跪拜 Guibai
← Back to the summary

Claude Code's Hidden Backdoor Is Just the Start of Its Undocumented Surveillance

On July 8, the Ministry of Industry and Information Technology's NVDB issued a risk alert: Claude Code has a security backdoor vulnerability with serious harm. Alibaba immediately followed up by announcing a company-wide ban on July 10.

It caused an uproar. Tech groups were flooded with questions: Can we still use it? Should we uninstall it?

I've been using CC for over half a year, routing through the DeepSeek API. The backdoor issue didn't actually surprise me much—someone on Reddit had already reverse-engineered it at the end of June. But what really surprised me was the other stuff I dug up following this trail. The backdoor is just the tip of the iceberg.

Let's start with the backdoor itself.

How CC Determines If You're a Chinese User

Reddit user LegitMichel777 reverse-engineered three layers of detection in v2.1.196, which had been present since v2.1.91:

Layer 1: Reads your system timezone. Is it Asia/Shanghai or Asia/Urumqi? Flagged.

Layer 2: Checks your API proxy address. CC has a built-in hardcoded blacklist of 147 domains—Baidu, Alibaba, ByteDance, Moonshot, MiniMax, DeepSeek, Zhipu, StepFun, all on it. Hit a match? Flagged.

Layer 3 is the slickest: The detection result isn't transmitted separately over the network. It's hidden in the system prompt—the date format quietly changes from 2026-06-30 to 2026/06/30, and the apostrophe in "Today's" switches between three visually identical Unicode characters. You can't see it, the AI can't see it, but Anthropic's server-side can parse it. Security researcher Adnane Khan (Thereallo) published a detailed reverse-engineering analysis.

The code was obfuscated with XOR key 91. Four months, no user notification. [1]

Anthropic team member Thariq Shihipar responded on X on July 1, saying this was an "experiment" started in March aimed at preventing account reselling and model distillation, and it was removed on July 2. The MIIT classified it as 'serious harm'—no argument there.

Note: The backdoor details above—timezone detection, 147-domain blacklist, Unicode steganography, XOR key 91—come from community reverse-engineering analysis. Anthropic has acknowledged the mechanism's existence but has not confirmed all implementation details.

But the Backdoor Isn't the Worst Part

There's a more insidious issue that Anthropic still hasn't addressed directly.

Since v2.1.36, Claude Code has been inserting a line x-anthropic-billing-header at the very beginning of the system prompt for every API request, containing a five-character hex field called cch.

Key point: The value of cch is different for every request.

Three rounds of conversation in the same session, cch goes 97bd624c2dead88 in sequence. [2]

Why does this matter? Anthropic's prompt caching relies on prefix matching. The system prompt is at the very front of the prefix. If cch changes every time, the prefix hash won't match, and the cache painstakingly built up from the previous round is rendered useless.

Anthropic's own server-side knows how to handle this, of course—the server sees this line and skips it, not affecting the cache. But all third-party proxies don't know. DeepSeek doesn't know. Bedrock doesn't know. Local vLLM doesn't know. They diligently treat this line as part of the system prompt body, making it a brand-new prefix every time, with a hit rate of zero.

There's something even more brutal: CC not only injects a new cch, it also performs a global find-and-replace across all historical messages, swapping the old cch value for the new one. If an old message happened to contain the previous cch string, it gets altered—the prefix is permanently damaged, unrecoverable. One user tested it: before the fix, resuming a session cost 56,296 tokens; after the fix, 32 tokens. A 1750x difference. [3]

This isn't a bug. This is deliberately making the experience on third-party APIs worse to push you back to Anthropic's official service.

The way to turn it off was reverse-engineered from the binary. An environment variable discovered by the community, with no official documentation:

CLAUDE_CODE_ATTRIBUTION_HEADER=0

Note: This environment variable comes from community reverse-engineering analysis, not official Anthropic documentation. Tested and effective on version 2.1.169; may not work on subsequent versions.

Digging Further

The backdoor and cache sabotage piqued my interest—just how much else has Anthropic not disclosed? After combing through a large number of GitHub issues and community reverse-engineering analyses, I found the following. These findings come from GitHub issues and community analysis; Anthropic has not proactively disclosed them:

1. It sends a heartbeat to Datadog every 3-9 seconds in the background. The target address is http-intake.logs.us5.datadoghq.com. Anthropic's official data usage documentation mentions Statsig and Sentry but says nothing about Datadog. Community reverse-engineering statistics count 1086 telemetry event types in version v2.1.169. [4]

2. If you disable telemetry, it degrades your performance. DISABLE_TELEMETRY=1 doesn't just stop reporting—it also disables experimental feature delivery. The result: cache TTL drops from 1 hour to 5 minutes, and some models you've paid for are silently blocked. Not a single hint in the documentation. [5]

3. WebFetch reports the domain you're visiting to Anthropic first. Before every web page fetch, CC stealthily requests claude.ai/api/web/domain_info?domain=xxx, telling the server which domain you're looking at. The way to turn it off is deeply hidden: add "skipWebFetchPreflight": true in settings.json. [6]

4. Used the /bug command? Your entire session is retained for 5 years. Code, file contents, bash output—sent verbatim to Anthropic. Even if you've selected "Don't use my data for training" in your privacy settings, this retention period is unaffected. Official documentation confirms the 5-year retention period. The community workaround is DISABLE_BUG_COMMAND=1.

Note: DISABLE_BUG_COMMAND=1 comes from community suggestions, not official Anthropic documentation. Same for VERCEL_PLUGIN_TELEMETRY=off.

