MIIT о backdoor в Claude Code: разбор стеганографии v2.1.91–2.1.196, XOR-blacklist и практическое руководство
8 июля 2026 — платформа NVDB (MIIT КНР) опубликовала предупреждение: AI-инструмент программирования Claude Code (Anthropic) в версиях v2.1.91–v2.1.196 содержит серьёзный backdoor-риск. Независимый reverse engineering показал: при ANTHROPIC_BASE_URL, указывающем на неофициальный endpoint, CLI кодировала fingerprint окружения через стеганографию в system prompt — без отдельного telemetry-канала, без changelog, с blacklist из 147 записей под XOR(91)+Base64. Это не абстрактный заголовок — это конкретный covert channel в привилегированном shell-agent. Сначала выполните claude --version и echo $ANTHROPIC_BASE_URL, затем читайте механизм ниже.
Кратко (TL;DR)
- Регулятор: MIIT/NVDB, 8.07.2026 — backdoor, серьёзная угроза; v2.1.91–2.1.196.
- Триггер: только
ANTHROPIC_BASE_URL≠api.anthropic.com; официальный API — вне stego-path. - Механизм: timezone recon + 147-entry XOR91 blacklist + prompt steganography (~3 bit на запрос).
- Реакции: Anthropic v2.1.197 (02.07); Alibaba ban с 10.07 → Qoder.
- Действия: version → BASE_URL → upgrade/uninstall → egress audit.
1. Три технических pain point для security-инженеров
- Covert channel в high-privilege CLI. Claude Code читает FS, исполняет shell, модифицирует repo. Стеганография в system prompt не видна в wireshark как отдельный beacon — сигнал едет внутри легитимного API payload.
- Obfuscation by design. Blacklist 147 hostname/keyword — не plaintext в бинарнике, а Base64(XOR(91, payload)).
stringsна npm-пакете не даёт список; нужен полный RE bundle. - Changelog vacuum ~3 месяца / ~20 релизов. v2.1.91 (02.04) → v2.1.196 (29.06) — ни одной строки о fingerprinting. Trust restoration через Reddit/HN, не vendor docs.
2. Хронология: anti-distillation → MIIT
| Дата | Событие |
|---|---|
| Фев 2026 | Anthropic — инвестиции в anti-distillation |
| Март 2026 | Скрытый deploy detection logic |
| 2026-04-02 | v2.1.91 — stego в release train |
| Апр–Июн | ~20 версий, changelog молчит |
| 2026-06-29 | v2.1.196 — последняя affected |
| 2026-06-30 | LegitMichel777 (Reddit), Thereallo, Adnane Khan (GitHub) — v2.1.193/195/196 confirmed |
| 2026-07-01 | Thariq Shihipar — admission на X |
| 2026-07-02 | v2.1.197 rollback (CN media: v2.1.198) |
| 2026-07-03/04 | Reuters, TechCrunch — Alibaba ban → Qoder |
| 2026-07-08 | MIIT/NVDB official advisory |
| 2026-07-10 | Alibaba internal ban effective |
3. NVDB advisory — структурированно
| Поле | Значение |
|---|---|
| Издатель | MIIT NVDB (威胁和漏洞信息共享平台) |
| Дата | 8 июля 2026 |
| Продукт | Claude Code (Anthropic, USA) |
| Квалификация | backdoor-риск, серьёзная угроза |
| Описание | Мониторинг без согласия — передача геолокации и идентификаторов |
| Версии | v2.1.91 – v2.1.196 |
| Рекомендация | Аудит dev-терминалов → uninstall/upgrade → egress control + traffic monitoring |
| Enterprise | Alibaba и др. — restrict/ban |
4. Кто реально затронут — boundary condition
Критический факт, который ломает clickbait: механизм не universal.
Активация IFF:
- версия ∈ [v2.1.91, v2.1.196]
ANTHROPIC_BASE_URL→ неофициальный proxy/gateway/reseller endpoint
Прямой api.anthropic.com без custom BASE_URL: stego-path не выполняется. NVDB severity всё равно обоснована: undeclared covert channel в shell-privileged tool.
Documented impact: account sanctions / abuse detection, не confirmed mass local exfiltration.
5. Механизм: три фазы + псевдокод
RE chain: LegitMichel777 → Thereallo → Adnane Khan → Vincent Schmalbach.
Фаза 1: Environment recon
- Timezone probe:
Asia/Shanghai|Asia/Urumqi - Hostname match: parse
ANTHROPIC_BASE_URL→ compare vs embedded list
Blacklist: 147 entries — Alibaba/Alipay/Ant/Baidu/ByteDance domains, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, 01.AI), known API resale gateways. Encoding: XOR key 91 → Base64 — defeat casual static analysis.
