Silent browser injection vs prompt Unicode fingerprints · Event A/B fact check · Anti-distillation motive · Self-audit checklist
TL;DR: In late June 2026, according to a reverse-engineering report on thereallo.dev, Claude Code (not the web app) used text steganography when users pointed ANTHROPIC_BASE_URL at a non-official address. It rewrote the harmless-looking Today's date is... line in the system prompt—switching date separators and nearly invisible Unicode apostrophes to smuggle signals about China time zones, China-related domains, and AI lab keywords back to the server. Anthropic removed the logic in 2.1.197. The likely goal was anti-distillation and anti-resale, but the method was covert and obfuscated. A separate April 2026 incident involved Claude Desktop silently writing browser Native Messaging manifests—often conflated online, but not the same event. This article covers: Event A/B comparison table, Unicode mapping table, Hacker News debate, five self-protection steps, vendor-trust framing, and FAQ.
Many reposts collapse two separate but related incidents into one story. English-language technical readers on HN, Reddit, and security forums can spot the factual error immediately. Before you publish or share, keep the split clear:
| Dimension | Event A: Silent browser injection | Event B: System prompt steganography |
|---|---|---|
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Reporter | Alexander Hanff (The Register) | Reverse engineering published on thereallo.dev, amplified via Reddit and HN |
| Timeline | April 2026 (from ~4/18 onward) | June 30, 2026 |
| Core behavior | Silently writes com.anthropic.claude_browser_extension.json, pre-authorizing three extension IDs to call out-of-sandbox chrome-native-host; creates directories even without a browser installed; deleted files may return after restart | When ANTHROPIC_BASE_URL ≠ api.anthropic.com, rewrites the Today's date is... line using steganography |
| Labels used | spyware / backdoor | prompt steganography / covert channel |
| Trigger | Installing or launching Claude Desktop | Only when a non-official Base URL is set; not guaranteed on every conversation |
| Anthropic response | No formal public response; later versions added an authorization toggle without fully removing the underlying permission model | Acknowledged the code existed; removed it in 2.1.197 on July 1 with no changelog mention |
Citable facts: Independent consultant Noah Kenney (Digital 520) confirmed Hanff’s technical claims were reproducible; Antiy Labs published a risk analysis of Claude Desktop’s high-privilege browser channel. The HN thread hit the front page within hours with 350+ points and 100+ comments, splitting the community between “reasonable anti-distillation defense” and “close to malicious for a developer tool.”
Undisclosed and deliberately obfuscated: Domain and keyword lists were lightly obfuscated with base64 plus XOR(91), roughly 147 rules, present in builds 2.1.193, 195, and 196 per reverse engineers.
Developer tools live on trust: Claude Code sells on developer confidence. Hiding classification signals inside punctuation led one HN camp to call it “malware-adjacent.”
Desktop pre-builds a high-privilege channel: Even if unused today, Event A paves an out-of-browser-sandbox path. Anthropic itself reported Claude for Chrome prompt-injection success rates of 23.6% without mitigation and 11.2% with mitigation.
Compliance and credibility risk: Treating motive as proven fact hurts trust. Use wording like “according to the report” or “alleged”; judge purpose (anti-distillation) separately from method (steganography).
Key precondition: This only triggers when you point ANTHROPIC_BASE_URL at a non-official address—a proxy, gateway, third-party reseller, or OpenAI-compatible layer. The official api.anthropic.com endpoint was left unchanged.
Once triggered, the program modifies two things inside the innocent-looking Today's date is ... system prompt line:
| Detected condition | Date format | Apostrophe character | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' standard ASCII apostrophe | U+0027 |
| China institution / reseller domain match | 2026-06-30 | ’ right single quotation mark | U+2019 |
| AI lab keyword match (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, etc.) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab keyword match | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| Plus China time zone (Asia/Shanghai / Asia/Urumqi) | 2026/06/30 | (apostrophe rules as above) | — |
In plain terms: The request looks like a normal English prompt, but the backend can read the date separator and apostrophe Unicode code points and infer labels such as “this user routes through an overseas proxy but runs in a China time zone and may belong to a specific Chinese AI lab.” That is a classic covert channel.
```bash
echo "$ANTHROPIC_BASE_URL"   # If non-empty and not https://api.anthropic.com → fingerprint logic may have applied
claude --version             # confirm ≥ 2.1.197
```
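To check system prompts you have captured at your own proxy or gateway against the mapping table above, the following added example (not code from the report or from Anthropic) reads the code point in the apostrophe slot and the date separator. It assumes the date follows "date is " directly in the two formats the table lists; the sample prompts are constructed.

```python
import re
from typing import Optional

# Apostrophe code points and the signal each reportedly carried (from the table above).
APOSTROPHE_SIGNALS = {
    "\u0027": "default (no match)",
    "\u2019": "China institution / reseller domain match",
    "\u02bc": "AI lab keyword match",
    "\u02b9": "domain and AI lab keyword match",
}

# Capture whatever character sits in the apostrophe slot, plus the date separator.
# Assumption: the date follows "date is " directly as YYYY-MM-DD or YYYY/MM/DD.
DATE_LINE = re.compile(r"Today(.)s date is \d{4}([-/])\d{2}\2\d{2}")


def audit_date_line(system_prompt: str) -> Optional[dict]:
    """Return the code points found in the date line, or None if the line is absent."""
    m = DATE_LINE.search(system_prompt)
    if m is None:
        return None
    apostrophe, separator = m.group(1), m.group(2)
    return {
        "apostrophe": f"U+{ord(apostrophe):04X}",
        "apostrophe_signal": APOSTROPHE_SIGNALS.get(apostrophe, "unlisted code point"),
        "timezone_signal": separator == "/",
        # Anything other than ASCII apostrophe plus hyphens deviates from the default row.
        "flagged": apostrophe != "\u0027" or separator != "-",
    }


def flagged_requests(captured_prompts: list) -> list:
    """Indices of captured system prompts whose date line deviates from the default."""
    hits = []
    for i, prompt in enumerate(captured_prompts):
        result = audit_date_line(prompt)
        if result is not None and result["flagged"]:
            hits.append(i)
    return hits


# Constructed sample prompts (not captured traffic), one per table row of interest.
SAMPLES = [
    "You are a coding assistant.\nToday's date is 2026-06-30.",
    "Today\u2019s date is 2026-06-30.",
    "Today\u02bcs date is 2026/06/30.",
    "Today\u02b9s date is 2026-06-30.",
    "No date line in this prompt.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit_date_line(sample))
```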
The mainstream, relatively restrained reading: the goal was anti-distillation plus blocking unauthorized resale. Anthropic, OpenAI, and Google have all publicly worried about rivals pulling large API outputs to train smaller models. China-related proxies, resellers, and labs were high on the suspicion list.
“The purpose is understandable; the method is the problem.” Turning classification signals invisible to the eye and hiding them inside obfuscated code in every request crosses a trust line for a tool developers rely on daily.
| HN / community camp | Representative view | What it means for you |
|---|---|---|
| Defense camp | Reasonable anti-distillation protection for model investment | Understand the business motive, but reject covert implementation |
| Critic camp | Near-malicious for a developer tool; should be disclosed with an opt-out | Demand disclosure, auditability, and a kill switch |
| Security camp | Event A pre-builds an out-of-sandbox channel; prompt-injection risk data is real | Treat Desktop Agents like high-privilege software |
“Spyware” is an emotionally loaded label. More precise framing:
Whether or not you use the spyware word, the core issue is the same: behavior that was not clearly disclosed and was deliberately hidden.
Check Base URL: Confirm whether ANTHROPIC_BASE_URL is set. Official endpoints do not trigger Event B. Upgrade Claude Code to 2.1.197+.
Check Native Messaging (Event A): On macOS inspect ~/Library/Application Support/<browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json and remove if needed; Claude Desktop may recreate it.
Check time zone plus proxy combinations: Reports suggest VPN plus China time zone plus a third-party API gateway increased fingerprint matches; document routing policy explicitly in production.
Enterprise / sensitive environments: Decide whether Desktop Agents belong in production paths at all. Minimum privilege, explicit consent, and audit trails are baseline.
Isolation acceptance: Run Claude Code on a rented remote Mac with VNC as a separate node. Use the graphical session to verify macOS Privacy & Security settings, browser Native Messaging directories, and Keychain prompts—without contaminating your primary dev machine. When the project ends, stop renting or swap nodes.
```bash
for app in "Google/Chrome" "Microsoft Edge" "BraveSoftware/Brave-Browser" "Arc/User Data"; do
  f="$HOME/Library/Application Support/$app/NativeMessagingHosts/com.anthropic.claude_browser_extension.json"
  [ -f "$f" ] && echo "FOUND: $f"
done
```
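The loop above only reports that the manifest exists. This added example (not from the original reports) goes a step further and reads what each manifest authorizes, using the standard Native Messaging manifest fields `path` and `allowed_origins`. It searches every browser directory under the given root rather than a fixed list, and records the modification time so a recreated file can be spotted after a restart.

```python
import json
from pathlib import Path

MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"  # file name from the article


def audit_native_messaging(app_support: Path) -> list:
    """Report the host binary and extension origins each manifest authorizes."""
    findings = []
    for manifest in sorted(app_support.rglob(MANIFEST_NAME)):
        # Only manifests inside a browser's NativeMessagingHosts directory are live.
        if manifest.parent.name != "NativeMessagingHosts":
            continue
        try:
            data = json.loads(manifest.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            findings.append({"manifest": str(manifest), "error": str(exc)})
            continue
        host = data.get("path", "")
        findings.append({
            "manifest": str(manifest),
            "host_binary": host,                       # native host the browser may launch
            "host_exists": bool(host) and Path(host).exists(),
            "allowed_origins": data.get("allowed_origins", []),  # pre-authorized extensions
            "mtime": manifest.stat().st_mtime,         # compare across restarts
        })
    return findings


if __name__ == "__main__":
    root = Path.home() / "Library" / "Application Support"
    for finding in audit_native_messaging(root):
        print(json.dumps(finding, indent=2))
```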
The warning is not about one apostrophe. When model capability races ahead of security boundaries, consent, and audit, vendors often cross trust lines in the name of “experience” or “abuse prevention.” The same security gaps from early PCs and smartphones are replaying on desktop AI Agents.
Default to skepticism, demand evidence: Reproducible, auditable, and disable-able behavior earns trust.
Ask for disclosure, not hiding: Anti-distillation can be done openly—with published policy and a toggle—not inside punctuation.
Minimum privilege plus boundary isolation: Treat every desktop Agent as high-privilege software.
Vote with your feet and regulation: GDPR, local privacy law, and market choice are the long-term brakes on “technology without limits.”
Technology can be neutral; companies cannot be. Greater capability demands greater self-restraint—and that should not be a secret users only discover by reversing binaries.
The Register (Claude Desktop permissions, April 2026); Malwarebytes / gHacks / YOOTA; thereallo.dev (original reverse engineering); Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix coverage); Antiy Labs risk analysis.
Not in the classic spyware sense, but according to reverse-engineering reports it once embedded undisclosed, obfuscated fingerprints in system prompts; Anthropic removed them in 2.1.197. A more accurate label is an undisclosed covert channel.
Event B only triggers in Claude Code when a non-official ANTHROPIC_BASE_URL is set. Users on the official endpoint are not affected by this logic.
According to the report, it checks for Asia/Shanghai / Asia/Urumqi only when a non-default Base URL is set, and encodes a match via the date separator; the official endpoint does not alter the date line.
The apostrophe in Today's switches among U+0027, U+2019, U+02BC, and U+02B9 to encode matches for China-related domains, AI lab keywords, or both.
The mainstream reading is anti-distillation and unauthorized API resale detection—a legitimate goal implemented through an undisclosed covert mechanism.
No. April’s Hanff report covered Desktop silently writing browser Native Messaging manifests (Event A). June’s thereallo.dev disclosure covered Code prompt steganography (Event B).
Under ~/Library/Application Support/<browser>/NativeMessagingHosts/, delete com.anthropic.claude_browser_extension.json. Restarting Claude Desktop may recreate it—adjust version settings or stop using Desktop if needed.
Teams with sensitive code or auditable permission requirements benefit from renting a dedicated remote Mac with VNC to inspect Native Messaging, TCC authorization, and project directories in a graphical session, then stopping the lease when done—reducing risk that a Desktop Agent rewrites a primary machine.
The Claude steganography controversy shows that when AI Agents can modify browsers and rewrite system prompts, the hidden risks on a primary development machine—permission residue, unauditable channels, obfuscated telemetry—are badly underestimated. Claude Code runs on Windows and Linux, but Claude Desktop Native Messaging and macOS permission dialogs still need a real macOS graphical session to fully validate.
Rent a VNCMac remote Mac to install Claude Code on an isolated node, use VNC to walk through browser manifests and Privacy settings item by item, and stop renting when the project ends—far more controllable than letting high-privilege Agents run loose on your daily driver.