5. The official Vercel plugin collects telemetry using hidden commands. The plugin silently injects prompts via the UserPromptSubmit hook, making the AI solicit telemetry authorization from you. You can't see these injected commands at all. Clicking "No" is useless—it only stops text collection; everything else runs as usual. Turn it off: VERCEL_PLUGIN_TELEMETRY=off. [7]

6. Pressing save in the editor = file contents potentially leaked to the model. CC's FileChanged notification mechanism injects the complete file contents into the model context when you save a file. This behavior bypasses all the protections you've set up—.gitignore is useless, rules in CLAUDE.md are useless, MCP hooks are useless. If .env is saved, it's leaked. This issue is documented in detail in a GitHub issue, and there is currently no official switch.

7. You paid for a subscription, but you can only use it in CC. Anthropic has added a hard oAuth token check on the server side. Pro/Max subscription tokens are outright rejected in third-party tools like OpenCode and Roo Code. The returned message is blunt: "this credential is only authorized for use with Claude Code". [8]

What I Did

After figuring all this out, I put together a set of environment variables. Add them to the env section of ~/.claude/settings.json, or directly to your shell profile:

# Data doesn't go to Anthropic
export ANTHROPIC_BASE_URL="https://api.deepseek.com/anthropic"

# Restore caching (community reverse-engineering discovery, not official documentation)
export CLAUDE_CODE_ATTRIBUTION_HEADER=0

# Disable reporting
export ANTHROPIC_TELEMETRY_DISABLED=1
export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1

# Disable /bug (community suggestion)
export DISABLE_BUG_COMMAND=1

# Disable Vercel plugin telemetry (community suggestion)
export VERCEL_PLUGIN_TELEMETRY=off

# Don't chase the latest version
npm install -g @anthropic-ai/[email protected]

Add one more line to settings.json:

{ "skipWebFetchPreflight": true }

Regarding flag notes: Among the above environment variables, ANTHROPIC_TELEMETRY_DISABLED and CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC are confirmed by Anthropic's official documentation. CLAUDE_CODE_ATTRIBUTION_HEADER, DISABLE_BUG_COMMAND, VERCEL_PLUGIN_TELEMETRY come from community discoveries and require self-verification. skipWebFetchPreflight is a settings.json configuration item.

This configuration set was accumulated during my maintenance of claude-clean. claude-clean is a toolset I use myself; it hasn't been publicly released yet—partly because I'm assessing legal risks, and partly because if Anthropic takes notice, they might target it with countermeasures.

If You Really Don't Want the Hassle

There are other options.

Disclaimer: Pi mentioned below is a tool I'm currently using, and Reasonix is a reference project I've researched (its prefix-cache design is helpful for understanding CC's caching issues). ZCode, Qwen Code, and OpenCode are based solely on public information and short-term hands-on testing. No one paid me to promote any tool.

CC Reasonix ZCode Qwen Code Pi OpenCode
Backdoor Yes No No No No No
Open Source No MIT No Yes MIT Yes
Model Claude DeepSeek V4 GLM-5.2 Qwen3.7 50+ 75+
Caching Deliberately sabotaged Prefix optimized Normal Normal Normal Normal
Cost Pay-per-use API pay-per-use 3M/day free Bailian 70M Bring your own key Bring your own key
Form Factor TUI TUI+Desktop Desktop+TUI TUI TUI TUI+Desktop
Stability Stable Go version stable Occasional crashes ⚠️ Froze in testing Minimalist, stable Mature
Lock-in Severe DS exclusive None None None None

A few I've actually tried:

CC via DeepSeek is my current main driver. The toolchain is the most familiar, and I feel more at ease after configuring the settings above.

Reasonix is DeepSeek's own child, rewritten in Go. It's the only one that treats prefix-cache as a first-class citizen in its design. There are community reports of very high cache hit rates and significant cost savings on similar tasks. If DeepSeek is your main model, it's worth a try. (The "99.82%" and "$12 vs $61" figures in the text come from community sharing, not independent verification results.)

ZCode is Zhipu's product; the desktop app is well-made, and GLM-5.2 ranks second on Code Arena. The free tier offers 3 million tokens per day. Installable via npm.

Qwen Code is not great. It froze on the very first task I gave it after installation. Wait for a few versions.

Pi takes a minimalist approach, MIT license. Deliberately omits MCP, sub-agents, and permission pop-ups—if you want them, add your own TypeScript extensions. 50+ providers, switch freely. pi.dev. I'm currently using it, and the experience is good.

OpenCode is the open-source community's ace in the hole, 182K+ stars on GitHub. 75+ providers, TUI + desktop app. The most freedom.

Finally

The MIIT is right; the original CC shouldn't be trusted. But not using CC and not knowing what CC is doing are two different things.

Understanding where the data flows, where the trust boundaries lie, and which switches you can flip—that's far more important than the choice between uninstalling or continuing to use it.

I'm not advising you to uninstall. Whether you use it is your own business. But you should know.


Wen Gezi, building terminal agent tools and tinkering with AI security configurations. GitHub: gezi-wen

Comments

Top 1 of 2 from juejin.cn, machine-translated. The original thread is authoritative.

THERE_ARE_YOU

It's already like this and you still want to use CC. After all that effort to get the features working, there's no need to keep forcing it.

文歌子

True. I'm trying Pi as a replacement, and so far the experience has been pretty good. The high extensibility is quite interesting.