Claude Code steganography: how Anthropic tagged users with a single apostrophe
Bottom line: in late June 2026, according to a reverse-engineering report, Claude Code (not web Claude), when `ANTHROPIC_BASE_URL` points to an unofficial proxy, uses text steganography in the `Today's date is...` line: it switches the date separator and a nearly indistinguishable Unicode apostrophe, quietly exfiltrating bits such as "China timezone?" and "match on a China domain/AI lab?". Anthropic removed it in 2.1.197; most likely it was anti-distillation/reselling, but the method was covert and obfuscated.
For Claude Code devs, security engineers and enterprise IT: ① two independent incidents (April Desktop injection, June Code steganography), ② the Unicode fingerprint table and trigger conditions, ③ a six-step self-check, the HN flame war and what stance to take when an AI vendor oversteps. Wording: "according to the leak / the reverse engineering / it is alleged"; we assess the goal (anti-distill) and the means (steg) separately.
01 Claude steganography and browser injection 2026: what happened
This wave is really two independent incidents layered on top of each other. Separate them before publishing; otherwise the HN / Reddit / security crowd will instantly spot the confusion, and E-E-A-T suffers.
| When | Incident | Source |
|---|---|---|
| 2026-04 (~from April 18) | Incident A: Claude Desktop silently writes a browser Native Messaging manifest | Alexander Hanff (The Register) |
| 2026-06-30 | Incident B: Claude Code system prompt steganography exposed by reverse engineering | thereallo.dev → Reddit → Hacker News |
| 2026-07-01 | Anthropic releases Claude Code 2.1.197, removes steg code (changelog is silent) | Tech Startups / Developers Digest and others |
| HN thread | Front page within hours, 350+ points, 100+ comments, community split in half | Hacker News |
- Incident A pain point: after install, Claude Desktop (macOS) writes `com.anthropic.claude_browser_extension.json` without notice into Chrome/Edge/Brave/Arc/Vivaldi/Opera/Chromium, pre-authorizing 3 extension IDs to call `chrome-native-host` outside the sandbox. The directory is created even when the browser is not installed; delete + restart = respawn.
- Incident B pain point: only when `ANTHROPIC_BASE_URL ≠ api.anthropic.com` does it embed a covert fingerprint in the date line; not every chat is guaranteed to trigger it.
- Independent advisor Noah Kenney (Digital 520) confirmed the reproducibility of Hanff's tech claims on incident A. Antiy Labs published a risk analysis of Claude Desktop's high-privilege browser channel.
02 Claude Desktop injection vs Claude Code steganography: comparison matrix
| Dimension | Incident A: silent browser injection | Incident B: system prompt steganography |
|---|---|---|
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Whistleblower | Alexander Hanff (privacy advisor) | Dev reverse-engineered binary, posted thereallo.dev |
| Labels | "spyware" / "backdoor" | "prompt steganography" / "covert channel" |
| Trigger | Install/start Claude Desktop | Only an unofficial Base URL (proxy/gateway) |
| Anthropic response | No official statement; later opt-in switch, underlying permission model intact | Admitted code exists, 2.1.197 removed it on 2026-07-01, changelog silent |
Mainstream read: Anthropic wanted unauthorized reselling + model distillation detection, not personal surveillance. The dispute is about the means (covert, obfuscated, undisclosed), not about the goal.
03 How Claude Code steganography works: Unicode apostrophe table
Key prerequisite: only when `ANTHROPIC_BASE_URL` points to an unofficial address (proxy, gateway, third-party resell, OpenAI-compatible layer). The official api.anthropic.com is untouched. Reversers checked 2.1.193 / 2.1.195 / 2.1.196; the logic is present in all three.
After the trigger, two things happen in the innocuous `Today's date is ...` line:
- Date separator swap: if the system TZ is `Asia/Shanghai` or `Asia/Urumqi`, `2026-06-30` → `2026/06/30`.
- Apostrophe swap: the character in `Today's` is replaced with one that is visually identical but has a different Unicode code point, which encodes "what matched".
| Detected condition | Date format | Apostrophe char | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' standard ASCII apostrophe | U+0027 |
| China institution/reseller domain hit | 2026-06-30 | ’ right single quotation mark | U+2019 |
| China AI lab keyword hit | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Domain + lab both hit | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| Plus China timezone | 2026/06/30 | (same rules above) | — |
Domain and keyword lists: lightly obfuscated with base64 + XOR(91), ~147 domain rules; keywords include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai.
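Why this counts as light obfuscation, as an added example (not code from the reverse-engineering report): a scan that undoes base64 + XOR(91) over a blob and reports which of the listed keywords turn up. The layer order (base64-decode, then XOR every byte with 91) is an assumption, and the blob and its `.example` domain are constructed.

```python
import base64
import re

XOR_KEY = 91  # single-byte key named on the page
KEYWORDS = [b"deepseek", b"moonshot", b"zhipu", b"minimax",
            b"baichuan", b"stepfun", b"01ai"]
# Runs that look like a padded base64 string.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{8,}={0,2}")


def xor91(data: bytes) -> bytes:
    """XOR every byte with the key; applying it twice restores the input."""
    return bytes(b ^ XOR_KEY for b in data)


def obfuscate(plain: bytes) -> bytes:
    """Build constructed test data: XOR, then base64 (assumed layer order)."""
    return base64.b64encode(xor91(plain))


def find_obfuscated_keywords(blob: bytes):
    """Return (offset, keyword) for every base64 run that decodes to a keyword."""
    hits = []
    for m in B64_RUN.finditer(blob):
        try:
            plain = xor91(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # looked like base64 but is not
            continue
        hits.extend((m.start(), kw.decode()) for kw in KEYWORDS if kw in plain)
    return hits


# Constructed blob: one obfuscated entry between unrelated bytes.
SAMPLE_BLOB = b"\x00padding\x00" + obfuscate(b"api.deepseek.example") + b"\x00more\x00"

if __name__ == "__main__":
    print(b"deepseek" in SAMPLE_BLOB)            # a plain string search misses it
    print(find_obfuscated_keywords(SAMPLE_BLOB))  # the decode pass does not
```

A one-byte XOR under base64 hides strings from a plain `strings | grep` pass but not from anyone who tries the 256 possible keys.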
In plain English: the request looks like a normal English prompt, but the backend glances at the date separator + apostrophe codepoint and tags it "user on overseas VPN but China TZ, maybe AI lab". A classic covert channel + prompt steganography.
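```bash
# Check the Unicode codepoint of the apostrophe in "Today's" inside the system prompt.
# A quoted heredoc keeps the shell from interpreting the Python source (e.g. "!r").
python3 - <<'EOF'
s = open("system_prompt.txt", encoding="utf-8").read()
idx = s.find("Today")
if idx >= 0 and idx + 5 < len(s):
    c = s[idx + 5]  # the character right after "Today"
    print(f"Char: {c!r} Codepoint: U+{ord(c):04X}")
EOF
# Official endpoint: expect U+0027; proxy users may see U+2019 / U+02BC / U+02B9
```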
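A fuller version of that check, added here as an example (not code from the reverse-engineering report or from Anthropic): it decodes both signals in the date line using the table above. The function name and the assumption that a `YYYY-MM-DD` or `YYYY/MM/DD` date follows `Today's date is` belong to this example, and the sample prompts are constructed.

```python
import re
from typing import Optional

# Apostrophe code point -> condition, as listed in the table above.
APOSTROPHE_SIGNAL = {
    0x0027: "default (no match)",
    0x2019: "China institution/reseller domain hit",
    0x02BC: "China AI lab keyword hit",
    0x02B9: "domain + lab both hit",
}

# "Today", exactly one character of any kind, "s date is", then a date whose
# two separators are the same character ('-' or '/'). Assumed line layout.
DATE_LINE = re.compile(r"Today(.)s date is (\d{4})([-/])(\d{2})\3(\d{2})")


def inspect_date_line(prompt: str) -> Optional[dict]:
    """Return the signals carried by the date line, or None if it is absent."""
    m = DATE_LINE.search(prompt)
    if m is None:
        return None
    codepoint, separator = ord(m.group(1)), m.group(3)
    return {
        "codepoint": f"U+{codepoint:04X}",
        "condition": APOSTROPHE_SIGNAL.get(codepoint, "character not in the table"),
        "china_timezone": separator == "/",
        "clean": codepoint == 0x27 and separator == "-",
    }


# Constructed sample prompts (not captured traffic); escapes keep the
# look-alike characters unambiguous in source.
SAMPLES = [
    "You are a coding agent.\nToday's date is 2026-06-30.\n",
    "Today\u2019s date is 2026-06-30.",
    "Today\u02bcs date is 2026/06/30.",
    "Today\u02b9s date is 2026/06/30.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_date_line(sample))
```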
04 Why did Anthropic do this? Is Claude Code spyware?
Motivation: anti-distillation + anti-reselling
Community mainstream call (relatively measured): goal = anti-distillation + unauthorized API reselling. Anthropic, OpenAI, Google publicly worry rivals pull massive API output to train smaller models. China-related proxies, resellers, labs — prime suspects, hence tagging logic.
Goal understandable, means are the problem: classification signals invisible to the eye, obfuscated, baked into every request; for a tool that lives on dev trust this is a red line. HN split: "legitimate anti-distillation defense" vs "malware-adjacent behavior for a dev tool".
"Spyware" is an emotional label. Accurate framing:
- Incident A is closer to "unauthorized tampering with third-party software + pre-laid dormant attack surface": even if not exploited yet, a high-privilege channel outside the browser sandbox is pre-built. Claude for Chrome self-disclosed prompt injection success rate: no mitigation 23.6%, with mitigation 11.2%, which is the real risk context.
- Incident B is closer to "undisclosed covert telemetry / user classification".
Spyware label or not, the core issue is the same: without informed consent, intentionally hidden. Related to Claude Fable 5 export control and the MCP protocol: the AI vendor trust boundary theme.
HN two camps
- Defense camp: reasonable anti-distillation defense, protect API from resell/distill.
- Critic camp: malware-adjacent for dev tool; disclose + give toggle, don't hide in punctuation.
05 Self-check Claude Code steganography: six-step protection guide
- Check ANTHROPIC_BASE_URL: run `echo $ANTHROPIC_BASE_URL`; empty or `api.anthropic.com` means incident B logic won't fire. Proxy/gateway users: priority audit.
- Upgrade Claude Code to 2.1.197+: Anthropic shipped the removal on 2026-07-01. Run `claude --version` to confirm.
- Audit system timezone: `date +%Z`, `readlink /etc/localtime` (Linux) or System Settings (macOS) for `Asia/Shanghai` / `Asia/Urumqi`.
- Capture and analyze system prompt: under a proxy, use network capture or debug export of the prompt; check whether the `Today's` apostrophe codepoint ≠ U+0027.
- Audit Claude Desktop Native Messaging (incident A): on macOS, check each browser's `~/Library/Application Support/<browser>/NativeMessagingHosts/` for `com.anthropic.claude_browser_extension.json`; delete if needed; a Claude Desktop restart may recreate it.
- Enterprise least-privilege isolation: evaluate Desktop Agent in the prod pipeline; treat any desktop AI agent as high-privilege: explicit auth, auditable, network isolated. Weight "telemetry transparency" in AI coding assistant comparisons.
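Steps 1, 2, 3 and 5 as one script, added here as an example (not an Anthropic or vendor tool); step 4 is the date-line check from section 03. Function names are hypothetical; the version is read from whatever text you pass in, since the exact `claude --version` output format is not given on this page, and manifests are searched recursively because some browsers nest their directory under a vendor folder.

```python
import os
import re
from pathlib import Path
from urllib.parse import urlparse

OFFICIAL_HOST = "api.anthropic.com"
FLAGGED_TIMEZONES = ("Asia/Shanghai", "Asia/Urumqi")
MANIFEST = "com.anthropic.claude_browser_extension.json"
FIXED_VERSION = (2, 1, 197)


def base_url_is_official(env):
    """Step 1: unset/empty or host api.anthropic.com means no incident B trigger."""
    value = env.get("ANTHROPIC_BASE_URL", "").strip()
    if not value:
        return True
    # Compare the parsed host, so api.anthropic.com.proxy.example does not pass.
    host = urlparse(value if "//" in value else "//" + value).hostname
    return host == OFFICIAL_HOST


def version_is_fixed(version_text):
    """Step 2: True when the first x.y.z in the text is 2.1.197 or later."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_text)
    return bool(m) and tuple(map(int, m.groups())) >= FIXED_VERSION


def timezone_is_flagged(localtime_target):
    """Step 3: takes the symlink target printed by `readlink /etc/localtime`."""
    return any(localtime_target.endswith("/zoneinfo/" + tz) for tz in FLAGGED_TIMEZONES)


def find_manifests(app_support):
    """Step 5: manifest files in any NativeMessagingHosts directory below the root."""
    root = Path(app_support)
    if not root.is_dir():
        return []
    return sorted(p for p in root.rglob(MANIFEST)
                  if p.parent.name == "NativeMessagingHosts")


if __name__ == "__main__":
    print("base URL official:", base_url_is_official(os.environ))
    lt = "/etc/localtime"
    print("flagged timezone:", os.path.islink(lt) and timezone_is_flagged(os.readlink(lt)))
    for path in find_manifests(Path.home() / "Library" / "Application Support"):
        print("manifest present:", path)
```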
06 Citable tech data and key parameters
- Domain rule count: ~147, base64 + XOR(91) obfuscated in Claude Code binary (reverse report).
- Affected versions: 2.1.193, 2.1.195, 2.1.196 had steg logic; 2.1.197 (2026-07-01) removed.
- HN heat: 350+ points, 100+ comments, front page in hours.
- Claude for Chrome prompt injection success: 23.6% no mitigation, 11.2% with (Anthropic disclosed, incident A risk context).
- Trigger: only `ANTHROPIC_BASE_URL ≠ api.anthropic.com`; official endpoint users unaffected by incident B.
- Unicode codepoints: U+0027 (default), U+2019 (China domain), U+02BC (AI lab keyword), U+02B9 (double hit).
Authoritative sources: The Register (Claude Desktop permission changes), Malwarebytes / gHacks / YOOTA (Native Messaging coverage), thereallo.dev (original reverse), Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix), Antiy Labs risk analysis.
07 Claude Code steganography FAQ
Q: Claude Code — spyware?
A: Not classic spyware, but reverse report says it hid undisclosed obfuscated fingerprints tagging China-related proxy users; removed in 2.1.197. More accurate: «undisclosed covert channel».
Q: Claude Code detects my timezone?
A: Only with unofficial ANTHROPIC_BASE_URL; checks Asia/Shanghai / Asia/Urumqi, changes date separator. Official endpoint date line untouched.
Q: Today's date apostrophe Unicode mechanism?
A: Switches apostrophe in Today's among U+0027, U+2019, U+02BC, U+02B9 encoding endpoint match on China domains, AI lab keywords, both, or neither.
Q: Why did Anthropic add this?
A: Community read: detect model distillation and unauthorized API reselling — legitimate goal, undisclosed hidden implementation.
Q: Same as Claude Desktop «spyware» incident?
A: No. April 2026 silent Native Messaging write = incident A; June 30 2026 Claude Code prompt steg = incident B.
Q: Regular Claude web users affected?
A: Incident B only Claude Code + unofficial Base URL. Normal official endpoint users out of scope.
Q: Delete Claude Desktop injected browser files?
A: ~/Library/Application Support/<browser>/NativeMessagingHosts/, find and delete com.anthropic.claude_browser_extension.json; restart Claude Desktop may recreate.
Q: ANTHROPIC_BASE_URL fingerprint?
A: When Base URL points to unofficial proxy, Claude Code embeds different Unicode in system prompt date line per domain/keyword match as classification signal back to server.
Q: Still worry?
A: Claude Code 2.1.197+ without unofficial proxy — incident B fixed. Incident A Native Messaging: later opt-in switch but underlying model not eradicated per reports — self-audit.
Q: Keep trusting Anthropic?
A: Value judgment. Tech consensus: default distrust, evidence-first — reproducible, auditable, disable-able earns trust; vendors disclose not hide.
08 AI vendor overreach and our response: conclusion
The real warning is not "one apostrophe" but this: model capabilities rocket ahead while security boundaries, authorization and audit lag, and vendors cross trust lines unilaterally under "experience/anti-abuse". History repeats from the PC/smartphone dawn, now on desktop AI agents.
Practical response: ① default distrust, evidence-first — reproducible, auditable, disable-able; ② demand disclosure not hiding — anti-distillation can be above-board; ③ least privilege + boundary isolation; ④ vote with feet + regulatory frame (GDPR). Tech has no stance, companies must — more capability demands more self-restraint; shouldn't be secrets users discover via binary reverse.
For prod teams running Claude Code, an OpenClaw gateway or a self-hosted MCP Server in an isolated env, a pure local dev machine has three real gaps: home broadband jitter killing SSH/API long connections, laptop lid suspend hanging agent jobs, and a multi-dev shared env where permission boundaries are hard to audit. For stable AI agent automation in prod, JEXCLOUD offers multi-region bare-metal Macs: dedicated Apple Silicon, 7×24 online, monthly elastic scale, 120s delivery. Run heavy Claude Code on a cloud Mac and keep only interaction local; use separate network + timezone config for compliance isolation. Nodes and pricing: JEXCLOUD pricing page.