Claude Code terminal version check and steganography fingerprint security audit scenario

Claude Code Backdoor Explained: Steganography, Affected Versions, and What Developers Should Do Now

Bottom line first: if you run Claude Code between v2.1.91 and v2.1.196 and route API traffic through a non-official proxy via ANTHROPIC_BASE_URL, you were silently fingerprinted through system-prompt steganography — and China's regulator now calls that a serious backdoor risk. Run claude --version right now before you read another paragraph.

TL;DR

  • Affected versions: Claude Code v2.1.91 (April 2, 2026) through v2.1.196 (June 29, 2026) shipped undisclosed fingerprinting code; Anthropic removed it in v2.1.197+ without documenting the change in release notes.
  • Trigger condition: the logic activated only when ANTHROPIC_BASE_URL pointed to a non-official proxy or gateway — not for users on the official api.anthropic.com endpoint.
  • Technique: steganography inside the system prompt — date separator swaps and visually identical Unicode apostrophe variants encoded timezone and proxy signals on every request.
  • Regulatory response: on July 8, 2026, China's MIIT NVDB platform classified the behavior as a security backdoor risk posing a severe threat; Alibaba's internal ban took effect July 10.
  • Immediate action: run claude --version, check echo $ANTHROPIC_BASE_URL, upgrade to v2.1.197 or later, and audit outbound traffic if you operate in a regulated or enterprise environment.

What is Claude Code?

Claude Code is Anthropic's terminal-based AI coding agent — a CLI tool that reads your repository, runs shell commands, edits files, and talks to Claude models over the API. It sits alongside Cursor and GitHub Copilot in the 2026 agentic developer toolchain, but unlike a browser chat window it runs with local filesystem and shell privileges on your machine.

What happened

On June 30, 2026, Reddit user LegitMichel777 exposed covert detection logic in Claude Code; Thereallo and Adnane Khan published independent reverse-engineering confirming v2.1.193–2.1.196. Hacker News amplified it the same day.

On July 1, Claude Code engineer Thariq Shihipar admitted the code on X. Anthropic shipped v2.1.197 July 1–2 to remove it — with no changelog mention across any affected release.

Reuters and TechCrunch reported Alibaba would ban Claude Code and Anthropic models from July 10, steering staff to internal tool Qoder. On July 8, China's MIIT NVDB advisory classified versions 2.1.91–2.1.196 as a security backdoor risk posing a severe threat for transmitting location and identity-related identifiers without consent.

The hidden logic entered the release train with v2.1.91 on April 2 and persisted through roughly twenty silent version bumps until community RE forced rollback.

How the fingerprinting actually worked

Once ANTHROPIC_BASE_URL pointed away from the official endpoint, Claude Code encoded environment signals into the system prompt — not a separate telemetry channel.

Step 1: Environment reconnaissance

The code checked two signal classes:

  1. System timezone — whether the machine reported Asia/Shanghai or Asia/Urumqi.
  2. Proxy hostname matching — comparing the hostname in ANTHROPIC_BASE_URL against an embedded list of roughly 147 entries covering Chinese tech company domains, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, 01.AI, and others), and known API resale gateways.

The list was obfuscated with Base64 encoding plus XOR(91), deliberately defeating casual strings extraction from the binary.

Step 2: Steganographic encoding in the system prompt

Rather than opening a new data channel, the tool altered a line every Claude Code user already sends — the innocuous Today's date is ... sentence in the system prompt:

  • Date separator bit: China timezone hits rewrote 2026-06-30 to 2026/06/30 (hyphen to slash).
  • Apostrophe variants: the apostrophe in Today's switched among four Unicode code points that look identical in most fonts but encode three boolean flags — domain match, AI-lab keyword match, both, or neither.
Detected condition Date format Apostrophe Unicode
Default (no match) 2026-06-30 ' ASCII apostrophe U+0027
China institution/reseller domain matched 2026-06-30 ' right single quotation mark U+2019
China AI lab keyword matched 2026-06-30 ʼ modifier letter apostrophe U+02BC
Both domain and lab matched 2026-06-30 ʹ modifier letter prime U+02B9
Plus China timezone 2026/06/30 (apostrophe rules as above)

Adnane Khan called it "a covert information channel embedded in system prompts" — fingerprinting clients while the text looked normal to humans.

