2026 NVDB
CLAUDE_CODE_
STEGANOGRAPHY_
REVERSE_ENG.
Вводная: Если вы запускаете Claude Code на Mac и версия попадает в диапазон v2.1.91–v2.1.196, немедленно выполните claude --version. 8 июля 2026 китайская платформа NVDB (MIIT) опубликовала предупреждение: в AI-инструменте Anthropic обнаружен встроенный механизм мониторинга с риском бэкдора — без согласия пользователя передаётся геолокация и идентификаторы. Ниже — полный reverse-engineering разбор: условие триггера ANTHROPIC_BASE_URL, XOR+Base64 blacklist из 147 доменов, стеганографический covert channel в system prompt, timezone Asia/Shanghai/Asia/Urumqi, ответы NVDB/Anthropic/Alibaba, 5+ шагов и FAQ×10.
TL;DR — технические факты
- ● NVDB 08.07.2026: v2.1.91–2.1.196, severe backdoor risk
- ● Trigger: только
ANTHROPIC_BASE_URL≠api.anthropic.com - ● Payload: мутация date separator + 3 Unicode apostrophe variants (~3 bit) в system prompt
- ● Blacklist: 147 hostname patterns, XOR key=91 → Base64,
stringsне извлекает - ● Fix: v2.1.197+ (silent removal); Alibaba ban 10.07 → Qoder
1. Почему это не обычная telemetry-дискуссия
- Shell-capable agent с файловой системой и exec — скрытый covert channel недопустим
- Zero changelog disclosure за ~3 месяца (~20 релизов)
- Obfuscation: domain list XOR(91)+Base64 — требует полного reverse binary
- Регуляторная квалификация NVDB как backdoor, не marketing
⚠️ Claude Code имеет легитимную telemetry (Datadog, OpenTelemetry) — это отдельный канал. Спор именно о стеганографии в system prompt, не о disclosed analytics.
2. Полный timeline с версиями
| Дата | Событие | Артефакт |
|---|---|---|
| Фев 2026 | Anthropic публично инвестирует в anti-distillation (classifiers, behavioral fingerprints) | blog/Senate context |
| Март 2026 | Covert detection deployed internally, zero disclosure | reverse-engineering consensus |
| 2026-04-02 | v2.1.91 — first shipped build with fingerprint logic | npm changelog |
| Апр–Июн | ~20 releases through v2.1.196, mechanism persists | Thereallo, Adnane Khan |
| 2026-06-29 | v2.1.196 last affected in NVDB range | changelog |
| 2026-06-30 | LegitMichel777 (Reddit), Thereallo (thereallo.dev), Adnane Khan GitHub — validates v2.1.193/195/196 | IOCs |
| 2026-07-01 | Thariq Shihipar (Claude Code engineer) on X: "experiment", rollback tomorrow | X post |
| 2026-07-02 | v2.1.197 (some cite v2.1.198) — steganography stripped, changelog silent | binary diff |
| 2026-07-03/04 | Reuters/TechCrunch: Alibaba ban from 10.07, switch Qoder | internal memo |
| 2026-07-08 | MIIT NVDB official advisory — severe backdoor risk | NVDB, CNBC, Register |
| 2026-07-10 | Alibaba ban effective: Claude Code + Sonnet/Opus/Fable | SCMP |
3. Trigger path: кто реально fingerprinted
Не universal surveillance. Код исполняется только при ANTHROPIC_BASE_URL routing away from api.anthropic.com — corporate LiteLLM/OpenRouter, API resellers, self-hosted proxies. Official endpoint users: code path never executes.
4. Reverse-engineering: механизм в 3 фазах
4.1 Environment reconnaissance
- Timezone probe:
Intl/process.env.TZ→ matchAsia/ShanghaiorAsia/Urumqi - Hostname blacklist: parse
ANTHROPIC_BASE_URL, compare against 147 obfuscated patterns
Независимо воспроизведено: LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach. Targets: Alibaba/Ant/Baidu/ByteDance domains; AI lab keywords (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01.ai); API relay gateways. Storage: Base64(XOR(plaintext, key=91)) — defeats casual strings extraction.
4.2 Steganographic encoding в system prompt
Не отдельный HTTP beacon — мутация строки даты в каждом запросе к модели:
| Condition | Date format | Apostrophe in "Today's" | Codepoint |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' | U+0027 |
| China-linked org/reseller domain | 2026-06-30 | ' right single quotation | U+2019 |
| AI-lab keyword (deepseek, moonshot, zhipu…) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Domain + lab keyword | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| + China timezone | 2026/06/30 (slash) | (as above) | +1 date-format bit |
Итого ~3 bits environment fingerprint в визуально идентичном English sentence. Adnane Khan: "a covert information channel embedded in system prompts" — классический steganography, не telemetry.
