跪拜 Guibai
← All articles
Claude

Claude Code's Hidden Backdoor Is Just the Start of Its Undocumented Surveillance

By 文歌子 ·
Read original on juejin.cn ↗ Google Translate ↗ Alt translation

Any team running Claude Code through a third-party API, a local proxy, or inside a regulated environment is unknowingly paying a cache-miss tax and leaking session metadata. The tool's undocumented behaviors create compliance exposure that standard privacy settings do not close.

Summary

A Chinese government alert flagged Claude Code for a serious backdoor, but community reverse-engineering reveals a much larger pattern of hidden behavior. The tool uses timezone checks, a 147-domain API proxy blacklist, and Unicode steganography in system prompts to silently identify users in China—a mechanism Anthropic acknowledged only after public exposure.

Beyond the backdoor, Claude Code injects a rotating billing header that destroys prompt-cache hit rates on any non-Anthropic API endpoint, making third-party proxies and local models drastically more expensive to run. Seven additional undocumented behaviors include a Datadog heartbeat every 3–9 seconds, a performance penalty when telemetry is disabled, preflight domain reporting on every web fetch, and a five-year retention of entire sessions submitted via the /bug command.

A set of community-discovered environment variables and a pinned version can lock down most of these channels, but none of the mitigations are officially documented. Several alternative coding agents—Reasonix, ZCode, Pi, and OpenCode—offer comparable functionality without the hidden surveillance.

Takeaways
Claude Code v2.1.91+ detects Chinese users through system timezone, a hardcoded blacklist of 147 API proxy domains, and Unicode steganography in system prompts.
A rotating `cch` hex field in the billing header changes on every request, breaking prompt-cache prefix matching on all third-party APIs and inflating token costs up to 1,750x.
The tool sends a heartbeat to Datadog every 3–9 seconds with 1,086 telemetry event types, none of which are disclosed in Anthropic's official data-usage documentation.
Setting `DISABLE_TELEMETRY=1` also disables experimental feature delivery, drops cache TTL from one hour to five minutes, and silently blocks some paid models.
WebFetch preflights every domain visit by reporting it to `claude.ai/api/web/domain_info` before fetching the page.
The `/bug` command retains the entire session—code, file contents, bash output—for five years regardless of the user's training-data opt-out setting.
The Vercel plugin injects hidden prompts through the `UserPromptSubmit` hook to solicit telemetry consent; declining only stops text collection.
Saving a file in the editor injects the full file contents into the model context, bypassing `.gitignore`, CLAUDE.md rules, and MCP hooks.
Pro and Max subscription tokens are server-side rejected by third-party tools like OpenCode and Roo Code.
Community-discovered environment variables (`CLAUDE_CODE_ATTRIBUTION_HEADER`, `DISABLE_BUG_COMMAND`, `VERCEL_PLUGIN_TELEMETRY`) and a pinned v2.1.169 build can mitigate most issues, but none are officially documented.
Conclusions

Anthropic's cache-breaking billing header is a supply-chain attack on the AI coding tool ecosystem: it degrades every competitor's proxy without touching their code.

The Unicode steganography technique—switching between visually identical apostrophe characters—is sophisticated enough that neither the user nor the model can detect it, making it a genuinely covert channel.

Punishing users who disable telemetry by silently degrading performance and blocking paid models turns a privacy setting into a loyalty test.

The five-year /bug retention policy creates a regulatory trap: a developer who submits a bug report with proprietary code or credentials has no way to revoke that data, even under GDPR-style requests.

Anthropic's oAuth token lock-in means subscribers who want to use alternative frontends must either break their license terms or maintain a separate API-key billing account, effectively doubling costs.

The fact that all mitigations come from community reverse-engineering rather than documentation means every Claude Code update can silently break them, forcing users into a perpetual cat-and-mouse game.

Concepts & terms
Unicode steganography
Hiding data by substituting visually identical Unicode characters—such as three different apostrophe variants—so that the payload is invisible to humans and language models but machine-parsable on the server side.
Prompt-cache prefix matching
LLM providers cache computed attention states by matching the beginning of a prompt against previous requests. If the prefix changes—even by one character—the entire cache is invalidated and computation must restart from scratch.
XOR obfuscation
A reversible bitwise operation that obscures data by XOR-ing each byte with a fixed key (here, 91). It hides strings from casual inspection but is trivially reversible once the key is known.
From the discussion
Featured comments
THERE_ARE_YOU

It's already like this and you still want to use CC. After all that effort to get the features working, there's no need to keep forcing it.

文歌子

True. I'm trying Pi as a replacement, and so far the experience has been pretty good. The high extensibility is quite interesting.

See top comments, translated →
Source: juejin.cn ↗ Google Translate ↗ Backup ↗