Step 3: What the binary actually checks (simplified pseudocode)

// Pseudocode reconstructed from independent RE reports — not verbatim source
if (process.env.ANTHROPIC_BASE_URL !== "https://api.anthropic.com") {
  const tz = getSystemTimezone();
  const host = parseHostname(process.env.ANTHROPIC_BASE_URL);
  const list = decodeXor91Base64(EMBEDDED_BLACKLIST); // ~147 entries

  const chinaTz = tz === "Asia/Shanghai" || tz === "Asia/Urumqi";
  const domainHit = list.matches(host);
  const labHit = list.matchesKeywords(host);

  systemPrompt.dateLine = encodeSteganography({
    separator: chinaTz ? "/" : "-",
    apostrophe: pickApostrophe(domainHit, labHit)
  });
}

Who is actually affected

Both conditions must be true: you ran v2.1.91–2.1.196 and set ANTHROPIC_BASE_URL to a non-official proxy, gateway, or resale endpoint.

Direct connections to api.anthropic.com — the majority of individual Claude Pro and official API users — did not trigger this path. Accuracy matters: headlines claiming "every Claude Code user was monitored" are wrong.

That does not minimize the trust breach. Undisclosed steganography in a shell-executing CLI is a governance problem whether one user or ten thousand triggered it. Documented impact centers on account-level enforcement against resellers and distillation pipelines, not confirmed local file exfiltration.

What Anthropic said

Thariq Shihipar, a Claude Code team engineer, posted on X on July 1, 2026:

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."

Anthropic frames it as an experiment, not a backdoor, citing unauthorized resellers and distillation — including Senate Banking Committee allegations that Alibaba's Qwen team used ~25,000 fraudulent accounts for 28.8M interactions. HN split between "legitimate defense, bad implementation" and "covert steganography in a privileged CLI is unacceptable."

Enterprise fallout: Alibaba ban and Qoder

Reuters, TechCrunch, and Ars Technica cited internal Alibaba notices classifying Claude Code as high-risk software with security vulnerabilities. From July 10, 2026, employees were barred from Claude Code and Anthropic model products (Sonnet, Opus, Fable), directed to internal platform Qoder.

Chinese firms were already shifting toward domestic stacks (Qwen, DeepSeek, Kimi, Zhipu, MiniMax). This incident gave IT teams a documentable trigger to accelerate bans that were already under discussion — a reminder that undisclosed client behavior can outpace vendor patch cycles.

Three pain points for developers

  1. Undisclosed behavior in a high-privilege tool. Claude Code reads repositories, executes shell commands, and modifies files. Users reasonably expect transparency about what leaves the machine. Hidden prompt mutation violates that expectation regardless of motive.
  2. Changelog silence across months of releases. The mechanism shipped with v2.1.91 on April 2 and survived roughly twenty version iterations through v2.1.196. Not one release note mentioned fingerprinting, steganography, or proxy detection — forcing trust restoration through Reddit threads instead of vendor documentation.
  3. Policy whiplash for proxy-dependent workflows. Teams routing Claude through corporate gateways or regional relays — often for cost, compliance, or latency reasons — discovered they were the explicit target class. Upgrading to v2.1.197 removes the code, but it does not answer whether historical requests were flagged or whether account sanctions may follow.

