Security · AI trust crisis · 2026.07.03

Claude Code steganography: how Anthropic tagged users with a single apostrophe

Bottom line: at the end of June 2026, according to a reverse-engineering report, Claude Code (not web Claude), when ANTHROPIC_BASE_URL points at an unofficial proxy, used text steganography in the line Today's date is..., switching the date separator and a near-indistinguishable Unicode apostrophe to quietly exfiltrate bits such as "China timezone?" and "match on a China domain/AI lab?". Anthropic removed it in 2.1.197; most likely anti-distillation/anti-reselling, but the method was covert and obfuscated.

For Claude Code devs, security engineers and enterprise IT: ① two independent incidents (April Desktop injection, June Code steganography), ② the Unicode fingerprint table and trigger conditions, ③ a six-step self-check, the HN flame war, and a stance for when an AI vendor oversteps. Wording throughout: "according to the leak/reverse/allegations"; the goal (anti-distillation) and the means (steganography) are assessed separately.

01 Claude steganography and browser injection 2026: what happened

This wave is really two independent incidents that landed on top of each other. Separate them before publishing; otherwise the HN / Reddit / security crowd instantly spots the confusion and E-E-A-T suffers.

Timeline and key nodes
| When | Incident | Source |
| --- | --- | --- |
| 2026-04 (from ~18 April) | Incident A: Claude Desktop silently writes a browser Native Messaging manifest | Alexander Hanff (The Register) |
| 2026-06-30 | Incident B: Claude Code system prompt steganography exposed by reverse engineering | thereallo.dev → Reddit → Hacker News |
| 2026-07-01 | Anthropic releases Claude Code 2.1.197, removes the steg code (changelog silent) | Tech Startups / Developers Digest and others |
| HN thread | Front page within hours, 350+ points, 100+ comments, community split down the middle | Hacker News |
  • Incident A pain point: after install, Claude Desktop (macOS) writes com.anthropic.claude_browser_extension.json into Chrome/Edge/Brave/Arc/Vivaldi/Opera/Chromium without notice, pre-authorizing 3 extension IDs to invoke chrome-native-host outside the sandbox. The directory is created even with no browser installed; delete + restart = respawn.
  • Incident B pain point: only when ANTHROPIC_BASE_URL ≠ api.anthropic.com does it embed a covert fingerprint in the date line; not every chat is guaranteed to trigger.
  • Independent advisor Noah Kenney (Digital 520) confirmed the reproducibility of Hanff's technical claims on incident A. Antiy Labs released a risk analysis of Claude Desktop's high-privilege browser channel.

02 Claude Desktop injection vs Claude Code steganography: comparison matrix

Incident A (silent browser injection) vs incident B (system prompt steganography)
| Dimension | Incident A: silent browser injection | Incident B: system prompt steganography |
| --- | --- | --- |
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Whistleblower | Alexander Hanff (privacy advisor) | Dev who reverse-engineered the binary, posted on thereallo.dev |
| Labels | "spyware" / "backdoor" | "prompt steganography" / "covert channel" |
| Trigger | Install/start Claude Desktop | Only an unofficial Base URL (proxy/gateway) |
| Anthropic response | No official statement; later an opt-in switch, underlying permission model intact | Admitted the code exists, 2.1.197 removed it on 1 July, changelog silent |

Mainstream read: Anthropic wanted to detect unauthorized reselling and model distillation, not to surveil individuals. The dispute is about the means (covert, obfuscated, undisclosed), not the goal.

03 How Claude Code steganography works: the Unicode apostrophe table

Key prerequisite: it only fires when ANTHROPIC_BASE_URL points at an unofficial address (proxy, gateway, third-party reseller, OpenAI-compatible layer). The official api.anthropic.com is untouched. Reversers checked 2.1.193 / 2.1.195 / 2.1.196; the logic is present in all three.

Once triggered, two things happen inside the innocuous Today's date is ... line:

  1. Date separator swap: if the system TZ is Asia/Shanghai or Asia/Urumqi, 2026-06-30 becomes 2026/06/30.
  2. Apostrophe swap: the ' in Today's is replaced with a visually identical but Unicode-distinct character that encodes what matched.
Unicode apostrophe + date format mapping (thereallo.dev reverse report)
| Detected condition | Date format | Apostrophe char | Unicode |
| --- | --- | --- | --- |
| Default (no match) | 2026-06-30 | ' standard ASCII apostrophe | U+0027 |
| China institution/reseller domain hit | 2026-06-30 | ’ right single quotation mark | U+2019 |
| China AI lab keyword hit | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Domain + lab both hit | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| Plus China timezone | 2026/06/30 | (same rules as above) | |

Domain and keyword lists: base64 + XOR(91) light obfuscation, ~147 domain rules; keywords include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai.

Plain English: the request looks like a normal English prompt, but the backend glances at the date separator + apostrophe codepoint and tags "user on an overseas VPN but China TZ, maybe an AI lab". A classic covert channel + prompt steganography.

check-apostrophe.sh
#!/bin/sh
# Check the Unicode codepoint of the apostrophe in "Today's date is ..." inside a captured system prompt.
# Usage: sh check-apostrophe.sh [system_prompt.txt]   (defaults to system_prompt.txt in the current directory)
python3 - "${1:-system_prompt.txt}" <<'EOF'
import re, sys
s = open(sys.argv[1], encoding="utf-8").read()
# Match "Today<any single char>s date is" so non-ASCII apostrophes are caught too
m = re.search(r"Today(.)s date is", s)
if m:
    c = m.group(1)
    print(f"Char: {c!r}  Codepoint: U+{ord(c):04X}")
else:
    print("No 'Today...s date is' line found in", sys.argv[1])
EOF
# Official endpoint: expect U+0027; proxy users may see U+2019 / U+02BC / U+02B9

04 Why did Anthropic do this? Is Claude Code spyware?

Motivation: anti-distillation + anti-reselling

The community's mainstream (relatively measured) call: the goal = anti-distillation + detecting unauthorized API reselling. Anthropic, OpenAI and Google publicly worry that rivals pull massive API output to train smaller models. China-related proxies, resellers and labs are prime suspects, hence the tagging logic.

The goal is understandable; the means are the problem: classification signals invisible to the eye, obfuscated, baked into every request. For a tool that lives on developer trust this is a red line. HN split: "legitimate anti-distillation defense" vs "malware-adjacent behavior for a dev tool".

"Spyware" is an emotional label. A more accurate framing:

  • Incident A is closer to "unauthorized tampering with third-party software + a pre-laid dormant attack surface": even if not exploited yet, a high-privilege channel outside the browser sandbox is pre-built. Claude for Chrome's self-disclosed prompt injection success rate, 23.6% without mitigation and 11.2% with, is the real risk context.
  • Incident B is closer to "undisclosed covert telemetry / user classification".

Spyware label or not, the core issue is the same: no informed consent, intentionally hidden. Related to the Claude Fable 5 export control and MCP protocol stories under the AI vendor trust boundary theme.

HN two camps

  • Defense camp: reasonable anti-distillation defense, protect API from resell/distill.
  • Critic camp: malware-adjacent for dev tool; disclose + give toggle, don't hide in punctuation.

05 Self-check for Claude Code steganography: a six-step protection guide

  1. Check ANTHROPIC_BASE_URL: run echo $ANTHROPIC_BASE_URL; empty or api.anthropic.com means the incident B logic won't fire. Proxy/gateway users: audit first.
  2. Upgrade Claude Code to 2.1.197+: Anthropic shipped the removal on 2026-07-01. Run claude --version to confirm.
  3. Audit the system timezone: date +%Z, readlink /etc/localtime (Linux) or System Settings (macOS); look for Asia/Shanghai / Asia/Urumqi.
  4. Capture and analyze the system prompt: behind a proxy, use a network capture or a debug export of the prompt; check whether the apostrophe codepoint in Today's is ≠ U+0027.
  5. Audit Claude Desktop Native Messaging (incident A): on macOS check ~/Library/Application Support/<browser>/NativeMessagingHosts/ for com.anthropic.claude_browser_extension.json and delete it if needed; a Claude Desktop restart may recreate it.
  6. Enterprise least-privilege isolation: evaluate the Desktop Agent in the prod pipeline; treat any desktop AI agent as high-privilege: explicit authorization, auditable, network-isolated. Weight "telemetry transparency" when comparing AI coding assistants.
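Added example, not code from the original post, from Anthropic, or from the thereallo.dev report: a Python self-check that applies the section 03 mapping table (apostrophe codepoint + date separator) to a captured system prompt and covers steps 1, 3, 4 and 5 of the guide above in one run. The function names, the constructed sample prompts, the manifest search depth under Application Support and the zoneinfo path parsing are assumptions.

```python
"""Self-check for the incident B date-line fingerprint and the incident A manifest.
Added example; not Anthropic's code. Applies the page's published table only."""
from __future__ import annotations

import os
import re
import sys
import unicodedata
from pathlib import Path
from urllib.parse import urlparse

# Apostrophe codepoint -> detected condition, exactly as in the page's section 03 table.
APOSTROPHE_MEANING = {
    "\u0027": "default (no match)",
    "\u2019": "China institution/reseller domain hit",
    "\u02bc": "China AI lab keyword hit",
    "\u02b9": "domain + lab both hit",
}
OFFICIAL_HOST = "api.anthropic.com"
CHINA_TZ = {"Asia/Shanghai", "Asia/Urumqi"}
MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"

# "Today<apostrophe>s date is YYYY-MM-DD" or "YYYY/MM/DD". The apostrophe slot is
# captured as any single character so that non-ASCII variants are not missed.
DATE_LINE_RE = re.compile(
    r"Today(?P<apos>.)s date is (?P<date>\d{4}(?P<sep>[-/])\d{2}(?P=sep)\d{2})"
)


def decode_date_line(prompt: str) -> dict | None:
    """Step 4: decode the two signals (apostrophe codepoint, date separator)."""
    m = DATE_LINE_RE.search(prompt)
    if m is None:
        return None
    apos, sep = m.group("apos"), m.group("sep")
    return {
        "date": m.group("date"),
        "apostrophe": f"U+{ord(apos):04X}",
        "apostrophe_name": unicodedata.name(apos, "UNKNOWN"),
        "match": APOSTROPHE_MEANING.get(apos, "unknown codepoint (not in the report's table)"),
        "china_timezone_flag": sep == "/",
        # Anything other than ASCII apostrophe + '-' separator is a fingerprint.
        "fingerprinted": apos != "\u0027" or sep == "/",
    }


def base_url_is_official(url: str | None) -> bool:
    """Step 1: unset/empty, or a host of api.anthropic.com, means the logic should not fire."""
    if not url:
        return True
    if "://" not in url:
        url = "https://" + url  # bare host without a scheme
    return urlparse(url).hostname == OFFICIAL_HOST


def timezone_from_localtime_target(target: str) -> str | None:
    """Step 3: IANA zone name from the /etc/localtime symlink target
    (e.g. /var/db/timezone/zoneinfo/Asia/Shanghai on macOS). Assumes a zoneinfo layout."""
    parts = Path(target).parts
    if "zoneinfo" not in parts:
        return None
    return "/".join(parts[parts.index("zoneinfo") + 1:])


def system_timezone() -> str | None:
    tz = os.environ.get("TZ")
    if tz:
        return tz
    try:
        return timezone_from_localtime_target(str(Path("/etc/localtime").resolve()))
    except OSError:
        return None


def find_manifests(app_support: Path) -> list[Path]:
    """Step 5: find the incident A manifest under <browser>/NativeMessagingHosts/.
    Searches one and two directory levels deep (assumption: some browsers nest, e.g. Google/Chrome)."""
    hits: list[Path] = []
    for pattern in (f"*/NativeMessagingHosts/{MANIFEST_NAME}", f"*/*/NativeMessagingHosts/{MANIFEST_NAME}"):
        hits.extend(app_support.glob(pattern))
    return sorted(hits)


# Constructed sample prompts (not real captures): official-looking vs. fingerprinted.
SAMPLE_OFFICIAL = "You are Claude Code.\nToday's date is 2026-06-30.\n"
SAMPLE_FLAGGED = "You are Claude Code.\nToday\u02bcs date is 2026/06/30.\n"


def main(argv: list[str]) -> int:
    prompt = Path(argv[1]).read_text(encoding="utf-8") if len(argv) > 1 else SAMPLE_FLAGGED
    print("ANTHROPIC_BASE_URL official:", base_url_is_official(os.environ.get("ANTHROPIC_BASE_URL")))
    tz = system_timezone()
    print("system timezone:", tz, "(China TZ rule applies)" if tz in CHINA_TZ else "")
    print("date line:", decode_date_line(prompt))
    app_support = Path.home() / "Library" / "Application Support"
    if app_support.is_dir():
        print("incident A manifests:", [str(p) for p in find_manifests(app_support)])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as python3 selfcheck.py captured_prompt.txt behind a proxy; with no argument it decodes the constructed flagged sample, which reports U+02BC plus the slash separator, i.e. "AI lab keyword hit" with the China timezone flag set.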

06 Citable tech data and key parameters

  • Domain rule count: ~147, base64 + XOR(91) obfuscated in Claude Code binary (reverse report).
  • Affected versions: 2.1.193, 2.1.195, 2.1.196 had steg logic; 2.1.197 (2026-07-01) removed.
  • HN heat: 350+ points, 100+ comments, front page in hours.
  • Claude for Chrome prompt injection success: 23.6% no mitigation, 11.2% with (Anthropic disclosed, incident A risk context).
  • Trigger: only ANTHROPIC_BASE_URL ≠ api.anthropic.com; official endpoint users unaffected by incident B.
  • Unicode codepoints: U+0027 (default), U+2019 (China domain), U+02BC (AI lab keyword), U+02B9 (double hit).

Authoritative sources: The Register (Claude Desktop permission changes), Malwarebytes / gHacks / YOOTA (Native Messaging coverage), thereallo.dev (original reverse), Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix), Antiy Labs risk analysis.

07 Claude Code steganography FAQ

Q: Is Claude Code spyware?
A: Not classic spyware, but the reverse report says it hid undisclosed, obfuscated fingerprints tagging China-related proxy users; removed in 2.1.197. More accurate: "undisclosed covert channel".

Q: Does Claude Code detect my timezone?
A: Only with an unofficial ANTHROPIC_BASE_URL; it checks for Asia/Shanghai / Asia/Urumqi and changes the date separator. On the official endpoint the date line is untouched.

Q: How does the Today's date apostrophe Unicode mechanism work?
A: It switches the apostrophe in Today's among U+0027, U+2019, U+02BC and U+02B9, encoding whether the endpoint matched China domains, AI lab keywords, both, or neither.

Q: Why did Anthropic add this?
A: Community read: to detect model distillation and unauthorized API reselling; a legitimate goal with an undisclosed, hidden implementation.

Q: Is this the same as the Claude Desktop "spyware" incident?
A: No. The April 2026 silent Native Messaging write is incident A; the June 30 2026 Claude Code prompt steganography is incident B.

Q: Are regular Claude web users affected?
A: Incident B affects only Claude Code with an unofficial Base URL. Normal official-endpoint users are out of scope.

Q: How do I delete the browser files Claude Desktop injected?
A: In ~/Library/Application Support/<browser>/NativeMessagingHosts/, find and delete com.anthropic.claude_browser_extension.json; restarting Claude Desktop may recreate it.

Q: What is the ANTHROPIC_BASE_URL fingerprint?
A: When the Base URL points at an unofficial proxy, Claude Code embeds a different Unicode character in the system prompt's date line depending on the domain/keyword match, as a classification signal back to the server.

Q: Should I still worry?
A: Claude Code 2.1.197+ without an unofficial proxy: incident B is fixed. Incident A Native Messaging: a later opt-in switch was added, but per reports the underlying model was not eradicated; self-audit.

Q: Keep trusting Anthropic?
A: A value judgment. Tech consensus: default distrust, evidence-first. Reproducible, auditable, disable-able earns trust; vendors should disclose, not hide.

08 AI vendor overreach and our response: conclusion

The real warning is not "one apostrophe" but this: model capabilities rocket ahead while security boundaries, authorization and audit lag behind, and vendors cross trust lines unilaterally in the name of "experience/anti-abuse". History repeats from the dawn of the PC and the smartphone, now on desktop AI agents.

Practical response: ① default distrust, evidence-first (reproducible, auditable, disable-able); ② demand disclosure, not hiding (anti-distillation can be done above board); ③ least privilege + boundary isolation; ④ vote with your feet + use the regulatory frame (GDPR). Technology has no stance, companies must: more capability demands more self-restraint, and it shouldn't take a binary reverse for users to discover the secrets.

For prod teams running Claude Code, an OpenClaw gateway or a self-hosted MCP Server in an isolated env, a pure local dev machine has three real gaps: home broadband jitter killing long SSH/API connections, laptop lid suspend hanging agent jobs, and multi-dev shared envs that are hard to audit for permission boundaries. For stable AI agent automation in prod, JEXCLOUD multi-region bare-metal Mac: dedicated Apple Silicon, 7×24 online, monthly elastic scaling, 120s delivery; run the heavy Claude Code on the cloud Mac and keep only the interaction local; separate network + timezone config for compliance isolation. Nodes and pricing: JEXCLOUD pricing page.