AI Security & Privacy · July 3, 2026 · 22 min read · Claude Code Steganography

Claude Code Hidden Fingerprints
How Anthropic Tagged Proxy Users With One Apostrophe

Silent browser injection vs prompt Unicode fingerprints · Event A/B fact check · Anti-distillation motive · Self-audit checklist

Diagram of Claude Code system prompt Unicode apostrophe covert fingerprinting

TL;DR: In late June 2026, according to a reverse-engineering report on thereallo.dev, Claude Code (not the web app) used text steganography when users pointed ANTHROPIC_BASE_URL at a non-official address. It rewrote the harmless-looking Today's date is... line in the system prompt—switching date separators and nearly invisible Unicode apostrophes to smuggle signals about China time zones, China-related domains, and AI lab keywords back to the server. Anthropic removed the logic in 2.1.197. The likely goal was anti-distillation and anti-resale, but the method was covert and obfuscated. A separate April 2026 incident involved Claude Desktop silently writing browser Native Messaging manifests—often conflated online, but not the same event. This article covers: Event A/B comparison table, Unicode mapping table, Hacker News debate, five self-protection steps, vendor-trust framing, and FAQ; see also our Anthropic IPO guide and AI coding assistant comparison.


Two incidents, do not merge them: Event A vs Event B

Many reposts collapse two separate but related incidents into one story. English-language technical readers on HN, Reddit, and security forums can spot the factual error immediately. Before you publish or share, keep the split clear:

| Dimension | Event A: Silent browser injection | Event B: System prompt steganography |
|---|---|---|
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Reporter | Alexander Hanff (The Register) | Reverse engineering published on thereallo.dev, amplified via Reddit and HN |
| Timeline | April 2026 (from ~4/18 onward) | June 30, 2026 |
| Core behavior | Silently writes com.anthropic.claude_browser_extension.json, pre-authorizing three extension IDs to call the out-of-sandbox chrome-native-host; creates directories even without a browser installed; deleted files may return after restart | When ANTHROPIC_BASE_URL ≠ api.anthropic.com, rewrites the Today's date is... line using steganography |
| Labels used | spyware / backdoor | prompt steganography / covert channel |
| Trigger | Installing or launching Claude Desktop | Only when a non-official Base URL is set; not guaranteed on every conversation |
| Anthropic response | No formal public response; later versions added an authorization toggle without fully removing the underlying permission model | Acknowledged the code existed; removed it in 2.1.197 on July 1 with no changelog mention |

Citable facts: Independent consultant Noah Kenney (Digital 520) confirmed Hanff’s technical claims were reproducible; Antiy Labs published a risk analysis of Claude Desktop’s high-privilege browser channel. The HN thread hit the front page within hours with 350+ points and 100+ comments, splitting the community between “reasonable anti-distillation defense” and “close to malicious for a developer tool.”

Pain points: why developers feel betrayed

  1. Undisclosed and deliberately obfuscated: Domain and keyword lists were lightly obfuscated with base64 plus XOR(91), roughly 147 rules, present in builds 2.1.193, 195, and 196 per reverse engineers.

  2. Developer tools live on trust: Claude Code sells on developer confidence. Hiding classification signals inside punctuation led one HN camp to call it “malware-adjacent.”

  3. Desktop pre-builds a high-privilege channel: Even if unused today, Event A paves an out-of-browser-sandbox path. Anthropic itself reported Claude for Chrome prompt-injection success rates of 23.6% without mitigation and 11.2% with mitigation.

  4. Compliance and credibility risk: Treating motive as proven fact hurts trust. Use wording like “according to the report” or “alleged”; judge purpose (anti-distillation) separately from method (steganography).


How the steganography works: Unicode mapping table

Key precondition: This only triggers when you point ANTHROPIC_BASE_URL at a non-official address—a proxy, gateway, third-party reseller, or OpenAI-compatible layer. The official api.anthropic.com endpoint was left unchanged.

Once triggered, the program modifies two things inside the innocent-looking Today's date is ... system prompt line:

| Detected condition | Date format | Apostrophe character | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' standard ASCII apostrophe | U+0027 |
| China institution / reseller domain match | 2026-06-30 | ’ right single quotation mark | U+2019 |
| AI lab keyword match (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, etc.) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab keyword match | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| Plus China time zone (Asia/Shanghai / Asia/Urumqi) | 2026/06/30 | (apostrophe rules as above) | |

In plain terms: The request looks like a normal English prompt, but the backend can read the date separator and apostrophe Unicode code points and infer labels such as “this user routes through an overseas proxy but runs in a China time zone and may belong to a specific Chinese AI lab.” That is a classic covert channel.
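The decoder below shows what the table means in practice from the receiving side: given a request body, it finds the Today's date is line, reads the apostrophe code point and the date separator, and reports the labels the report says they encode, plus a neutralizer that a proxy or gateway operator could use to blank the channel before forwarding. This is an added example, not code from the thereallo.dev report or from Claude Code. The code point to label mapping and the slash-separator rule are taken from the table above; the request shape (a top-level "system" field that is either a string or a list of text blocks) follows the Anthropic Messages API, and the sample requests in SAMPLES are constructed here.

```python
"""Decode the covert "Today's date is ..." fingerprint described in the table above.

Added example, not code from the thereallo.dev report or from Claude Code. The
apostrophe-to-label mapping and the slash-separator rule come from the article's
table; the request body shape (top-level "system" as a string or as a list of
text blocks) follows the Anthropic Messages API; SAMPLES are constructed here.
"""
import re
import unicodedata
from typing import Optional

# Apostrophe code point -> what the report says it signals.
APOSTROPHE_LABELS = {
    "\u0027": "no match",
    "\u2019": "China institution / reseller domain match",
    "\u02bc": "AI lab keyword match",
    "\u02b9": "domain and lab keyword match",
}

# The date separator is captured once and must repeat, so "2026-06/30" is not matched.
DATE_LINE = re.compile(
    r"Today(?P<apos>[\u0027\u2019\u02bc\u02b9])s date is "
    r"(?P<date>\d{4}(?P<sep>[-/])\d{2}(?P=sep)\d{2})"
)


def decode_date_line(text: str) -> Optional[dict]:
    """Return the labels encoded in the date line, or None if there is no date line."""
    m = DATE_LINE.search(text)
    if m is None:
        return None
    apos, sep = m.group("apos"), m.group("sep")
    return {
        "apostrophe": f"U+{ord(apos):04X}",
        "apostrophe_name": unicodedata.name(apos),
        "separator": sep,
        "china_timezone": sep == "/",  # slash form = Asia/Shanghai or Asia/Urumqi per the table
        "match": APOSTROPHE_LABELS[apos],
        "fingerprinted": apos != "\u0027" or sep == "/",
    }


def neutralize_date_line(text: str) -> str:
    """Rewrite the date line to the default form so the channel carries nothing."""
    return DATE_LINE.sub(
        lambda m: f"Today's date is {m.group('date').replace('/', '-')}", text
    )


def system_text(body: dict) -> str:
    """Concatenate the system prompt, whether it is a string or a list of text blocks."""
    system = body.get("system", "")
    if isinstance(system, str):
        return system
    return "\n".join(b.get("text", "") for b in system if isinstance(b, dict))


def scan_request(body: dict) -> Optional[dict]:
    """Gateway-side check: decode the fingerprint carried by a Messages API request body."""
    return decode_date_line(system_text(body))


# Constructed sample requests, one per row of the mapping table.
SAMPLES = {
    "default": {"system": "Today's date is 2026-06-30."},
    "domain": {"system": "Today\u2019s date is 2026-06-30."},
    "lab_keyword": {"system": [{"type": "text", "text": "Today\u02bcs date is 2026-06-30."}]},
    "both_plus_cn_tz": {"system": "Today\u02b9s date is 2026/06/30."},
}

if __name__ == "__main__":
    for name, body in SAMPLES.items():
        print(f"{name:16} {scan_request(body)}")
```

Run it as a script to see one decoded record per sample; on a gateway, call scan_request on each inbound body and log the result, or pass the system text through neutralize_date_line before forwarding. Note that ordinary Unicode normalization is not a substitute: NFKC leaves U+2019 and U+02BC as they are, so the apostrophe has to be matched explicitly.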

Check environment variables (Event B trigger)
echo $ANTHROPIC_BASE_URL
# If non-empty and not https://api.anthropic.com → fingerprint logic may have applied
claude --version  # confirm ≥ 2.1.197

Why did Anthropic do this? Motive and controversy

The mainstream, relatively restrained reading: the goal was anti-distillation plus blocking unauthorized resale. Anthropic, OpenAI, and Google have all publicly worried about rivals pulling large API outputs to train smaller models. China-related proxies, resellers, and labs were high on the suspicion list.

“The purpose is understandable; the method is the problem.” Turning classification signals invisible to the eye and hiding them inside obfuscated code in every request crosses a trust line for a tool developers rely on daily.

| HN / community camp | Representative view | What it means for you |
|---|---|---|
| Defense camp | Reasonable anti-distillation protection for model investment | Understand the business motive, but reject covert implementation |
| Critic camp | Near-malicious for a developer tool; should be disclosed with an opt-out | Demand disclosure, auditability, and a kill switch |
| Security camp | Event A pre-builds an out-of-sandbox channel; prompt-injection risk data is real | Treat Desktop Agents like high-privilege software |

Does this count as spyware?

“Spyware” is an emotionally loaded label. More precise framing:

  • Event A is closer to “unauthorized modification of third-party software plus a dormant high-privilege attack surface”—even if not exploited yet, it pre-wires a browser channel outside the sandbox.
  • Event B is closer to “undisclosed covert telemetry / user classification.”

Whether or not you use the spyware word, the core issue is the same: behavior that was not clearly disclosed and was deliberately hidden.


Self-audit and protection: five practical steps

  1. Check Base URL: Confirm whether ANTHROPIC_BASE_URL is set. Official endpoints do not trigger Event B. Upgrade Claude Code to 2.1.197+.

  2. Check Native Messaging (Event A): On macOS inspect ~/Library/Application Support/<browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json and remove if needed; Claude Desktop may recreate it.

  3. Check time zone plus proxy combinations: Reports suggest VPN plus China time zone plus a third-party API gateway increased fingerprint matches; document routing policy explicitly in production.

  4. Enterprise / sensitive environments: Decide whether Desktop Agents belong in production paths at all. Minimum privilege, explicit consent, and audit trails are baseline. See our OpenClaw graphical authorization and isolation approach for a related pattern.

  5. Isolation acceptance: Run Claude Code on a rented remote Mac with VNC as a separate node. Use the graphical session to verify macOS Privacy & Security settings, browser Native Messaging directories, and Keychain prompts—without contaminating your primary dev machine. End the project and stop renting or swap nodes.

macOS: list Native Messaging manifests per browser
for app in "Google/Chrome" "Microsoft Edge" "BraveSoftware/Brave-Browser" "Arc/User Data"; do
  f="$HOME/Library/Application Support/$app/NativeMessagingHosts/com.anthropic.claude_browser_extension.json"
  [ -f "$f" ] && echo "FOUND: $f"
done
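The shell loop above only reports whether a manifest exists. The script below, an added example that is not Anthropic's code and not part of the original article, goes one step further for steps 1 and 2 of the checklist: it parses each manifest it finds and reports the host binary it points to, whether that binary is present, the transport type, and the extension IDs listed in allowed_origins, and it evaluates ANTHROPIC_BASE_URL and the Claude Code version against the Event B trigger. The browser directories are the four from the loop above; the manifest field names (name, path, type, allowed_origins) are the standard Chrome Native Messaging host manifest format; the manifest that demo_audit() writes into a throwaway directory is constructed here, and its extension IDs are placeholders, not the real pre-authorized IDs.

```python
"""Local self-audit for checklist steps 1 and 2: the Claude Code ANTHROPIC_BASE_URL
trigger (Event B) and Claude Desktop's Native Messaging manifests (Event A).

Added example; not Anthropic's code. Browser directories are the ones listed in
the article. The manifest built by demo_audit() is constructed here and its
extension IDs are placeholders, not the real pre-authorized IDs.
"""
import json
import os
import tempfile
from pathlib import Path
from typing import Optional
from urllib.parse import urlsplit

OFFICIAL_HOST = "api.anthropic.com"
FIXED_VERSION = (2, 1, 197)  # version in which the article says the logic was removed
MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"
BROWSER_DIRS = ["Google/Chrome", "Microsoft Edge", "BraveSoftware/Brave-Browser", "Arc/User Data"]


def base_url_triggers_event_b(base_url: Optional[str]) -> bool:
    """True when the value would have routed Claude Code through a non-official endpoint.

    Expects a full URL with scheme, as the environment variable normally holds;
    hostname comparison ignores case, port and path.
    """
    if not base_url or not base_url.strip():
        return False
    return urlsplit(base_url.strip()).hostname != OFFICIAL_HOST


def version_tuple(version: str) -> tuple:
    """Turn '2.1.197' into (2, 1, 197) for ordering."""
    return tuple(int(part) for part in version.strip().split(".")[:3])


def claude_code_is_fixed(version: str) -> bool:
    """True when the installed Claude Code is at or past the version with the fix."""
    return version_tuple(version) >= FIXED_VERSION


def manifest_paths(home: Path) -> list:
    """Candidate manifest locations for the browsers named in the article."""
    base = home / "Library" / "Application Support"
    return [base / d / "NativeMessagingHosts" / MANIFEST_NAME for d in BROWSER_DIRS]


def audit_manifest(path: Path) -> dict:
    """Summarize one Native Messaging host manifest."""
    data = json.loads(path.read_text())
    extension_ids = []
    for origin in data.get("allowed_origins", []):
        # Chrome lists pre-authorized extensions as chrome-extension://<id>/
        if origin.startswith("chrome-extension://"):
            extension_ids.append(origin[len("chrome-extension://"):].rstrip("/"))
    host = data.get("path", "")
    return {
        "manifest": str(path),
        "host_binary": host,
        "host_present": bool(host) and Path(host).exists(),
        "transport": data.get("type"),
        "extension_ids": extension_ids,
    }


def audit_home(home: Path) -> list:
    """Audit every manifest present under the given home directory."""
    return [audit_manifest(p) for p in manifest_paths(home) if p.is_file()]


def demo_audit() -> list:
    """Write a constructed manifest into a throwaway fake home and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        target = manifest_paths(home)[0]
        target.parent.mkdir(parents=True)
        target.write_text(json.dumps({
            "name": "com.anthropic.claude_browser_extension",
            "description": "constructed sample, not a real manifest",
            "path": str(home / "claude-native-host-placeholder"),  # does not exist
            "type": "stdio",
            "allowed_origins": [
                "chrome-extension://PLACEHOLDER_EXTENSION_ID_1/",
                "chrome-extension://PLACEHOLDER_EXTENSION_ID_2/",
            ],
        }))
        return audit_home(home)


if __name__ == "__main__":
    print("ANTHROPIC_BASE_URL triggers Event B:",
          base_url_triggers_event_b(os.environ.get("ANTHROPIC_BASE_URL")))
    for record in audit_home(Path.home()):
        print(json.dumps(record, indent=2))
```

Run it on the machine under review to list any manifests in your real home directory; pass the output of claude --version to claude_code_is_fixed to confirm the upgrade. A host_present value of False with a manifest still in place is worth noting in an audit trail, since the article reports that Claude Desktop may recreate the file after a restart.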

When AI vendors cross the line: how to respond

The warning is not about one apostrophe. When model capability races ahead of security boundaries, consent, and audit, vendors often cross trust lines in the name of “experience” or “abuse prevention.” The same security gaps from early PCs and smartphones are replaying on desktop AI Agents.

  1. Default to skepticism, demand evidence: Reproducible, auditable, and disable-able behavior earns trust.

  2. Ask for disclosure, not hiding: Anti-distillation can be done openly—with published policy and a toggle—not inside punctuation.

  3. Minimum privilege plus boundary isolation: Treat every desktop Agent as high-privilege software.

  4. Vote with your feet and regulation: GDPR, local privacy law, and market choice are the long-term brakes on “technology without limits.”

Technology can be neutral; companies cannot be. Greater capability demands greater self-restraint—and that should not be a secret users only discover by reversing binaries.

Sources

The Register (Claude Desktop permissions, April 2026); Malwarebytes / gHacks / YOOTA; thereallo.dev (original reverse engineering); Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix coverage); Antiy Labs risk analysis.

FAQ

Frequently asked questions

Not in the classic spyware sense, but according to reverse-engineering reports it once embedded undisclosed, obfuscated fingerprints in system prompts; Anthropic removed them in 2.1.197. A more accurate label is an undisclosed covert channel.

Event B only triggers in Claude Code when a non-official ANTHROPIC_BASE_URL is set. Users on the official endpoint are not affected by this logic.

According to the report, it checks for Asia/Shanghai or Asia/Urumqi only when a non-default Base URL is set, and encodes that via the date separator; the official endpoint does not alter the date line.

The apostrophe in Today's switches among U+0027, U+2019, U+02BC, and U+02B9 to encode matches for China-related domains, AI lab keywords, or both.

The mainstream reading is anti-distillation and unauthorized API resale detection—a legitimate goal implemented through an undisclosed covert mechanism.

No. April’s Hanff report covered Desktop silently writing browser Native Messaging manifests (Event A). June’s thereallo.dev disclosure covered Code prompt steganography (Event B).

Under ~/Library/Application Support/<browser>/NativeMessagingHosts/, delete com.anthropic.claude_browser_extension.json. Restarting Claude Desktop may recreate it—adjust version settings or stop using Desktop if needed.

Teams with sensitive code or auditable permission requirements benefit from renting a dedicated remote Mac with VNC to inspect Native Messaging, TCC authorization, and project directories in a graphical session, then stopping the lease when done—reducing risk that a Desktop Agent rewrites a primary machine.

Conclusion

The Claude steganography controversy shows that when AI Agents can modify browsers and rewrite system prompts, the hidden risks on a primary development machine—permission residue, unauditable channels, obfuscated telemetry—are badly underestimated. Claude Code runs on Windows and Linux, but Claude Desktop Native Messaging and macOS permission dialogs still need a real macOS graphical session to fully validate.

Rent a VNCMac remote Mac to install Claude Code on an isolated node, use VNC to walk through browser manifests and Privacy settings item by item, and stop renting when the project ends—far more controllable than letting high-privilege Agents run loose on your daily driver. Open Mac Mini M4 plans and the SSH-VNC connection guide to get started.