Version table and check commands

Milestone Version Date Status
First build containing hidden logic v2.1.91 2026-04-02 Affected
Last verified affected build v2.1.196 2026-06-29 Affected
Rollback release (primary reporting) v2.1.197 2026-07-01/02 Fixed
Alternate reporting reference v2.1.198 2026-07-02 Fixed (some CN outlets)

Run these commands on every developer machine in scope:

# 1. Check installed version
claude --version

# 2. Check whether a non-official API endpoint is configured
echo $ANTHROPIC_BASE_URL

# 3. Upgrade via npm
npm install -g @anthropic-ai/claude-code@latest

# 4. Or use the built-in updater
claude update

# 5. Confirm npm global package version
npm list -g @anthropic-ai/claude-code

Full uninstall paths if policy requires removal, not just upgrade:

  • macOS / Linux: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code
  • Windows: %USERPROFILE%\.claude, %USERPROFILE%\.claude.json, and related cache directories

Versus normal telemetry

Claude Code does collect conventional diagnostics (Datadog, OpenTelemetry, event logs) — controversial, but disclosed in broad terms and visible on the wire. This incident differs on four counts:

  1. Steganography in system prompts, not a normal telemetry channel.
  2. Zero changelog disclosure for nearly three months.
  3. Targeted competitor/geography fingerprinting, not aggregate metrics.
  4. High local privilege — the same binary executes shell commands on your machine.

Calling it "just telemetry" misses why regulators labeled it a backdoor-class issue. Method and disclosure are the dispute, not data collection itself.

AI distillation war background

The fingerprinting sits inside a broader US–China fight over model distillation — training on another vendor's outputs without authorization. Anthropic blocks China-region access, yet users bypass via VPNs and proxies. February 2026 PKU/CAS research flagged distillation traces in Chinese LLMs; Anthropic has accused DeepSeek, Moonshot, MiniMax, and Alibaba of harvesting Claude outputs.

That explains why proxy detection existed. It does not justify how — especially after Opus 4.8 was reported to sometimes self-identify as Qwen or DeepSeek in testing, fueling double-standard critiques.

Media wording comparison

Source Key framing Narrative emphasis
MIIT / NVDB Security backdoor risk; severe threat Unauthorized exfiltration of location and identity signals; compliance action
CNBC / Reuters / CBS Security backdoor; built-in monitoring mechanism Neutral regulatory relay plus enterprise chain reaction
The Register Covert code; secret steganography system Technical accountability; undisclosed updates
Ars Technica Spyware-like tracking; secret Claude tracker Trust crisis versus Anthropic's public privacy posture
Cybernews "A nothing burger" (minority technical view) Overreaction; legitimate anti-distillation engineering
Anthropic (Shihipar) Experiment; anti-abuse / anti-distillation measure Defensive intent; planned rollback

Decision matrix

Scenario Exposure level Recommended action
Individual developer on official API Low (this mechanism did not trigger) Upgrade to v2.1.197+ for hygiene; monitor vendor trust policies
Developer using third-party proxy/reseller High on v2.1.91–2.1.196 Upgrade immediately; assume historical requests were fingerprinted; review account standing
Enterprise IT / regulated industry High if proxies deployed org-wide Inventory all dev machines; enforce upgrade or ban; egress audit; document NVDB advisory for compliance
Official API user, post-2.1.197 Minimal from this specific issue Standard patch cadence; evaluate whether AI coding agents belong on machines with production secrets

What you should do now

  1. Check your version. Run claude --version. Anything from v2.1.91 through v2.1.196 requires action today.
  2. Inspect your base URL. Run echo $ANTHROPIC_BASE_URL and check shell profiles (.zshrc, .bashrc), CI secrets, and team dotfiles. Empty or official-only values mean this specific fingerprint path did not run.
  3. Upgrade immediately. Execute npm install -g @anthropic-ai/claude-code@latest or claude update, then re-run claude --version to confirm v2.1.197 or newer.
  4. Uninstall if your policy demands it. Remove the global package and delete residual directories listed above. Upgrade alone satisfies most individual developers; regulated enterprises may require full removal plus evidence collection.
  5. Audit outbound traffic. Scan developer workstation and CI egress for connections to non-approved AI API endpoints. Uninstalling the CLI is not sufficient if proxy credentials remain in other tools.

