2026 NVDB
CLAUDE_CODE_
STEGANOGRAPHY_
REVERSE_ENG.

Claude Code терминал проверка версии предупреждение NVDB backdoor

Вводная: Если вы запускаете Claude Code на Mac и версия попадает в диапазон v2.1.91–v2.1.196, немедленно выполните claude --version. 8 июля 2026 китайская платформа NVDB (MIIT) опубликовала предупреждение: в AI-инструменте Anthropic обнаружен встроенный механизм мониторинга с риском бэкдора — без согласия пользователя передаётся геолокация и идентификаторы. Ниже — полный reverse-engineering разбор: условие триггера ANTHROPIC_BASE_URL, XOR+Base64 blacklist из 147 доменов, стеганографический covert channel в system prompt, timezone Asia/Shanghai/Asia/Urumqi, ответы NVDB/Anthropic/Alibaba, 5+ шагов и FAQ×10.

TL;DR — технические факты

  • NVDB 08.07.2026: v2.1.91–2.1.196, severe backdoor risk
  • Trigger: только ANTHROPIC_BASE_URLapi.anthropic.com
  • Payload: мутация date separator + 3 Unicode apostrophe variants (~3 bit) в system prompt
  • Blacklist: 147 hostname patterns, XOR key=91 → Base64, strings не извлекает
  • Fix: v2.1.197+ (silent removal); Alibaba ban 10.07 → Qoder

1. Почему это не обычная telemetry-дискуссия

  1. Shell-capable agent с файловой системой и exec — скрытый covert channel недопустим
  2. Zero changelog disclosure за ~3 месяца (~20 релизов)
  3. Obfuscation: domain list XOR(91)+Base64 — требует полного reverse binary
  4. Регуляторная квалификация NVDB как backdoor, не marketing

⚠️ Claude Code имеет легитимную telemetry (Datadog, OpenTelemetry) — это отдельный канал. Спор именно о стеганографии в system prompt, не о disclosed analytics.

2. Полный timeline с версиями

ДатаСобытиеАртефакт
Фев 2026Anthropic публично инвестирует в anti-distillation (classifiers, behavioral fingerprints)blog/Senate context
Март 2026Covert detection deployed internally, zero disclosurereverse-engineering consensus
2026-04-02v2.1.91 — first shipped build with fingerprint logicnpm changelog
Апр–Июн~20 releases through v2.1.196, mechanism persistsThereallo, Adnane Khan
2026-06-29v2.1.196 last affected in NVDB rangechangelog
2026-06-30LegitMichel777 (Reddit), Thereallo (thereallo.dev), Adnane Khan GitHub — validates v2.1.193/195/196IOCs
2026-07-01Thariq Shihipar (Claude Code engineer) on X: "experiment", rollback tomorrowX post
2026-07-02v2.1.197 (some cite v2.1.198) — steganography stripped, changelog silentbinary diff
2026-07-03/04Reuters/TechCrunch: Alibaba ban from 10.07, switch Qoderinternal memo
2026-07-08MIIT NVDB official advisory — severe backdoor riskNVDB, CNBC, Register
2026-07-10Alibaba ban effective: Claude Code + Sonnet/Opus/FableSCMP

3. Trigger path: кто реально fingerprinted

Не universal surveillance. Код исполняется только при ANTHROPIC_BASE_URL routing away from api.anthropic.com — corporate LiteLLM/OpenRouter, API resellers, self-hosted proxies. Official endpoint users: code path never executes.

4. Reverse-engineering: механизм в 3 фазах

4.1 Environment reconnaissance

  1. Timezone probe: Intl/process.env.TZ → match Asia/Shanghai or Asia/Urumqi
  2. Hostname blacklist: parse ANTHROPIC_BASE_URL, compare against 147 obfuscated patterns

Независимо воспроизведено: LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach. Targets: Alibaba/Ant/Baidu/ByteDance domains; AI lab keywords (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01.ai); API relay gateways. Storage: Base64(XOR(plaintext, key=91)) — defeats casual strings extraction.

4.2 Steganographic encoding в system prompt

Не отдельный HTTP beacon — мутация строки даты в каждом запросе к модели:

ConditionDate formatApostrophe in "Today's"Codepoint
Default (no match)2026-06-30'U+0027
China-linked org/reseller domain2026-06-30' right single quotationU+2019
AI-lab keyword (deepseek, moonshot, zhipu…)2026-06-30ʼ modifier letter apostropheU+02BC
Domain + lab keyword2026-06-30ʹ modifier letter primeU+02B9
+ China timezone2026/06/30 (slash)(as above)+1 date-format bit

Итого ~3 bits environment fingerprint в визуально идентичном English sentence. Adnane Khan: "a covert information channel embedded in system prompts" — классический steganography, не telemetry.

