Claude Code system prompt Unicode apostrophe fingerprint and AI security audit scenario

2026 Claude Code Steganography: How Anthropic's Invisible Apostrophe Flags China-Linked Proxies

In late June 2026, according to a reverse-engineering report on thereallo.dev, developers discovered that Claude Code (not the Claude web app) uses text steganography when users point ANTHROPIC_BASE_URL at a non-official proxy — rewriting the system prompt line Today's date is... by switching date separators and nearly invisible Unicode apostrophes to smuggle bits about China timezone, matched Chinese domains, and AI-lab keywords back to the server. Anthropic removed the code in 2.1.197 (undisclosed in the changelog). It was likely an anti-distillation / anti-resale measure, but the controversy is the method: covert, obfuscated, and undisclosed — and it is often conflated with a separate Claude Desktop silent browser injection incident from April that must be kept distinct.

1. Three pain points: why developers must audit the Claude toolchain now

  1. Trust boundaries crossed silently: According to The Register and privacy consultant Alexander Hanff, Claude Desktop can write Native Messaging manifests into multiple browsers without user knowledge, pre-authorizing high-privilege out-of-sandbox channels. Independent consultant Noah Kenney (Digital 520) confirmed the technical claims are reproducible; Antiy Labs also published a dedicated risk analysis.
  2. Covert classification signals embedded in every request: Per the reverse-engineering report, steganography logic existed in Claude Code versions 2.1.193, 2.1.195, and 2.1.196; the domain list contains roughly 147 rules, lightly obfuscated with base64 + XOR(91), with keywords including deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, and others.
  3. Disclosure lagged community discovery: Anthropic acknowledged the code existed and shipped 2.1.197 on July 1 to remove it, but the changelog said nothing; the Hacker News thread hit the front page within hours at 350+ points and 100+ comments, splitting the community between "legitimate anti-distillation defense" and "borderline malicious for a developer tool."

2. Don't conflate them: Event A vs Event B comparison table

English-language technical readers (HN, Reddit, security circles) care about factual precision. The table below separates two independent but related incidents — merging them damages E-E-A-T and SEO credibility.

| Dimension | Event A: Silent browser injection | Event B: System prompt steganography |
|---|---|---|
| Product involved | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Disclosure source | Alexander Hanff (privacy consultant, The Register contributor) | Developer reverse-engineered the binary; published on thereallo.dev; amplified via Reddit → HN |
| Timing | April 2026 (from ~4/18 onward) | June 30, 2026 |
| Core behavior | Silently writes com.anthropic.claude_browser_extension.json into Chrome/Edge/Brave/Arc/Vivaldi/Opera/Chromium, pre-authorizing 3 extension IDs to call the out-of-sandbox chrome-native-host; creates directories even when the browser is not installed; files reappear after deletion on restart | When ANTHROPIC_BASE_URL ≠ api.anthropic.com, rewrites the system prompt line "Today's date is..." using steganography |
| Labels applied | spyware / backdoor | prompt steganography / covert channel |
| Trigger condition | Installing or launching Claude Desktop | Only when a non-official Base URL (proxy) is configured; not every conversation necessarily triggers |
| Anthropic response | No formal public response; later versions added a consent toggle, but the underlying permission model was not fully removed | Acknowledged the code existed; shipped 2.1.197 on 7/1 to remove it; changelog did not mention it |

3. Timeline and key version numbers

| Date | Milestone |
|---|---|
| 2026-04 | Alexander Hanff discloses Claude Desktop Native Messaging silent injection in The Register; Malwarebytes, gHacks, YOOTA, and others follow up |
| 2026-06-30 | thereallo.dev publishes the Claude Code prompt steganography reverse-engineering report; HN thread rapidly hits the front page |
| (versions 2.1.193–2.1.196) | Reverse engineers verified the steganography logic in all three versions |
| 2026-07-01 | Anthropic releases Claude Code 2.1.197 removing the related code (not publicly documented in the changelog) |

4. How the steganography works: Unicode mapping table in plain English

Key precondition (per the reverse-engineering report): this triggers only when you point ANTHROPIC_BASE_URL at a non-official address — a proxy, gateway, third-party reseller, or OpenAI-compatible layer. The official api.anthropic.com endpoint is untouched.

Once triggered, the program does two things, both hidden inside the innocuous system prompt sentence Today's date is ...:

  1. Change the date separator: If the system timezone is Asia/Shanghai or Asia/Urumqi, 2026-06-30 becomes 2026/06/30.
  2. Swap the apostrophe: Replace the apostrophe in Today's with a visually identical but Unicode-distinct character, encoding what matched:
| Detected condition | Date format | Apostrophe character | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' (standard ASCII apostrophe) | U+0027 |
| China institution/reseller domain matched | 2026-06-30 | ’ (right single quotation mark) | U+2019 |
| China AI lab keyword matched | 2026-06-30 | ʼ (modifier letter apostrophe) | U+02BC |
| Both domain and lab matched | 2026-06-30 | ʹ (modifier letter prime) | U+02B9 |
| Plus China timezone | 2026/06/30 | (apostrophe rules as above) | |

In plain terms: your request looks like an ordinary English prompt, but the backend can scan the date separator and the apostrophe's Unicode code point to silently label you — "this user routes through an overseas VPN but sits in a China timezone, and may be tied to a specific Chinese AI lab." That is a textbook covert channel. The domain and keyword list is obfuscated with base64 + XOR(91), roughly 147 rules in total.
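The decoder below is an added example, not code from the reverse-engineering report or from Claude Code: it reads the "Today's date is ..." line the way a proxy operator or client-side audit hook would, recovering the date separator and the apostrophe code point and mapping them to the labels in the table above. The function names (decode_date_fingerprint, scan_prompts) and the sample prompts are my own constructions.

```python
import re
import unicodedata

# Apostrophe code points that, per the report, Claude Code 2.1.193-2.1.196
# substituted into "Today's", and the classification each one encodes.
APOSTROPHE_LABELS = {
    "\u0027": "default (no match)",
    "\u2019": "China institution/reseller domain matched",
    "\u02bc": "China AI lab keyword matched",
    "\u02b9": "both domain and lab matched",
}

# The apostrophe slot accepts any of the four characters; the date accepts
# either separator, and the backreference rejects a mixed "2026-06/30".
DATE_LINE = re.compile(
    r"Today(?P<apos>[\u0027\u2019\u02bc\u02b9])s date is "
    r"(?P<date>\d{4}(?P<sep>[-/])\d{2}(?P=sep)\d{2})"
)

def decode_date_fingerprint(prompt):
    """Return the signal encoded in a "Today's date is ..." line, or None if absent."""
    m = DATE_LINE.search(prompt)
    if m is None:
        return None
    apos, sep = m.group("apos"), m.group("sep")
    return {
        "apostrophe": f"U+{ord(apos):04X}",
        "apostrophe_name": unicodedata.name(apos),
        "label": APOSTROPHE_LABELS[apos],
        "china_timezone": sep == "/",          # Asia/Shanghai or Asia/Urumqi
        "fingerprinted": apos != "\u0027" or sep == "/",
    }

def scan_prompts(prompts):
    """Return (index, label, china_timezone) for every prompt carrying a non-default signal."""
    hits = []
    for i, p in enumerate(prompts):
        r = decode_date_fingerprint(p)
        if r and r["fingerprinted"]:
            hits.append((i, r["label"], r["china_timezone"]))
    return hits

# Constructed sample system prompts, not captured from a real session
SAMPLES = [
    "You are Claude Code.\nToday's date is 2026-06-30.",
    "You are Claude Code.\nToday\u2019s date is 2026-06-30.",
    "You are Claude Code.\nToday\u02bcs date is 2026/06/30.",
    "You are Claude Code.\nToday\u02b9s date is 2026/06/30.",
]
```

Running scan_prompts(SAMPLES) flags prompts 1 to 3 and leaves the ASCII-apostrophe, dash-separated prompt 0 alone.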

5. Why Anthropic did this: anti-distillation and the HN split

The prevailing community view (and a restrained one): the goal was anti-distillation plus unauthorized resale detection. Anthropic, OpenAI, and Google have all publicly warned that competitors may pull massive API outputs to train smaller models. China-linked proxies, resellers, and labs were prime suspects, so this "labeling" logic was added.

The goal is understandable; the method is the problem: embedding classification signals invisibly, with obfuscated code, inside every request crosses a trust line for a developer tool that lives on trust. On HN, two camps fought hard:

  • Defense camp: "This is legitimate anti-distillation defense; API abuse must be stopped with technical means."
  • Critic camp: "For a developer tool this is borderline malicious — undisclosed, non-disableable, hidden in punctuation."

The mainstream read: Anthropic aimed to detect unauthorized resale and model distillation, not to surveil individuals; the dispute is over means (covert, obfuscated, undisclosed), not purpose. Throughout this article we use "according to reports / reverse-engineering / alleged" language and do not treat intent as proven fact.

6. Is it spyware? Precise labels from each camp

"Spyware" is an emotionally loaded label. More precise framing:

  • Event A is closer to "unauthorized modification of third-party software plus a dormant attack surface" — even if not actively exploited today, it pre-wires a high-privilege out-of-browser channel. Combined with Anthropic's own disclosed Claude for Chrome prompt-injection success rates (23.6% without mitigations, 11.2% with mitigations), the risk is real.
  • Event B is closer to "undisclosed covert telemetry / user classification" — not traditional malware that steals files or keystrokes, but a textbook covert channel.

Whether or not you use the word spyware, the core issue is the same: without user knowledge, consent, and transparency — and deliberately hidden.

7. Decision matrix: risk levels and scenarios

| User scenario | Event A risk | Event B risk | Recommended action |
|---|---|---|---|
| Official api.anthropic.com only | Medium (Desktop may still inject) | None | Audit Desktop Native Messaging; upgrade Code normally |
| Third-party proxy/gateway | Medium | High (2.1.196 and below) | Upgrade to 2.1.197+ immediately; assess proxy compliance |
| China timezone + proxy | Medium | High (date separator + apostrophe dual signal) | Assume historical requests were classified; migrate to an auditable environment |
| Enterprise CI/CD with Claude Code | High | High | Isolate nodes, least privilege, ban Desktop Agent on the same runners |

8. Five-step self-audit and protection checklist

  1. Check ANTHROPIC_BASE_URL: Run echo $ANTHROPIC_BASE_URL in your terminal. If empty or pointing to api.anthropic.com, Event B does not trigger; if it points to a proxy, you are in the high-risk classification group.
  2. Upgrade Claude Code to 2.1.197+: Anthropic released this version on July 1, 2026 to remove steganography code. Run claude --version to confirm.
  3. Scan Native Messaging manifests (Event A): On macOS, run:
    find ~/Library/Application\ Support -name "com.anthropic.claude_browser_extension.json" 2>/dev/null
    Common paths: ~/Library/Application Support/Google/Chrome/NativeMessagingHosts/ and equivalent directories for other Chromium browsers. Note that Claude Desktop may recreate files after deletion on restart.
  4. Verify timezone and proxy domain: Run systemsetup -gettimezone (macOS) to check for Asia/Shanghai or Asia/Urumqi; compare your proxy domain against the ~147 rules in the reverse-engineering report.
  5. Isolate in enterprise/sensitive environments: Run Claude Code on dedicated nodes separated from build secrets and production repos; forbid Desktop Agent sharing the same user context as CI runners; require explicit consent and auditable logs.
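Steps 1 to 4 of the checklist as a small audit script, added here as an example and not taken from Anthropic or the cited reports. The function names are my own; the timezone is passed in as a string (on macOS obtain it with systemsetup -gettimezone as in step 4), and base_url_risk goes slightly beyond the checklist by matching the hostname exactly, so a look-alike host such as api.anthropic.com.example is still classed as a proxy.

```python
import re
import tempfile
from pathlib import Path
from urllib.parse import urlparse

OFFICIAL_HOST = "api.anthropic.com"
FIXED_VERSION = (2, 1, 197)                      # first release without the code
FLAGGED_TIMEZONES = {"Asia/Shanghai", "Asia/Urumqi"}
MANIFEST = "com.anthropic.claude_browser_extension.json"

def base_url_risk(url):
    """Step 1: empty or official ANTHROPIC_BASE_URL never triggers Event B; anything else does."""
    if not url:
        return "official"
    # accept a bare host too; compare the hostname exactly, not as a substring
    host = (urlparse(url if "//" in url else "https://" + url).hostname or "").lower()
    return "official" if host == OFFICIAL_HOST else "proxy"

def version_has_fix(version_output):
    """Step 2: parse `claude --version` output and compare numerically with 2.1.197."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version_output or "")
    return m is not None and tuple(int(x) for x in m.groups()) >= FIXED_VERSION

def find_manifests(root):
    """Step 3: locate the Native Messaging manifest anywhere under an Application Support dir."""
    return sorted(str(p) for p in Path(root).rglob(MANIFEST)) if Path(root).is_dir() else []

def timezone_flagged(tz):  # Step 4: the two zones that flip the date separator to "/"
    return tz in FLAGGED_TIMEZONES

def audit(url, version_output, app_support_root, tz):
    """Combine steps 1-4 into a list of findings; an empty list means nothing to fix."""
    findings = []
    if base_url_risk(url) == "proxy":
        findings.append("ANTHROPIC_BASE_URL is a proxy: Event B high-risk group")
    if not version_has_fix(version_output):
        findings.append("Claude Code older than 2.1.197 (or not installed): upgrade")
    findings += [f"Native Messaging manifest present: {p}" for p in find_manifests(app_support_root)]
    if timezone_flagged(tz):
        findings.append(f"timezone {tz} would switch the date separator")
    return findings

def build_sample_tree():
    """Constructed fixture: a fake Application Support tree holding one manifest."""
    root = Path(tempfile.mkdtemp())
    host_dir = root / "Google/Chrome/NativeMessagingHosts"
    host_dir.mkdir(parents=True)
    (host_dir / MANIFEST).write_text("{}")
    return root
```

For a live check call audit with the value of ANTHROPIC_BASE_URL, the output of claude --version, ~/Library/Application Support and the timezone string.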

9. When AI vendors overreach: how to respond

The real warning is not "one apostrophe" — it is that as model capability races ahead while security boundaries, consent, and audit lag, vendors can easily cross trust lines between users and other software makers in the name of "experience" or "abuse prevention." History repeats: the security pitfalls of PCs and smartphones are replaying on desktop AI agents.

Practical responses for users and practitioners:

  1. Default to skepticism; demand evidence: Reproducible, auditable, and disableable behavior earns trust.
  2. Demand disclosure, not hiding: Vendors can do anti-distillation openly — explain it, offer a toggle — instead of hiding signals in punctuation.
  3. Least privilege plus boundary isolation: Treat every desktop agent as a high-privilege program.
  4. Vote with your feet and enforce with policy: Regulation (GDPR, privacy law) and market choice are the ultimate constraints on "technology without limits."

Technology can be neutral; companies cannot. Greater capability demands greater self-restraint — that should not be a secret users discover by reverse-engineering a binary.

10. Frequently asked questions

Q: Is Claude Code spyware?
Not in the traditional sense, but per the reverse-engineering report it hid undisclosed, obfuscated fingerprints in the system prompt; Anthropic removed them in 2.1.197. A more accurate label is "undisclosed covert channel."

Q: Does Claude Code detect timezone?
Per the report, only when ANTHROPIC_BASE_URL is non-official — it checks Asia/Shanghai or Asia/Urumqi and changes the date separator from - to /.

Q: What exactly is the apostrophe Unicode trick?
The apostrophe in Today's switches among U+0027, U+2019, U+02BC, and U+02B9, encoding domain match, lab keyword match, both, or default.

Q: Why did Anthropic add this?
The prevailing view is model-distillation and unauthorized API-resale detection — a legitimate goal implemented through concealed means.

Q: Is this the same as the Claude Desktop spyware incident?
No. Desktop silent injection is the independent Event A from April 2026; Code steganography is Event B from June 30.

Q: Are regular Claude web users affected?
Event B triggers only in Claude Code with a non-official Base URL; official-endpoint users are unaffected.

Q: How do I remove Desktop-injected browser files?
Delete com.anthropic.claude_browser_extension.json from NativeMessagingHosts directories; Desktop restart may recreate them.

Q: Should I still trust Anthropic?
That depends on your risk tolerance and compliance requirements. Base decisions on reproducible evidence, not brand loyalty; enterprises should audit independently.

11. Sources and compliance note

  • The Register: Claude Desktop changes software permissions without consent (2026-04)
  • Malwarebytes / gHacks / YOOTA: Claude Desktop native messaging coverage
  • thereallo.dev: Claude Code prompt steganography (original reverse engineering)
  • Tech Startups / TMC Insight / Developers Digest / TechTimes: Event B coverage and Anthropic 2.1.197 fix
  • Antiy Labs: Claude Desktop high-privilege browser channel risk analysis
  • Hacker News discussion thread (350+ points, around 2026-06-30)

This article is compiled from public reporting and reverse-engineering reports; motive (anti-distillation) and method (steganography) are evaluated separately. Statements about Anthropic's intent are labeled "per community analysis / reverse-engineering reports" and do not constitute legal conclusions. Last updated: 2026-07-03.

12. Remote Mac and SFTPMAC decision bridge

The permission problems with Claude Code and Claude Desktop boil down to one question: where does a high-privilege agent run, and what data shares its user context? Running Claude Code on a laptop or a machine that also hosts CI means build keys, SSH keys, and production repos sit under the same user — and if Native Messaging injection or covert classification hits, the blast radius is uncontrollable.

A safer path: isolate Claude Code and related agent workflows on a dedicated always-on macOS node, physically separated from daily browsing, browser profiles, and the Desktop client; sync workspaces and config snapshots via SFTP/rsync for rollback and audit. This aligns with the "24/7 remote Mac agent node" guidance in our AI coding assistant comparison and Claude Fable 5 export-control alternatives guides.

If you are evaluating Claude toolchain trust boundaries, the next step is usually: decouple the agent from sensitive assets onto an isolatable, auditable Apple Silicon remote node. SFTPMAC remote Mac rental provides always-on environments for Claude Code / OpenClaw: native launchd supervision, SSH/SFTP directory isolation, and an ops baseline that connects to CI/CD artifact sync — better suited than a home Mac doubling as agent plus daily browser for teams that need least privilege and compliance trails.