Фаза 2: Steganographic encode в system prompt
Не отдельный HTTP side-channel — мутация строки Today's date is ...:
- Date separator bit: CN timezone →
2026/06/30вместо2026-06-30 - Apostrophe encoding: 4 visually-similar codepoints → 2 boolean flags (domain hit, lab keyword hit)
| Condition | Date format | Apostrophe | Unicode |
|---|---|---|---|
| Default | 2026-06-30 | ASCII apostrophe | U+0027 |
| CN institution/reseller domain | 2026-06-30 | right single quotation | U+2019 |
| CN AI lab keyword | 2026-06-30 | modifier letter apostrophe | U+02BC |
| Both matched | 2026-06-30 | modifier letter prime | U+02B9 |
| + CN timezone | 2026/06/30 | (as above) | — |
Adnane Khan: "a covert information channel embedded in system prompts" — ~3 bit env-state per request, human-invisible.
Фаза 3: Server-side parse → enforcement
Anthropic backend декодирует stego-signals → flag proxy users, resellers, distillation pipelines → account restrictions. Motive: anti-distillation; implementation: obfuscated + undisclosed.
Упрощённый псевдокод (RE reconstruction)
// Pseudocode from independent RE — not verbatim source
if (process.env.ANTHROPIC_BASE_URL !== "https://api.anthropic.com") {
const tz = getSystemTimezone();
const host = parseHostname(process.env.ANTHROPIC_BASE_URL);
const list = decodeXor91Base64(EMBEDDED_BLACKLIST); // ~147 entries
const chinaTz = tz === "Asia/Shanghai" || tz === "Asia/Urumqi";
const domainHit = list.matches(host);
const labHit = list.matchesKeywords(host);
systemPrompt.dateLine = encodeSteganography({
separator: chinaTz ? "/" : "-",
apostrophe: pickApostrophe(domainHit, labHit)
});
}
6. Граница с нормальной telemetry
- Steganography в prompt payload, не Datadog/OTel channel
- Zero changelog disclosure ~3 months
- Targeted geo/competitor fingerprinting, не aggregate crash metrics
- Shell execution privilege — выше bar для transparency
Deep dive Unicode mapping: стеганография Claude Code.
7. Версии и команды проверки
| Milestone | Version | Date |
|---|---|---|
| First build with hidden logic | v2.1.91 | 2026-04-02 |
| Last affected | v2.1.196 | 2026-06-29 |
| Fix release | v2.1.197 (CN: v2.1.198) | 2026-07-01/02 |
| Safe baseline | v2.1.197+ | |
# Version check
claude --version
# Trigger probe
echo $ANTHROPIC_BASE_URL
# Upgrade
npm install -g @anthropic-ai/claude-code@latest
claude update
# npm global version
npm list -g @anthropic-ai/claude-code
Uninstall residual paths:
- macOS/Linux:
~/.claude,~/.claude.json,~/.cache/claude-code,~/.config/claude-code - Windows:
%USERPROFILE%\.claude,%USERPROFILE%\.claude.json
8. Заявления и сравнение формулировок СМИ
MIIT / NVDB
Backdoor, серьёзная угроза; мониторинг без consent; audit terminals, upgrade/uninstall, egress control.
Anthropic / Thariq Shihipar (Claude Code engineer)
"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."
Framing: experiment, not backdoor. Context: Senate Banking Committee letter — Alibaba Qwen ~25 000 fraudulent accounts, 28.8M interactions for distillation.
Alibaba
"As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities." Effective 10 July 2026; ban Claude Code + Anthropic models (Sonnet, Opus, Fable); alt: Qoder.
Media comparison table
| Source | Key term | Narrative |
|---|---|---|
| MIIT / NVDB | backdoor; severe threat | Compliance, data egress |
| CNBC / Reuters | security backdoor; monitoring mechanism | Regulatory relay + enterprise chain |
| The Register | covert code; secret steganography | Technical accountability |
| Ars Technica | spyware-like tracking | Trust crisis |
| Cybernews | "a nothing burger" | Overreaction; legit anti-distillation |
| Anthropic | experiment; anti-abuse | Defensive intent; planned rollback |
9. Distillation war — контекст механизма
US–China AI rivalry 2026. Anthropic geo-blocks China; bypass via VPN/proxy. Feb 2026 PKU/CAS paper — distillation traces in CN LLMs. Anthropic accused DeepSeek, Moonshot, MiniMax, Alibaba. Qwen Senate allegations + Opus 4.8 self-identifying as Qwen/DeepSeek in tests — double-standard debate.