4.3 Version matrix и shell commands
| Категория | Версия | Дата | Статус |
|---|---|---|---|
| First affected | v2.1.91 | 2026-04-02 | fingerprint present |
| Last affected | v2.1.196 | 2026-06-29 | fingerprint present |
| Fix | v2.1.197 (some: v2.1.198) | 2026-07-01/02 | removed, changelog omits |
5. Ответы сторон
5.1 NVDB / MIIT
- Квалификация: security backdoor risk, severe threat
- Рекомендация: uninstall/upgrade, egress control, traffic monitoring на dev subnets
5.2 Anthropic / Thariq Shihipar
"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."
Senate Banking Committee letter: Alibaba Qwen ~25,000 fraudulent accounts, 28.8M interactions for distillation — motive, not justification for concealment.
5.3 Alibaba
- Internal notice: "back-door risks... high-risk software with security vulnerabilities"
- 10 июля 2026: ban Claude Code + Anthropic models → Qoder
5.4 Media framing table
| Source | Framing | Emphasis |
|---|---|---|
| NVDB | backdoor / severe threat | compliance, data exfil risk |
| CNBC/Reuters/CBS | security backdoor / monitoring | neutral relay + enterprise reaction |
| The Register | covert code / secret steganography | undisclosed updates accountability |
| Ars Technica | spyware-like tracking | trust crisis vs anti-surveillance brand |
| Cybernews | "a nothing burger" | overreaction; legit anti-distillation eng |
| Anthropic | experiment / anti-abuse | defensive purpose |
6. Background: US-China distillation war
- Anthropic blocks China-region access; circumvention via VPN + API relays — exactly what fingerprint logic targeted
- Feb 2026 PKU/CAS paper: distillation traces in Chinese LLMs
- Accusations: DeepSeek, Moonshot, MiniMax, Alibaba unauthorized use
- Claude Opus 4.8 self-identifying as Qwen/DeepSeek in tests
- Chinese enterprises accelerating domestic stacks: DeepSeek, Qwen, Kimi, Zhipu, MiniMax, Qoder
7. Fact-check (перед публикацией)
- ⚠️ Только non-official
ANTHROPIC_BASE_URLtriggers path - ⚠️ Fix version: v2.1.197 (some media v2.1.198) — recommend "2.1.197+"
- ⚠️ "Backdoor" = NVDB label; technical term = steganographic covert channel
- ⚠️ No confirmed mass data breach; plausible outcome = account bans for distillation suspects
- ⚠️ Release date variance 29 vs 30 June — cross-check Anthropic GitHub changelog
8. Runbook: 5+ шагов
8.1 Individual dev
claude --version— if 2.1.91–2.1.196, affectedecho $ANTHROPIC_BASE_URL— corporate gateways count- Upgrade to 2.1.197+ via npm or
claude update - Uninstall + purge
~/.claude*paths if policy requires - Isolate shell-capable agent from production secrets
- Track silent fixes — 2.1.197 removal omitted from changelog
8.2 Enterprise IT
- MDM inventory: dev laptops, CI runners, remote Mac build nodes
- Force-upgrade 2.1.197+ or block per policy
- Egress audit: firewall/Zscaler/VPC flow logs to non-approved AI endpoints
- Document all
ANTHROPIC_BASE_URLconfigs (LiteLLM/OpenRouter layers) - Evaluate alternatives: Qoder, Tongyi Lingma, Cursor with domestic models
9. FAQ ×10
Q1: Бэкдор?
v2.1.91–196: undisclosed steganography. NVDB: backdoor risk. Anthropic: experiment, removed v2.1.197.
Q2: Версии?
2.1.91 (04-02) — 2.1.196 (06-29). Upgrade 2.1.197+.
Q3: Official API?
Not affected.
Q4: Check version?
claude --version / npm list -g @anthropic-ai/claude-code
Q5: Uninstall?
Upgrade immediately; enterprises may additionally uninstall + egress audit.
Q6: Steganography?
Date separator + Unicode apostrophes U+0027/U+2019/U+02BC/U+02B9 in system prompt.
Q7: Alibaba ban?
High-risk classification, effective 10.07.2026, migrate Qoder.
Q8: Changelog?
Zero disclosure in affected versions; removal also omitted.
Q9: Safe now?
Code removed 2.1.197+; trust is organizational decision.
Q10: Distillation?
Anti-reseller/anti-distillation; 25K accounts, 28.8M interactions per Senate letter.
10. Disclaimer
На основе публичных отчётов NVDB, Anthropic statements и independent security research. Не является legal/security audit advice.
11. References
- CNBC, Register, Ars Technica, TechCrunch, Reuters (08.07.2026)
- Thereallo: Claude Code Is Steganographically Marking Requests
- Adnane Khan GitHub RE report; Vincent Schmalbach independent reproduction
- Thariq Shihipar X (01.07.2026); Anthropic Senate letter on Qwen distillation
12. Заключение: изолированный Mac-узел для high-privilege AI
Terminal AI agents = high-privilege software с covert channels, которых нет в changelog. Для изолированной разработки Claude Code: MACGPU remote Mac mini M4 — SSH tunnel, snapshot rollback, отделение production credentials от agent experiments.