2026 CLAUDE CODE HIDDEN UNICODE
TL;DR: In late June 2026, a developer reverse-engineering Claude Code (not the Claude web app) found that when you route it through a custom proxy (ANTHROPIC_BASE_URL ≠ api.anthropic.com), it quietly rewrites the Today's date is... line of its system prompt. By switching the date separator and swapping the apostrophe for visually identical but different Unicode characters, it encodes whether you're in a China timezone and whether your endpoint matches China-linked domains or AI-lab keywords. Anthropic removed the code in version 2.1.197. The likely goal was anti-distillation, but the problem is the method: invisible, obfuscated, and undisclosed. This post separates two distinct incidents, provides the Unicode mapping table, HN debate, a 5-step protection checklist, and FAQ.
1. Pain Points: Two Separate Incidents — Don't Conflate Them
This blew up as two distinct but related stories stacked together. Conflating them will get you called out on HN and hurt E-E-A-T. Separate them before you publish:
| Dimension | Incident A: Silent Browser Injection | Incident B: System Prompt Steganography |
|---|---|---|
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Discloser | Alexander Hanff (privacy consultant, The Register contributor) | Developer reverse-engineering binary, published on thereallo.dev, amplified via Reddit → HN |
| Timeline | April 2026 (~4/18 onward) | June 30, 2026 |
| Core behavior | Silently writes com.anthropic.claude_browser_extension.json into Chrome/Edge/Brave/Arc etc., pre-authorizing 3 extension IDs to call chrome-native-host outside the browser sandbox; creates dirs even for uninstalled browsers; regenerates after deletion | When ANTHROPIC_BASE_URL is non-official, rewrites the Today's date is... line via steganography |
| Labels applied | "spyware" / "backdoor" | "prompt steganography" / "covert channel" |
| Trigger | Install/start Claude Desktop | Only when non-official Base URL is set; not every conversation |
| Anthropic response | No formal public response; later versions added consent toggle | Acknowledged code existed; removed in 2.1.197 on 7/1, changelog silent |
Independent consultant Noah Kenney (Digital 520) confirmed Hanff's claims are reproducible. Antiy Labs published a dedicated risk analysis of Claude Desktop's high-privilege browser channel. The HN thread on Incident B hit the front page within hours — 350+ points, 100+ comments — splitting the community between "reasonable anti-distillation defense" and "malware-adjacent behavior for a dev tool."
2. Timeline: What Actually Happened
| Date | Event | Version / Source |
|---|---|---|
| 2026-04-18+ | Hanff discloses Claude Desktop silent Native Messaging injection | The Register, Malwarebytes, gHacks |
| 2026-06-30 | Developer reverse-engineers Claude Code, finds prompt steganography | thereallo.dev → Reddit → HN |
| 2026-06-30 | Verified in versions 2.1.193 / 2.1.195 / 2.1.196 | thereallo.dev |
| 2026-07-01 | Anthropic ships 2.1.197 removing the code | TechTimes, Developers Digest (changelog omits mention) |
3. How the Fingerprint Works: Unicode Mapping Table
Key precondition: it only triggers when ANTHROPIC_BASE_URL points somewhere other than api.anthropic.com (proxy, gateway, reseller, OpenAI-compatible layer). Official endpoint = no alteration.
When triggered, two signals hide inside the innocent Today's date is ... line:
- Date separator: if timezone is Asia/Shanghai or Asia/Urumqi, 2026-06-30 becomes 2026/06/30.
- Apostrophe swap: the apostrophe in Today's is replaced with a look-alike Unicode variant encoding what was matched.
| Detected condition | Date | Apostrophe | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' ASCII apostrophe | U+0027 |
| China-linked org/reseller domain | 2026-06-30 | ’ right single quote | U+2019 |
| AI-lab keyword (deepseek, moonshot, zhipu…) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| + China timezone | 2026/06/30 | (as above) | — |
Domain/keyword lists are obfuscated with base64 + XOR (key 91) — roughly 147 domain patterns. To a human, the prompt looks ordinary. To Anthropic's backend, one apostrophe's code point reveals: "This user is behind a VPN but actually in a China timezone — possibly a Chinese AI lab."
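To audit prompts captured at your own gateway, the mapping table can be read in reverse. The following is an added example, not code from the reverse-engineering report or from Anthropic; it assumes the date follows "is" as YYYY-MM-DD or YYYY/MM/DD, and the sample prompts are constructed.

```python
import re

# Code points from the mapping table above and the condition each reportedly encodes.
APOSTROPHE_SIGNAL = {
    "\u0027": "default (no match)",
    "\u2019": "China-linked org/reseller domain",
    "\u02bc": "AI-lab keyword",
    "\u02b9": "both domain and lab",
}

# Assumed line shape: "Today" + any one character + "s date is" + YYYY-MM-DD or YYYY/MM/DD.
DATE_LINE = re.compile(
    r"Today(?P<apos>.)s date is\s+(?P<date>\d{4}(?P<sep>[-/])\d{2}(?P=sep)\d{2})"
)

def decode_date_line(system_prompt):
    """Return the signals carried by the date line, or None if no such line exists."""
    m = DATE_LINE.search(system_prompt)
    if m is None:
        return None
    apos, sep = m.group("apos"), m.group("sep")
    return {
        "codepoint": f"U+{ord(apos):04X}",
        "signal": APOSTROPHE_SIGNAL.get(apos, "unlisted character"),
        "china_timezone": sep == "/",
        "altered": apos != "\u0027" or sep == "/",
    }

def flag_altered(prompts):
    """Indexes of logged prompts whose date line differs from the default form."""
    hits = []
    for i, prompt in enumerate(prompts):
        decoded = decode_date_line(prompt)
        if decoded and decoded["altered"]:
            hits.append(i)
    return hits

# Constructed sample prompts, as a gateway might log them.
SAMPLES = [
    "You are a coding agent.\nToday's date is 2026-06-30.",
    "You are a coding agent.\nToday\u2019s date is 2026-06-30.",
    "You are a coding agent.\nToday\u02b9s date is 2026/06/30.",
]

if __name__ == "__main__":
    for i in flag_altered(SAMPLES):
        print(i, decode_date_line(SAMPLES[i]))
```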
4. Why Did Anthropic Do This? Intent vs. Method
Community consensus is measured: this was almost certainly anti-distillation and anti-unauthorized-reselling. Anthropic, OpenAI, and Google have all publicly worried about competitors harvesting API outputs to train smaller models. China-linked resellers, proxies, and labs are prime suspects.
The intent is defensible; the method is not. Turning a classification signal into invisible punctuation, obfuscating it in the binary, and shipping it on every request — inside a developer tool that lives and dies on trust — crosses a line. HN split hard:
- Defense camp: "Reasonable anti-distillation — less invasive than logging your code."
- Opposition camp: "Malware-adjacent for a dev tool with filesystem + shell access and undisclosed telemetry."
Use "alleged" / "according to the reverse-engineering report" throughout. Separate the goal (anti-distillation) from the means (steganography).
5. Is It Actually Spyware?
"Spyware" is a loaded word. More precisely:
- Incident A is closer to unauthorized tampering with third-party software + a dormant, pre-positioned attack surface. Anthropic's own numbers put Claude for Chrome prompt-injection success at 23.6% (unmitigated) / 11.2% (mitigated).
- Incident B is closer to undisclosed telemetry / covert user classification.
Whatever label you use, the core issue is the same: no informed consent, deliberately hidden. Legitimate LiteLLM gateways and corporate proxies trigger Incident B — the classifier cannot distinguish a shady reseller from an internal dev tool by hostname alone.
6. Five-Step Checklist: How to Check and Protect Yourself
- Check ANTHROPIC_BASE_URL: if unset or pointing to the official endpoint, Incident B does not trigger. LiteLLM/OpenRouter/corporate gateways were classified (pre-2.1.197).
- Upgrade Claude Code to 2.1.197+: Anthropic removed the steganography, but the changelog omits it — keep upgrade records.
- macOS: inspect Native Messaging manifests at ~/Library/Application Support/<browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json. Delete as needed; Claude Desktop may recreate them.
- Check timezone: Asia/Shanghai / Asia/Urumqi adds the date-separator signal (Incident B + proxy only).
- Enterprise/sensitive environments: treat desktop agents as high-privilege programs — least privilege, explicit authorization, auditable behavior.
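The first four checks can be scripted. This is an added example, not a tool from Anthropic or the original report; the audit function and its parameters are hypothetical, and the caller supplies the installed Claude Code version string and the system timezone name.

```python
import os
import sys
from pathlib import Path
from urllib.parse import urlparse

OFFICIAL_HOST = "api.anthropic.com"
FIXED_VERSION = (2, 1, 197)                      # release that removed the code
FLAGGED_TIMEZONES = {"Asia/Shanghai", "Asia/Urumqi"}
MANIFEST = "com.anthropic.claude_browser_extension.json"

def audit(env, version, timezone, home):
    """Apply the checklist to the supplied facts and return a list of findings."""
    findings = []
    base_url = env.get("ANTHROPIC_BASE_URL", "")
    host = (urlparse(base_url).hostname or "").lower()
    custom_endpoint = bool(base_url) and host != OFFICIAL_HOST
    patched = tuple(int(p) for p in version.split(".")[:3]) >= FIXED_VERSION

    # Incident B needs a non-official endpoint and a pre-2.1.197 client.
    if custom_endpoint and not patched:
        findings.append(f"custom endpoint {host!r} on {version}: date line may be altered")
        if timezone in FLAGGED_TIMEZONES:
            findings.append(f"timezone {timezone}: date-separator signal applies")
    if not patched:
        findings.append(f"upgrade Claude Code {version} to 2.1.197 or later")

    # Incident A: <browser> can be a nested vendor/browser path, so match on
    # the manifest name under any NativeMessagingHosts directory.
    support = Path(home) / "Library" / "Application Support"
    if support.is_dir():
        for manifest in sorted(support.glob(f"**/NativeMessagingHosts/{MANIFEST}")):
            findings.append(f"native messaging manifest: {manifest}")
    return findings

if __name__ == "__main__":
    # Usage: script.py <claude-code-version> <timezone-name>
    for line in audit(os.environ, sys.argv[1], sys.argv[2], Path.home()):
        print(line)
```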
7. Deep Dive: Desktop AI Agents Are Replaying Early PC/Smartphone Security Mistakes
The real lesson isn't "an apostrophe." When model capability races ahead while security boundaries, consent, and auditability lag behind, vendors keep crossing the trust boundary in the name of "UX" or "abuse prevention."
We've seen this before — preinstalled PC bloatware, early smartphone permission abuse — and it's replaying on desktop AI agents. Claude Desktop pre-positioning Native Messaging channels + Claude Code steganographic fingerprints paints a picture: high-privilege local programs + undisclosed classification signals as defaults, not opt-ins.
What we can actually do:
- Default to distrust; demand evidence. Reproducible, auditable, switchable-off is the bar for trust.
- Disclosure over concealment. Fight distillation in the open — document it, ship a toggle — not buried in punctuation.
- Least privilege + isolation. Running Claude Code on an isolated remote Mac node is a viable architecture choice.
- Vote with your feet, back it with regulation. GDPR-style law and market choice are the ultimate check.
Technology can be neutral; a company can't. The more capable the model, the more the vendor must constrain itself — and that shouldn't be a secret you only find by reverse-engineering a binary.
8. FAQ
Q: Is Claude Code spyware?
A: Not in the classic sense, but it embedded an undisclosed, obfuscated fingerprint in system prompts. Removed in 2.1.197. Best described as an undisclosed covert channel.
Q: Does Claude Code track my timezone?
A: It checked Asia/Shanghai / Asia/Urumqi — but only with a non-default ANTHROPIC_BASE_URL. Official endpoint users were unaffected.
Q: What is the apostrophe / Unicode trick?
A: The apostrophe in "Today's" swapped between U+0027, U+2019, U+02BC, and U+02B9 to encode domain match, AI-lab keyword match, both, or neither.
Q: Why did Anthropic add this?
A: Most likely anti-distillation and unauthorized reselling detection — legitimate goal, illegitimate implementation.
Q: Is this the same as Claude Desktop spyware?
A: No. Incident A (April) was Desktop silently writing browser Native Messaging manifests. Incident B (June 30) is Code prompt steganography — different products.
Q: Are regular Claude web users affected?
A: Incident B only affects Claude Code users routing through a custom proxy. Official endpoint users are unaffected.
Q: How to remove Claude Desktop browser injection files?
A: Delete com.anthropic.claude_browser_extension.json under each browser's NativeMessagingHosts folder. Claude Desktop may recreate it on restart.
Q: What is ANTHROPIC_BASE_URL fingerprinting?
A: When the hostname ≠ api.anthropic.com, the client matches ~147 obfuscated domain rules and AI-lab keywords, encoding results in the system prompt date line.
9. Sources
- The Register: Claude Desktop changes software permissions without consent (April 2026)
- Malwarebytes / gHacks / YOOTA: Claude Desktop native messaging coverage
- thereallo.dev: Claude Code prompt steganography (original reverse engineering)
- Tech Startups / TMC Insight / Developers Digest / TechTimes: Incident B coverage and 2.1.197 fix
- Antiy Labs: Claude Desktop high-privilege browser channel risk analysis
10. Closing: High-Privilege AI Agents Deserve Isolated Mac Nodes
The Claude Code and Claude Desktop incidents show that desktop AI agents are already high-privilege programs — filesystem, shell, and out-of-sandbox browser channels all exposed when run bare-metal on your laptop. Windows/Linux cloud VMs can call Claude APIs, but fall short on terminal toolchain integration, Xcode/Cursor synergy, and Native Messaging audit trails compared to Apple Silicon Macs. If you need an isolated Claude Code runtime with snapshot rollback and least-privilege auditing, consider a MACGPU remote Mac node: run Claude Code / OpenClaw on a dedicated rental Mac, tunnel from your laptop via SSH — turning "a secret apostrophe" into a manageable architecture decision instead of passive vendor overreach.