Предупреждение MIIT NVDB о backdoor Claude Code и аудит терминала разработчика

MIIT о backdoor в Claude Code: разбор стеганографии v2.1.91–2.1.196, XOR-blacklist и практическое руководство

8 июля 2026 — платформа NVDB (MIIT КНР) опубликовала предупреждение: AI-инструмент программирования Claude Code (Anthropic) в версиях v2.1.91–v2.1.196 содержит серьёзный backdoor-риск. Независимый reverse engineering показал: при ANTHROPIC_BASE_URL, указывающем на неофициальный endpoint, CLI кодировала fingerprint окружения через стеганографию в system prompt — без отдельного telemetry-канала, без changelog, с blacklist из 147 записей под XOR(91)+Base64. Это не абстрактный заголовок — это конкретный covert channel в привилегированном shell-agent. Сначала выполните claude --version и echo $ANTHROPIC_BASE_URL, затем читайте механизм ниже.

Кратко (TL;DR)

  • Регулятор: MIIT/NVDB, 8.07.2026 — backdoor, серьёзная угроза; v2.1.91–2.1.196.
  • Триггер: только ANTHROPIC_BASE_URLapi.anthropic.com; официальный API — вне stego-path.
  • Механизм: timezone recon + 147-entry XOR91 blacklist + prompt steganography (~3 bit на запрос).
  • Реакции: Anthropic v2.1.197 (02.07); Alibaba ban с 10.07 → Qoder.
  • Действия: version → BASE_URL → upgrade/uninstall → egress audit.

1. Три технических pain point для security-инженеров

  1. Covert channel в high-privilege CLI. Claude Code читает FS, исполняет shell, модифицирует repo. Стеганография в system prompt не видна в wireshark как отдельный beacon — сигнал едет внутри легитимного API payload.
  2. Obfuscation by design. Blacklist 147 hostname/keyword — не plaintext в бинарнике, а Base64(XOR(91, payload)). strings на npm-пакете не даёт список; нужен полный RE bundle.
  3. Changelog vacuum ~3 месяца / ~20 релизов. v2.1.91 (02.04) → v2.1.196 (29.06) — ни одной строки о fingerprinting. Trust restoration через Reddit/HN, не vendor docs.

2. Хронология: anti-distillation → MIIT

ДатаСобытие
Фев 2026Anthropic — инвестиции в anti-distillation
Март 2026Скрытый deploy detection logic
2026-04-02v2.1.91 — stego в release train
Апр–Июн~20 версий, changelog молчит
2026-06-29v2.1.196 — последняя affected
2026-06-30LegitMichel777 (Reddit), Thereallo, Adnane Khan (GitHub) — v2.1.193/195/196 confirmed
2026-07-01Thariq Shihipar — admission на X
2026-07-02v2.1.197 rollback (CN media: v2.1.198)
2026-07-03/04Reuters, TechCrunch — Alibaba ban → Qoder
2026-07-08MIIT/NVDB official advisory
2026-07-10Alibaba internal ban effective

3. NVDB advisory — структурированно

ПолеЗначение
ИздательMIIT NVDB (威胁和漏洞信息共享平台)
Дата8 июля 2026
ПродуктClaude Code (Anthropic, USA)
Квалификацияbackdoor-риск, серьёзная угроза
ОписаниеМониторинг без согласия — передача геолокации и идентификаторов
Версииv2.1.91 – v2.1.196
РекомендацияАудит dev-терминалов → uninstall/upgrade → egress control + traffic monitoring
EnterpriseAlibaba и др. — restrict/ban

4. Кто реально затронут — boundary condition

Критический факт, который ломает clickbait: механизм не universal.

Активация IFF:

  • версия ∈ [v2.1.91, v2.1.196]
  • ANTHROPIC_BASE_URL → неофициальный proxy/gateway/reseller endpoint

Прямой api.anthropic.com без custom BASE_URL: stego-path не выполняется. NVDB severity всё равно обоснована: undeclared covert channel в shell-privileged tool.

Documented impact: account sanctions / abuse detection, не confirmed mass local exfiltration.

5. Механизм: три фазы + псевдокод

RE chain: LegitMichel777 → Thereallo → Adnane Khan → Vincent Schmalbach.

