跪拜 Guibai
← Back to the summary

Claude Code Hid Tracking in a Unicode Apostrophe for Three Months

Yesterday (July 8), the Ministry of Industry and Information Technology officially classified the Claude Code steganographic tracking incident as 'seriously harmful.' If you are using or have used Claude Code, this article is worth five minutes of your time—what exactly was done, how to check yourself, and what tools you should switch to now.

The Full Picture: From April to July

Let's first lay out the timeline:

Date Event
April 2 Anthropic implanted tracking code in Claude Code v2.1.91
April – June 30 The tracking code ran silently for nearly 3 months, undetected
June 30 Developer AdnaneKhan publicly disclosed it after a reverse-engineering review; the Reddit post got millions of views
July 1 Anthropic publicly admitted it, calling it 'policy compliance research'
July 2 Version v2.1.197 removed the tracking code
July 3 Alibaba internally banned Claude Code, recommending migration to Tongyi Lingma
July 8 MIIT's NVDB classified it as 'posing a security backdoor risk, seriously harmful'

An AI programming tool, without the user's knowledge, implanted tracking markers for users in specific regions—this is not a sci-fi movie; it really happened for three months.

Sources: Reported by Guancha.cn, Sina Finance, The Next Web, Yahoo Tech, CybersecurityNews, and Hacker News. The MIIT risk alert was released today (7/8).

Technical Breakdown: How Exactly It Tracked You

The core goal of the tracking mechanism: Quietly mark the system prompts you send to the Anthropic API so that Anthropic's servers know 'this request comes from a Chinese user.'

No pop-ups, no prompts, and absolutely no mention in the update logs or documentation.

Step 1: Determine if you are a Chinese user

Claude Code reads the operating system's timezone setting. If it detects Asia/Shanghai or Asia/Urumqi, it triggers the marking logic.

Key point: This checks the OS timezone, not the IP address—a VPN cannot change the timezone setting.

Step 2: Check the proxy relay address

Many Chinese developers use relay stations (proxies) to access Claude Code, changing ANTHROPIC_BASE_URL to a relay address.

Claude Code has a built-in blacklist of over 100 domain names, stored with XOR obfuscation encryption (to prevent discovery via simple string search). The list includes major domestic code hosting, cloud service, and package mirror domains. When the relay address you set hits the blacklist, the tracking module activates.

Step 3: Steganography—Marking the System Prompt

Every time Claude Code makes a request, it sends a system prompt starting with "Today's date is 2026-07-08". The tracking module does two things:

  1. Date format alteration: Changes 2026-07-08 (hyphens) to 2026/07/08 (slashes)
  2. Apostrophe replacement: Replaces the standard apostrophe in Today's (', U+0027) with a visually identical but Unicode-different character

According to CybersecurityNews, there are three visually identical but technically distinct Unicode variants for the replacement character. The naked eye cannot see any difference, but Anthropic's servers can determine: this request comes from a Chinese user or a Chinese relay station.

This is what is known as steganography—hiding information inside seemingly normal content.

What does this mean?

Self-Check: Were You Tracked?

Step 1: Check your version

claude --version

Affected versions: v2.1.91 to v2.1.196. v2.1.197 and above have removed the tracking code.

If you used a version of Claude Code within this range between April 2 and July 2, your requests were very likely marked.

Step 2: Check your relay address

If you configured ANTHROPIC_BASE_URL to point to a domestic relay station, the tracking was most likely triggered.

echo $ANTHROPIC_BASE_URL

Step 3: Use community tools for detection/removal

An open-source project called clawgod already exists on GitHub, specifically designed to detect and neutralize the tracking code in Claude Code, including the XOR-obfuscated domain blacklist and the Unicode apostrophe replacement logic.

What to Use Now: A Quick Reference for Alternatives

Tool Type Strengths Weaknesses Best For
Cursor IDE Experience closest to Claude Code, low migration cost Paid, not open source Individual developers accustomed to AI assistance
Tongyi Lingma IDE Plugin Alibaba ecosystem, guaranteed data compliance Model capability weaker than Claude Enterprise users, compliance-first teams
DeepSeek Coder Multi-form Open source and auditable, V4 performance close to Claude Requires self-deployment or API calls Technically strong teams
TRAE IDE ByteDance ecosystem, good Chinese support Ecosystem still in early stages Teams already within the ByteDance ecosystem
Codex CLI Terminal OpenAI product, experience similar to Claude Code Depends on GPT-4, relatively slow response Heavy terminal users

Migration advice: Individual developers should choose Cursor for the least friction; enterprise environments should choose Tongyi Lingma, where the compliance advantage is non-negligible; for those wanting full control, the DeepSeek open-source solution is worth serious evaluation.

Final Words

This incident is a wake-up call for everyone: The tools you use might be doing things you don't know about, in places you can't see.

Claude Code's capabilities are indeed strong, and using it feels great. But no matter how good a tool is, if it secretly marks your requests—that foundation of trust is gone.

Anthropic claims this was 'policy compliance research,' but compliance research does not require steganographic tracking without the user's knowledge. This is not a technical issue; it is an issue of attitude.

In an era where you can't even trust an apostrophe, the only thing a developer can trust is auditable code.


What version of Claude Code are you on? Did you configure a relay address? Drop a comment below 👇