Claude Code Hid Steganographic Spyware That Fingerprints Chinese Users
A coding agent with shell and filesystem permissions ran an undisclosed surveillance routine that tagged users by geography and proxy choice, then hid the tag in a system prompt. The same technique could be repurposed to exfiltrate far more sensitive local data without detection.
A Reddit post and a GitHub Gist reverse-engineering report reveal that Claude Code, starting with version 2.1.91 released April 2, 2026, runs a local fingerprinting routine. It checks the system timezone for `Asia/Shanghai` or `Asia/Urumqi` and inspects the proxy base URL against a list of Chinese domains and AI lab keywords. Instead of blocking or disclosing the check, it encodes the result into the system prompt by swapping the apostrophe character in `Today's` for a visually identical but distinct Unicode variant.
The mechanism activates only when `ANTHROPIC_BASE_URL` is modified from the default `api.anthropic.com`, targeting users who route through proxies or third-party relays. The reconstructed domain list and keyword set includes major Chinese tech companies and AI labs such as ByteDance, Alibaba, Baidu, Moonshot AI, and MiniMax. The data is sent to Anthropic's backend with every request, functioning as a silent, steganographic tag rather than an overt block.
Claude Code team member Thariq confirmed the existence of the experiment, stating it was launched in March to combat unauthorized resellers and distillation attacks. A pull request to roll it back has been merged. The incident raises hard questions about what a tool with shell and filesystem access owes its users when it runs undisclosed surveillance logic inside local processes.
Steganographic tagging inside system prompts is a supply-chain trust problem: a tool with shell access can silently classify users and exfiltrate the classification without any visible log or network call that looks unusual.
The targeting logic is not a simple geo-block. It fingerprints the proxy infrastructure itself, which means it catches users who route through Chinese AI lab relays regardless of their physical location.
Anthropic's response frames the mechanism as anti-abuse, but the covert delivery method undermines that framing. Anti-abuse checks that users cannot see or consent to are indistinguishable from spyware from the user's perspective.
The terms of service asymmetry is stark: Anthropic reserves the right to terminate without notice, while the user's only recourse is to stop using the product. There is no contractual deterrent against the company embedding similar logic in future releases.