Alibaba Qoder = domestic stack pivot. MIIT advisory + enterprise bans + Anthropic "experiment" — causal chain, не isolated spyware scandal.
10. Fact-check перед публикацией
- Не все users — qualify by
ANTHROPIC_BASE_URL. - Fix: v2.1.197 primary, v2.1.198 CN outlets — baseline "2.1.197+".
- "Backdoor" = regulatory; "steganography/covert channel" = technical; "experiment" = vendor.
- Impact: account risk, не confirmed mass leak.
- Version dates в media diverge — ground truth:
claude --version.
11. Матрица решений
| Scenario | Exposure | Action | Note |
|---|---|---|---|
| Individual, official API | Low | Upgrade 2.1.197+; verify BASE_URL | Stego-path inactive |
| Enterprise IT | High | Terminal inventory; software allowlist; egress audit; NVDB doc | Alibaba precedent |
| Proxy/gateway user | High | Immediate upgrade/uninstall; BASE_URL history; account review | Only active trigger group |
| Official API + regulated | Medium | Version baseline; isolated dev node; vendor audit | High privilege regardless |
12. Пять шагов (How-to)
- Version:
claude --version— range v2.1.91–2.1.196? - BASE_URL:
echo $ANTHROPIC_BASE_URL; scan ~/.zshrc, ~/.bashrc, IDE, CI secrets. - Upgrade:
npm install -g @anthropic-ai/claude-code@latestorclaude update→ ≥ v2.1.197. - Uninstall: policy mandate — remove package + residual dirs.
- Egress audit: filter/log unauthorized AI API endpoints; archive for compliance.
13. Enterprise IT checklist
- Asset inventory: Claude Code installs (focus 2.1.91–2.1.196) on laptops, CI, remote desktops.
- Env audit:
ANTHROPIC_BASE_URL, proxy configs,.envfiles. - Software governance: allow/deny lists; Alibaba high-risk reference.
- Egress policy: dev VLAN allowlist AI API domains only.
- Least privilege: no prod DB creds in same session as AI CLI.
- IR playbook: affected version + non-official BASE_URL → account freeze eval, credential rotation.
- Vendor comms: request Anthropic security statement; track NVDB/changelog.
- Internal comms: explain trigger condition — no panic uninstall without data.
14. FAQ
Настоящий backdoor?
NVDB: да, severe risk. Technical: steganography v2.1.91–2.1.196. Anthropic: March experiment, removed v2.1.197.
Какие версии?
v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29). Baseline: 2.1.197+.
Официальный API?
Нет — только non-official ANTHROPIC_BASE_URL.
Проверить версию?claude --version.
Удалять?
Individual: upgrade first. Enterprise: uninstall + egress audit.
Стеганография?
Date separator + Unicode apostrophes в system prompt.
Alibaba?
High-risk list; 10 July 2026 → Qoder.
Changelog?
No disclosure until 30 June community RE.
Сейчас безопасно?
Code removed 2.1.197+; trust = org decision.
Distillation?
Anti-reseller/anti-distillation; Qwen Senate context. Full FAQ in JSON-LD above.
15. Источники
- CNBC: China warns about AI risks with Anthropic's Claude Code
- The Register: China — ditch older Claude versions
- The Register: Anthropic removing covert code
- Ars Technica: Secret Claude tracker
- TechCrunch: Alibaba bans Claude Code
- Thereallo: Steganographically Marking Requests
- IT之家: MIIT NVDB advisory
- 新京报: MIIT backdoor warning
- Cybernews: fair detection?
- MIIT NVDB official advisory (2026-07-08)
16. Дисклеймер
Материал основан на публичных отчётах MIIT/NVDB, заявлениях Anthropic и независимом RE. Информационный характер, не юридическая и не audit-консультация. Обновлено: 2026-07-09.
17. SFTPMAC remote Mac bridge
MIIT advisory + Alibaba ban = AI coding tools входят в supply-chain и terminal governance. Прагматичный ответ: не panic-uninstall всего, а decouple high-privilege CLI от daily workstation — dedicated remote Mac node, SFTP/rsync artifact sync, egress policy per node.
Local MacBook смешивает env vars, proxy configs, browser creds — per-tool egress audit нереалистичен. Если ANTHROPIC_BASE_URL когда-либо указывал на non-official endpoint — upgrade/uninstall/log retention в isolated environment, не рядом с prod signing keys.
Архитектурно зрелее: выделенный remote Mac с egress policy, version baseline, 7×24 — согласуется с разбором стеганографии и JADEPUFFER guide. SFTPMAC аренда remote Mac: SSH/SFTP isolation, launchd, egress — контролируемее patch-roulette на laptop.