Enterprise IT checklist

  • Inventory all Claude Code installs; enforce v2.1.197+ or block the package.
  • Search laptops, CI, and dotfiles for ANTHROPIC_BASE_URL overrides.
  • Enable egress filtering; allowlist approved AI API endpoints only.
  • File an incident ticket referencing the July 8 NVDB advisory where applicable.
  • Evaluate alternatives (Qoder, Cursor, Copilot, self-hosted models) with explicit logging policies.
  • Run AI agents on isolated nodes — never alongside signing keys or production credentials.

Frequently asked questions

Does Claude Code have a backdoor?
In v2.1.91–2.1.196, Anthropic shipped undisclosed code that fingerprinted proxy users via steganography. China's NVDB classified it as a backdoor risk; Anthropic called it an anti-distillation experiment and removed it in v2.1.197.

Which versions are affected?
v2.1.91 (Apr 2, 2026) through v2.1.196 (Jun 29, 2026).

Am I affected if I use the official Anthropic API?
No. The mechanism only activated when ANTHROPIC_BASE_URL pointed to a non-official proxy or gateway.

How do I check my version?
Run claude --version in your terminal.

Should I uninstall Claude Code?
Upgrade immediately if on an affected version; enterprises with compliance requirements may additionally choose to uninstall and audit outbound traffic.

What steganography technique did it use?
It altered the system prompt's date separator and swapped in visually identical Unicode apostrophe variants to encode timezone and proxy signals.

Why did Alibaba ban Claude Code?
Alibaba classified it as high-risk software after the backdoor reports and directed staff to its internal tool, Qoder.

Did Anthropic disclose this in release notes?
No changelog for any affected version mentioned the mechanism.

Is Claude Code safe now?
Anthropic removed the code in v2.1.197+; ongoing trust depends on your organization's risk tolerance and compliance policy.

What is model distillation and why does it matter here?
Distillation is training a model on another model's outputs. Anthropic said the mechanism targeted unauthorized resellers and distillation pipelines, part of a broader dispute with Chinese AI labs including Alibaba's Qwen team.

Bottom line

The story is real, bounded, and patched — but trust damage is not. Official-API users on v2.1.197+ were never in the steganography path. Cybernews and part of the technical community call the outrage "a nothing burger" — a clumsy anti-distillation tactic overblown once regulators joined. No public report documents mass data exfiltration from this mechanism alone.

Professional developers face a harder question: undisclosed prompt steganography and three months of silent shipping in a shell-executing CLI is not normal telemetry. It is what NVDB labeled a severe backdoor risk — and what triggers Alibaba-scale bans overnight.

Run claude --version, know your ANTHROPIC_BASE_URL, upgrade if needed, then decide whether Anthropic has earned the machine access Claude Code demands.

Sources

Disclaimer

This article is based on publicly available reports from China's MIIT/NVDB, Anthropic's public statements, independent reverse-engineering research, and international media coverage. It is for informational purposes only and does not constitute legal, security audit, or compliance advice. Verify version numbers against Anthropic's official changelog before taking enforcement action. Last updated: 2026-07-09.

SFTPMAC remote Mac bridge

After a trust incident, the question is not only "which version?" but "where should this tool run?" Claude Code shares user context with SSH keys, signing certs, and production repos. A version bump fixes one binary; it does not isolate blast radius when regulators or customers ban the tool outright.

Local MacBooks lack egress audit and separation from daily browsing credentials. A cleaner path: run Claude Code on a dedicated remote Mac node — segregated Apple Silicon, SFTP/rsync workspace sync, secrets-manager credential injection, outbound traffic controls, and 7×24 availability for CI agent jobs.

See our Claude Code steganography deep dive and JADEPUFFER security guide for related isolation patterns. Post-advisory, infrastructure segregation usually matters more than a patch alone.