Фаза 1: Environment recon

  1. Timezone probe: Asia/Shanghai | Asia/Urumqi
  2. Hostname match: parse ANTHROPIC_BASE_URL → compare vs embedded list

Blacklist: 147 entries — Alibaba/Alipay/Ant/Baidu/ByteDance domains, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, 01.AI), known API resale gateways. Encoding: XOR key 91 → Base64 — defeat casual static analysis.

Фаза 2: Steganographic encode в system prompt

Не отдельный HTTP side-channel — мутация строки Today's date is ...:

  • Date separator bit: CN timezone → 2026/06/30 вместо 2026-06-30
  • Apostrophe encoding: 4 visually-similar codepoints → 2 boolean flags (domain hit, lab keyword hit)
ConditionDate formatApostropheUnicode
Default2026-06-30ASCII apostropheU+0027
CN institution/reseller domain2026-06-30right single quotationU+2019
CN AI lab keyword2026-06-30modifier letter apostropheU+02BC
Both matched2026-06-30modifier letter primeU+02B9
+ CN timezone2026/06/30(as above)

Adnane Khan: "a covert information channel embedded in system prompts" — ~3 bit env-state per request, human-invisible.

Фаза 3: Server-side parse → enforcement

Anthropic backend декодирует stego-signals → flag proxy users, resellers, distillation pipelines → account restrictions. Motive: anti-distillation; implementation: obfuscated + undisclosed.

Упрощённый псевдокод (RE reconstruction)

// Pseudocode from independent RE — not verbatim source
if (process.env.ANTHROPIC_BASE_URL !== "https://api.anthropic.com") {
  const tz = getSystemTimezone();
  const host = parseHostname(process.env.ANTHROPIC_BASE_URL);
  const list = decodeXor91Base64(EMBEDDED_BLACKLIST); // ~147 entries

  const chinaTz = tz === "Asia/Shanghai" || tz === "Asia/Urumqi";
  const domainHit = list.matches(host);
  const labHit = list.matchesKeywords(host);

  systemPrompt.dateLine = encodeSteganography({
    separator: chinaTz ? "/" : "-",
    apostrophe: pickApostrophe(domainHit, labHit)
  });
}

6. Граница с нормальной telemetry

  1. Steganography в prompt payload, не Datadog/OTel channel
  2. Zero changelog disclosure ~3 months
  3. Targeted geo/competitor fingerprinting, не aggregate crash metrics
  4. Shell execution privilege — выше bar для transparency

Deep dive Unicode mapping: стеганография Claude Code.

7. Версии и команды проверки

MilestoneVersionDate
First build with hidden logicv2.1.912026-04-02
Last affectedv2.1.1962026-06-29
Fix releasev2.1.197 (CN: v2.1.198)2026-07-01/02
Safe baselinev2.1.197+
# Version check
claude --version

# Trigger probe
echo $ANTHROPIC_BASE_URL

# Upgrade
npm install -g @anthropic-ai/claude-code@latest
claude update

# npm global version
npm list -g @anthropic-ai/claude-code

Uninstall residual paths:

  • macOS/Linux: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code
  • Windows: %USERPROFILE%\.claude, %USERPROFILE%\.claude.json

8. Заявления и сравнение формулировок СМИ

MIIT / NVDB

Backdoor, серьёзная угроза; мониторинг без consent; audit terminals, upgrade/uninstall, egress control.

Anthropic / Thariq Shihipar (Claude Code engineer)

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."

Framing: experiment, not backdoor. Context: Senate Banking Committee letter — Alibaba Qwen ~25 000 fraudulent accounts, 28.8M interactions for distillation.

Alibaba

"As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities." Effective 10 July 2026; ban Claude Code + Anthropic models (Sonnet, Opus, Fable); alt: Qoder.

Media comparison table

SourceKey termNarrative
MIIT / NVDBbackdoor; severe threatCompliance, data egress
CNBC / Reuterssecurity backdoor; monitoring mechanismRegulatory relay + enterprise chain
The Registercovert code; secret steganographyTechnical accountability
Ars Technicaspyware-like trackingTrust crisis
Cybernews"a nothing burger"Overreaction; legit anti-distillation
Anthropicexperiment; anti-abuseDefensive intent; planned rollback

9. Distillation war — контекст механизма

US–China AI rivalry 2026. Anthropic geo-blocks China; bypass via VPN/proxy. Feb 2026 PKU/CAS paper — distillation traces in CN LLMs. Anthropic accused DeepSeek, Moonshot, MiniMax, Alibaba. Qwen Senate allegations + Opus 4.8 self-identifying as Qwen/DeepSeek in tests — double-standard debate.