4.3 Version matrix и shell commands

КатегорияВерсияДатаСтатус
First affectedv2.1.912026-04-02fingerprint present
Last affectedv2.1.1962026-06-29fingerprint present
Fixv2.1.197 (some: v2.1.198)2026-07-01/02removed, changelog omits
# Version check claude --version # Trigger condition probe echo "ANTHROPIC_BASE_URL=${ANTHROPIC_BASE_URL:-api.anthropic.com (default)}" # Upgrade npm install -g @anthropic-ai/claude-code@latest claude update # Full uninstall + artifact cleanup (macOS/Linux) npm uninstall -g @anthropic-ai/claude-code rm -rf ~/.claude ~/.claude.json ~/.cache/claude-code ~/.config/claude-code # Windows # %USERPROFILE%\.claude, %USERPROFILE%\.claude.json, cache dirs

5. Ответы сторон

5.1 NVDB / MIIT

  • Квалификация: security backdoor risk, severe threat
  • Рекомендация: uninstall/upgrade, egress control, traffic monitoring на dev subnets

5.2 Anthropic / Thariq Shihipar

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."

Senate Banking Committee letter: Alibaba Qwen ~25,000 fraudulent accounts, 28.8M interactions for distillation — motive, not justification for concealment.

5.3 Alibaba

  • Internal notice: "back-door risks... high-risk software with security vulnerabilities"
  • 10 июля 2026: ban Claude Code + Anthropic models → Qoder

5.4 Media framing table

SourceFramingEmphasis
NVDBbackdoor / severe threatcompliance, data exfil risk
CNBC/Reuters/CBSsecurity backdoor / monitoringneutral relay + enterprise reaction
The Registercovert code / secret steganographyundisclosed updates accountability
Ars Technicaspyware-like trackingtrust crisis vs anti-surveillance brand
Cybernews"a nothing burger"overreaction; legit anti-distillation eng
Anthropicexperiment / anti-abusedefensive purpose

6. Background: US-China distillation war

  • Anthropic blocks China-region access; circumvention via VPN + API relays — exactly what fingerprint logic targeted
  • Feb 2026 PKU/CAS paper: distillation traces in Chinese LLMs
  • Accusations: DeepSeek, Moonshot, MiniMax, Alibaba unauthorized use
  • Claude Opus 4.8 self-identifying as Qwen/DeepSeek in tests
  • Chinese enterprises accelerating domestic stacks: DeepSeek, Qwen, Kimi, Zhipu, MiniMax, Qoder

7. Fact-check (перед публикацией)

  1. ⚠️ Только non-official ANTHROPIC_BASE_URL triggers path
  2. ⚠️ Fix version: v2.1.197 (some media v2.1.198) — recommend "2.1.197+"
  3. ⚠️ "Backdoor" = NVDB label; technical term = steganographic covert channel
  4. ⚠️ No confirmed mass data breach; plausible outcome = account bans for distillation suspects
  5. ⚠️ Release date variance 29 vs 30 June — cross-check Anthropic GitHub changelog

8. Runbook: 5+ шагов

8.1 Individual dev

  1. claude --version — if 2.1.91–2.1.196, affected
  2. echo $ANTHROPIC_BASE_URL — corporate gateways count
  3. Upgrade to 2.1.197+ via npm or claude update
  4. Uninstall + purge ~/.claude* paths if policy requires
  5. Isolate shell-capable agent from production secrets
  6. Track silent fixes — 2.1.197 removal omitted from changelog

8.2 Enterprise IT

  1. MDM inventory: dev laptops, CI runners, remote Mac build nodes
  2. Force-upgrade 2.1.197+ or block per policy
  3. Egress audit: firewall/Zscaler/VPC flow logs to non-approved AI endpoints
  4. Document all ANTHROPIC_BASE_URL configs (LiteLLM/OpenRouter layers)
  5. Evaluate alternatives: Qoder, Tongyi Lingma, Cursor with domestic models

9. FAQ ×10

Q1: Бэкдор?

v2.1.91–196: undisclosed steganography. NVDB: backdoor risk. Anthropic: experiment, removed v2.1.197.

Q2: Версии?

2.1.91 (04-02) — 2.1.196 (06-29). Upgrade 2.1.197+.

Q3: Official API?

Not affected.

Q4: Check version?

claude --version / npm list -g @anthropic-ai/claude-code

Q5: Uninstall?

Upgrade immediately; enterprises may additionally uninstall + egress audit.

Q6: Steganography?

Date separator + Unicode apostrophes U+0027/U+2019/U+02BC/U+02B9 in system prompt.

Q7: Alibaba ban?

High-risk classification, effective 10.07.2026, migrate Qoder.

Q8: Changelog?

Zero disclosure in affected versions; removal also omitted.

Q9: Safe now?

Code removed 2.1.197+; trust is organizational decision.

Q10: Distillation?

Anti-reseller/anti-distillation; 25K accounts, 28.8M interactions per Senate letter.

10. Disclaimer

На основе публичных отчётов NVDB, Anthropic statements и independent security research. Не является legal/security audit advice.

11. References

  • CNBC, Register, Ars Technica, TechCrunch, Reuters (08.07.2026)
  • Thereallo: Claude Code Is Steganographically Marking Requests
  • Adnane Khan GitHub RE report; Vincent Schmalbach independent reproduction
  • Thariq Shihipar X (01.07.2026); Anthropic Senate letter on Qwen distillation

12. Заключение: изолированный Mac-узел для high-privilege AI

Terminal AI agents = high-privilege software с covert channels, которых нет в changelog. Для изолированной разработки Claude Code: MACGPU remote Mac mini M4 — SSH tunnel, snapshot rollback, отделение production credentials от agent experiments.