Security / Jul 1, 2026 / 5 min

Claude Code Hid Spyware in Your Date Line

On June 30, a developer reverse-engineered Claude Code and found three months of hidden steganography fingerprinting China-linked API routes — the same week Anthropic asked Congress to punish Alibaba for 28.8 million distillation queries and Sacramento signed a statewide Claude contract.

Thesis: Anthropic just proved the company preaching AI safety will ship covert client-side surveillance in the tool with shell access on your laptop — and the rollback landed in a changelog that never mentioned it.

On June 30, Reddit user LegitMichel777 reverse-engineered Claude Code and exposed three months of covert fingerprinting — hidden logic that read your timezone and custom API proxy, then encoded the results inside the "Today's date is" system prompt using invisible Unicode apostrophes Anthropic's servers could parse but users could not see. Anthropic engineer Thariq Shihipar called it a March experiment against distillation; version 2.1.197 shipped July 1 with no changelog mention of the removal.

What's new:

  • LegitMichel777's June 30 r/ClaudeAI post triggered a global backlash after he found obfuscated detection code in Claude Code builds from version 2.1.91 onward, first published April 2, 2026.
  • THE DECODER and independent analyst Vincent Schmalbach confirmed the mechanism: when ANTHROPIC_BASE_URL points anywhere except api.anthropic.com, the client classifies the route against encrypted lists of China-linked domains and AI-lab hostnames.
  • The client also checks whether the system timezone is Asia/Shanghai or Asia/Urumqi.
  • Results get embedded via steganography — swapping date separators (2026-06-30 vs 2026/06/30) and substituting visually identical Unicode apostrophes in "Today's date is."
  • LegitMichel777: covert transmission of proxy and system data without consent is "a fundamental violation of user trust."

How it worked:

  • The fingerprinting pipeline activates only on custom API routing — corporate gateways, third-party Claude proxies, and unofficial access layers common where Anthropic does not sell models directly.
  • Schmalbach's binary analysis decoded a 147-entry domain blocklist, XOR-obfuscated with key 91, spanning .cn TLDs, Chinese cloud providers, and Claude-router endpoints.
  • Release notes for v2.1.91 disclosed none of it.
  • Critics note the check is trivial for skilled attackers to spoof — timezone and hostname edits bypass the marker while legitimate corporate proxies on China-linked infrastructure get flagged.
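A defender who logs outbound requests at a gateway can test for this kind of marker by comparing how the date line renders under different client configurations. The Python below is an added example, not code from Claude Code or from the analysts cited. The exact code points and their mapping to environments are not given on this page, so the sample captures and environment names are constructed.

```python
import re
import unicodedata
from collections import defaultdict

# Tolerant match: any 1-3 non-alphanumeric characters where the apostrophe
# belongs, and any single non-digit as each date separator.
DATE_LINE = re.compile(
    r"Today(?P<apos>[^A-Za-z0-9\s]{1,3})s date is:?\s*"
    r"\d{4}(?P<s1>\D)\d{2}(?P<s2>\D)\d{2}"
)

def line_variant(prompt):
    """Return (apostrophe code points, separators) for the date line, or None."""
    m = DATE_LINE.search(prompt)
    if m is None:
        return None
    apos = " ".join(f"U+{ord(c):04X}" for c in m["apos"])
    return (apos, m["s1"] + m["s2"])

def describe(variant):
    """Human-readable form, naming each code point so lookalikes are visible."""
    apos, seps = variant
    names = [unicodedata.name(chr(int(cp[2:], 16)), "UNNAMED") for cp in apos.split()]
    return f"apostrophe={apos} ({', '.join(names)}) separators={seps!r}"

def group_by_variant(captures):
    """Map each observed variant to the environments that produced it."""
    groups = defaultdict(list)
    for env, prompt in captures.items():
        groups[line_variant(prompt)].append(env)
    return dict(groups)

def carries_side_channel(captures):
    """True when the same date line renders differently across environments."""
    variants = {v for v in group_by_variant(captures) if v is not None}
    return len(variants) > 1

# Constructed sample captures (not real Claude Code traffic): the same prompt
# line as logged at a gateway under three hypothetical client configurations.
SAMPLE = {
    "default-endpoint": "Today's date is 2026-06-30.",
    "custom-base-url": "Today\u2019s date is 2026-06-30.",
    "custom-url+tz": "Today\u2019s date is 2026/06/30.",
}

if __name__ == "__main__":
    for variant, envs in group_by_variant(SAMPLE).items():
        print(describe(variant), "<-", envs)
    print("side channel suspected:", carries_side_channel(SAMPLE))
```

The comparison needs no knowledge of which form is the unmarked one: any difference in code points or separators between otherwise identical sessions is the signal.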

Anthropic's response:

  • Claude Code engineer Thariq Shihipar replied on X July 1: "this is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation."
  • Shihipar: "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while."
  • He said a merged pull request would roll the code back in "tomorrow's release" — version 2.1.197, published to npm early July 1.
  • GitHub's official v2.1.197 changelog mentions only Claude Sonnet 5 as the default model. It does not confirm the steganographic code's removal.

The distillation context:

  • Anthropic does not offer Claude in China. Developers there routinely access it through foreign accounts and proxy routers.
  • In a June 10 Senate Banking Committee letter, Anthropic accused Alibaba's Qwen lab of running 28.8 million fraudulent Claude exchanges through roughly 25,000 fake accounts between April 22 and June 5 — what it called the largest known distillation attack.
  • CNBC confirmed the letter. Anthropic urged Congress to penalize Chinese labs and tighten chip export loopholes.
  • Meta banned its own engineers from Claude Code on June 29 over distillation fears — a ban aimed at rivals, not Anthropic's own client.

Why July 1 matters:

  • Commerce lifted export controls on Claude Fable 5 the same morning Fable returned globally — restoring the guardrailed model Sacramento just bought for every California agency at half price.
  • Tenet Security's June 17 agentjacking disclosure already showed Claude Code will run attacker code from poisoned telemetry.
  • This episode adds a second trust failure: the vendor itself hid surveillance inside the agent's context window.

Convina's view: Anthropic spent June demanding Washington punish distillation and gate frontier models behind guest lists — then got caught fingerprinting developers through the apostrophe in a date stamp. Shihipar's "experiment" framing does not survive contact with a CLI that has filesystem and shell access on machines holding production credentials. If the rollback is real, say so in the changelog. If covert client telemetry is the new normal for frontier labs fighting Chinese extraction, disclose it before California signs the statewide contract — because the agent on your laptop is now a bigger sovereignty battleground than the model behind the API.

Research Signals

  • https://the-decoder.com/hidden-code-in-claude-code-secretly-flagged-chinese-users/
  • https://cybernews.com/ai-news/claude-code-steganography-china-users/
  • https://www.vincentschmalbach.com/claude-code-china-router-fingerprint/
  • https://www.techtimes.com/articles/319415/20260701/claude-code-hid-proxy-fingerprints-system-prompts-anthropic-promises-fix.htm
  • https://cybersecuritynews.com/anthropic-claude-hidden-code/
  • https://github.com/anthropics/claude-code/releases/tag/v2.1.197
  • https://www.cnbc.com/2026/06/24/anthropic-alibaba-distillation-campaign.html