what was matched.

Unicode apostrophe and date format mapping (per thereallo.dev reverse-engineering report)

| Condition detected | Date format | Apostrophe character | Unicode |
| --- | --- | --- | --- |
| Default (no match) | 2026-06-30 | ' standard ASCII apostrophe | U+0027 |
| China org/reseller domain matched | 2026-06-30 | ’ right single quotation mark | U+2019 |
| China AI lab keyword matched | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab matched | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| China timezone added | 2026/06/30 | (same rules as above) | |

Domain and keyword lists were lightly obfuscated with base64 + XOR(91)—roughly 147 domain rules. Keywords include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, and others.

In plain terms: Your request looks like a normal English prompt, but the backend can read the date separator and apostrophe Unicode codepoint and tag you in the background—"this user routes through an overseas VPN but sits in a China timezone, possibly tied to a Chinese AI lab." That is classic covert channel and prompt steganography.

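check-apostrophe.sh
#!/bin/sh
# Print the codepoint of the character right after "Today" in a captured system prompt.
# The quoted heredoc keeps the shell from touching "!" and "$" in the Python source.
python3 - <<'PY'
s = open('system_prompt.txt', encoding='utf-8').read()
idx = s.find('Today')
# "Today" is 5 characters long, so idx+5 is the apostrophe position.
if idx >= 0 and idx + 5 < len(s):
    c = s[idx+5]
    print(f'Char: {c!r}  Codepoint: U+{ord(c):04X}')
PY
# Official endpoint expected: U+0027
# Proxy users may see: U+2019 / U+02BC / U+02B9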
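
The mapping table above, turned into a decoder for a captured prompt (an added example, not code from the original article or from Claude Code). It goes beyond the one-character check by also reading the date separator; the exact wording of the date line assumed by the regular expression is an assumption, and the sample prompts are constructed for illustration.

```python
import re
from typing import Optional

# Mapping copied from the table on this page (per the cited reverse-engineering report).
APOSTROPHE_SIGNAL = {
    "\u0027": "default (no match)",
    "\u2019": "China org/reseller domain matched",
    "\u02bc": "China AI lab keyword matched",
    "\u02b9": "both domain and lab matched",
}

# "Today", any single character, "s date is", then a date whose two
# separators must be the same character ('-' or '/').
DATE_LINE = re.compile(r"Today(.)s date is\s+(\d{4})([-/])(\d{2})\3(\d{2})")

def decode_date_line(prompt: str) -> Optional[dict]:
    """Return the signal carried by the date line, or None if the line is absent."""
    m = DATE_LINE.search(prompt)
    if m is None:
        return None
    apostrophe, sep = m.group(1), m.group(3)
    return {
        "codepoint": f"U+{ord(apostrophe):04X}",
        "match": APOSTROPHE_SIGNAL.get(apostrophe, "unlisted character"),
        "china_timezone": sep == "/",   # 2026/06/30 instead of 2026-06-30
        "clean": apostrophe == "\u0027" and sep == "-",
    }

# Constructed sample prompts, not captured traffic.
SAMPLES = {
    "official": "You are a coding agent.\nToday's date is 2026-06-30.\n",
    "lab+tz": "You are a coding agent.\nToday\u02bcs date is 2026/06/30.\n",
    "both": "Today\u02b9s date is 2026-06-30.",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(name, decode_date_line(text))
```
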

04 Why did Anthropic do this? Is Claude Code spyware?

Motive: anti-distillation and anti-unauthorized reselling

The mainstream, relatively measured view: the goal was anti-distillation plus blocking unauthorized API reselling. Anthropic, OpenAI, and Google have all publicly worried about rivals pulling massive API output to train smaller models. China-related proxies, resellers, and labs were prime suspects—hence the tagging logic.

The purpose may be understandable; the method is the problem: Turning classification signals into invisible, obfuscated bytes inside every request crosses a trust line for a developer tool that lives on trust. HN split hard: one camp calls it legitimate anti-distillation defense; the other says it is malware-adjacent behavior for a dev tool.

"Spyware" is an emotional label. More precise framing:

  • Incident A is closer to unauthorized modification of third-party software plus a dormant high-privilege attack surface—even if not exploited yet, it pre-wired a browser-sandbox escape channel. Combined with Claude for Chrome's self-reported prompt injection success rates (no mitigation 23.6%, with mitigation 11.2%), the risk is real.
  • Incident B is closer to undisclosed covert telemetry / user classification.

Whether or not you use the word "spyware," the core issue is the same: the behavior ran without informed user consent and was deliberately hidden. That aligns with the trust-boundary questions raised in our earlier analysis of Claude Fable 5 export controls and the MCP protocol.

Two camps on HN

  • Defense camp: Reasonable anti-distillation defense; protects the API from reselling and distillation.
  • Critic camp: Malware-adjacent behavior for a dev tool—should be disclosed with an opt-out, not hidden in punctuation.

05 How to self-check Claude Code steganography: six-step protection guide

  1. Check ANTHROPIC_BASE_URL: Run echo $ANTHROPIC_BASE_URL in your shell. If empty or pointing at api.anthropic.com, Incident B logic does not trigger. Proxy and gateway users should investigate first.
  2. Upgrade Claude Code to 2.1.197+: Anthropic shipped this build on 2026-07-01 with steganography removed. Run claude --version to confirm.
  3. Audit system timezone: Run date +%Z and readlink /etc/localtime on Linux, or check System Settings on macOS, for Asia/Shanghai or Asia/Urumqi.
  4. Capture and inspect the system prompt: Under proxy conditions, export the prompt via packet capture or debug mode. Check whether the apostrophe in Today's is anything other than U+0027.
  5. Inspect Claude Desktop Native Messaging (Incident A): On macOS, look under ~/Library/Application Support/<browser>/NativeMessagingHosts/ for com.anthropic.claude_browser_extension.json. Delete if needed—note Claude Desktop may recreate it on restart.
  6. Least-privilege isolation for enterprise and sensitive environments: Evaluate whether desktop agents belong in production paths. Treat any desktop AI agent as high-privilege software—explicit consent, auditability, network isolation. When comparing tools, weight telemetry transparency; see our AI coding assistant comparison.
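
Steps 1, 2, 3 and 5 combined into one offline audit function (an added example, not part of the original article or any Anthropic tooling). The function names are hypothetical, the version text is assumed to contain an x.y.z number, and the manifest search assumes the macOS path layout given in step 5.

```python
import re
from pathlib import Path
from urllib.parse import urlparse

OFFICIAL_HOST = "api.anthropic.com"
FIXED_VERSION = (2, 1, 197)   # first build without the logic, per this page
FLAGGED_ZONES = {"Asia/Shanghai", "Asia/Urumqi"}
MANIFEST = "com.anthropic.claude_browser_extension.json"

def base_url_is_official(url):
    """Step 1: unset, empty, or host api.anthropic.com."""
    if not url:
        return True
    # Compare the parsed host, not a substring, so a name such as
    # api.anthropic.com.proxy.example is not taken for the official endpoint.
    host = urlparse(url if "//" in url else "//" + url).hostname
    return host == OFFICIAL_HOST

def version_has_fix(version_text):
    """Step 2: numeric compare (as strings, '2.1.20' would sort above '2.1.197')."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text or "")
    return bool(m) and tuple(int(p) for p in m.groups()) >= FIXED_VERSION

def find_manifests(home):
    """Step 5: manifests in any NativeMessagingHosts dir under Application Support."""
    root = Path(home) / "Library" / "Application Support"
    return sorted(root.glob(f"**/NativeMessagingHosts/{MANIFEST}"))

def audit(base_url, version_text, timezone, home):
    """Return a list of findings; an empty list means nothing to follow up."""
    findings = []
    if not base_url_is_official(base_url):
        findings.append("ANTHROPIC_BASE_URL is not the official endpoint")
    if not version_has_fix(version_text):
        findings.append("Claude Code is older than 2.1.197 or version unknown")
    if timezone in FLAGGED_ZONES:
        findings.append(f"system timezone is {timezone}")
    findings += [f"Native Messaging manifest: {p}" for p in find_manifests(home)]
    return findings

if __name__ == "__main__":
    import os, sys
    tz = os.path.realpath("/etc/localtime").partition("zoneinfo/")[2]
    ver = sys.argv[1] if len(sys.argv) > 1 else ""
    for line in audit(os.environ.get("ANTHROPIC_BASE_URL"), ver, tz, Path.home()):
        print(line)
```

Pass the output of claude --version as the first argument when running it directly.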

06 Citable technical data and key parameters

  • Domain rule count: ~147 rules, stored in the Claude Code binary as base64 + XOR(91) obfuscation (per reverse-engineering reports).
  • Affected versions: 2.1.193, 2.1.195, 2.1.196 contained steganography logic; 2.1.197 (2026-07-01) removed it.
  • HN discussion heat: 350+ points, 100+ comments, front page within hours.
  • Claude for Chrome prompt injection success rate: 23.6% without mitigation, 11.2% with mitigation (Anthropic self-reported; relevant to Incident A risk context).
  • Trigger condition: Only when ANTHROPIC_BASE_URL ≠ api.anthropic.com; official endpoint users unaffected by Incident B.
  • Unicode codepoints: U+0027 (default), U+2019 (China domain), U+02BC (AI lab keyword), U+02B9 (dual match).

Authoritative sources: The Register (Claude Desktop permission changes), Malwarebytes / gHacks / YOOTA (Native Messaging coverage), thereallo.dev (original reverse engineering), Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix), Antiy Labs risk analysis report.

07 Claude Code steganography FAQ

Q: Is Claude Code spyware?
A: Not in the traditional sense, but according to reverse-engineering reports, it hid undisclosed, obfuscated fingerprints in system prompts to tag China-related users on proxies. Anthropic removed this in 2.1.197. More accurate: an undisclosed covert channel.

Q: Does Claude Code detect my timezone?
A: Only when a non-official ANTHROPIC_BASE_URL is set. It checks Asia/Shanghai / Asia/Urumqi and rewrites the date separator. Official endpoint users are unaffected.

Q: What is the Unicode apostrophe trick in Today's date?
A: The apostrophe in Today's switches among U+0027, U+2019, U+02BC, and U+02B9 to encode whether your endpoint matched China-related domains, AI lab keywords, both, or neither.

Q: Why did Anthropic add this?
A: Per mainstream community reading, most likely to detect model distillation and unauthorized API reselling—a legitimate goal, but implemented without disclosure and deliberately hidden.

Q: Is this the same as the Claude Desktop "spyware" story?
A: No. The April 2026 silent writes of browser Native Messaging manifests by Claude Desktop are Incident A. The June 30, 2026 Claude Code prompt steganography is Incident B.

Q: Are regular Claude web users affected?
A: Incident B only applies to Claude Code with a non-official Base URL. Standard official endpoint users are not hit by this logic.

Q: How do I remove Claude Desktop's injected browser files?
A: Delete com.anthropic.claude_browser_extension.json under ~/Library/Application Support/<browser>/NativeMessagingHosts/. Restarting Claude Desktop may recreate it.

Q: What is the ANTHROPIC_BASE_URL fingerprint?
A: When Base URL points at a non-official proxy, Claude Code matches proxy domains and keywords, then embeds different Unicode characters in the system prompt date line as a classification signal back to the server.

Q: Should I still worry?
A: If you upgraded Claude Code to 2.1.197+ and do not use non-official proxies, Incident B is fixed. Incident A's Claude Desktop Native Messaging issue reportedly gained an opt-in switch in later versions but the underlying model was not fully removed—still worth auditing.

Q: Should I keep trusting Anthropic?
A: That is a values call. Technical consensus: default to skepticism and evidence—reproducible, auditable, and disable-able behavior earns trust; vendors should disclose, not hide.

08 When AI vendors overreach: conclusion and what to do

The real warning is not "one apostrophe." It is this: as model capability races ahead and security boundaries, consent, and audit trails lag, vendors can easily cross trust lines in the name of "experience" or "abuse prevention." PC and smartphone history is repeating—now on desktop AI agents.

Practical responses for users and practitioners: ① Default to skepticism; demand evidence—reproducible, auditable, disable-able; ② Require disclosure, not hiding—anti-distillation can be done openly; ③ Least privilege plus boundary isolation; ④ Vote with your feet and push for regulation (GDPR, privacy law). Technology can be neutral; companies cannot—the greater the capability, the tighter the self-restraint should be. This should not be a secret you only find by reverse-engineering a binary.