Alibaba Qoder = domestic stack pivot. MIIT advisory + enterprise bans + Anthropic "experiment" — causal chain, не isolated spyware scandal.

10. Fact-check перед публикацией

  1. Не все users — qualify by ANTHROPIC_BASE_URL.
  2. Fix: v2.1.197 primary, v2.1.198 CN outlets — baseline "2.1.197+".
  3. "Backdoor" = regulatory; "steganography/covert channel" = technical; "experiment" = vendor.
  4. Impact: account risk, не confirmed mass leak.
  5. Version dates в media diverge — ground truth: claude --version.

11. Матрица решений

ScenarioExposureActionNote
Individual, official APILowUpgrade 2.1.197+; verify BASE_URLStego-path inactive
Enterprise ITHighTerminal inventory; software allowlist; egress audit; NVDB docAlibaba precedent
Proxy/gateway userHighImmediate upgrade/uninstall; BASE_URL history; account reviewOnly active trigger group
Official API + regulatedMediumVersion baseline; isolated dev node; vendor auditHigh privilege regardless

12. Пять шагов (How-to)

  1. Version: claude --version — range v2.1.91–2.1.196?
  2. BASE_URL: echo $ANTHROPIC_BASE_URL; scan ~/.zshrc, ~/.bashrc, IDE, CI secrets.
  3. Upgrade: npm install -g @anthropic-ai/claude-code@latest or claude update → ≥ v2.1.197.
  4. Uninstall: policy mandate — remove package + residual dirs.
  5. Egress audit: filter/log unauthorized AI API endpoints; archive for compliance.

13. Enterprise IT checklist

  • Asset inventory: Claude Code installs (focus 2.1.91–2.1.196) on laptops, CI, remote desktops.
  • Env audit: ANTHROPIC_BASE_URL, proxy configs, .env files.
  • Software governance: allow/deny lists; Alibaba high-risk reference.
  • Egress policy: dev VLAN allowlist AI API domains only.
  • Least privilege: no prod DB creds in same session as AI CLI.
  • IR playbook: affected version + non-official BASE_URL → account freeze eval, credential rotation.
  • Vendor comms: request Anthropic security statement; track NVDB/changelog.
  • Internal comms: explain trigger condition — no panic uninstall without data.

14. FAQ

Настоящий backdoor?
NVDB: да, severe risk. Technical: steganography v2.1.91–2.1.196. Anthropic: March experiment, removed v2.1.197.

Какие версии?
v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29). Baseline: 2.1.197+.

Официальный API?
Нет — только non-official ANTHROPIC_BASE_URL.

Проверить версию?
claude --version.

Удалять?
Individual: upgrade first. Enterprise: uninstall + egress audit.

Стеганография?
Date separator + Unicode apostrophes в system prompt.

Alibaba?
High-risk list; 10 July 2026 → Qoder.

Changelog?
No disclosure until 30 June community RE.

Сейчас безопасно?
Code removed 2.1.197+; trust = org decision.

Distillation?
Anti-reseller/anti-distillation; Qwen Senate context. Full FAQ in JSON-LD above.

15. Источники

16. Дисклеймер

Материал основан на публичных отчётах MIIT/NVDB, заявлениях Anthropic и независимом RE. Информационный характер, не юридическая и не audit-консультация. Обновлено: 2026-07-09.

17. SFTPMAC remote Mac bridge

MIIT advisory + Alibaba ban = AI coding tools входят в supply-chain и terminal governance. Прагматичный ответ: не panic-uninstall всего, а decouple high-privilege CLI от daily workstation — dedicated remote Mac node, SFTP/rsync artifact sync, egress policy per node.

Local MacBook смешивает env vars, proxy configs, browser creds — per-tool egress audit нереалистичен. Если ANTHROPIC_BASE_URL когда-либо указывал на non-official endpoint — upgrade/uninstall/log retention в isolated environment, не рядом с prod signing keys.

Архитектурно зрелее: выделенный remote Mac с egress policy, version baseline, 7×24 — согласуется с разбором стеганографии и JADEPUFFER guide. SFTPMAC аренда remote Mac: SSH/SFTP isolation, launchd, egress — контролируемее patch-roulette на laptop.