Anthropic's Claude Code secretly embedded hidden markers to flag users linked to 147 Chinese domains and AI labs, developers disclosed this week. Key Points Claude Code encoded proxy and time
Anthropic's Claude Code secretly embedded hidden markers to flag users linked to 147 Chinese domains and AI labs, developers disclosed this week.
Key Points
- Claude Code encoded proxy and timezone details into invisible Unicode markers hidden in system prompts, developers found
- The mechanism checked configurations against 147 Chinese domains and eleven AI lab keywords before altering a date line in the prompt
- Anthropic said the code will be pulled in Claude Code's next release after developers and researchers raised alarm
Hidden Prompt Markers
A developer reverse engineering Claude Code version 2.1.196 while restoring a disabled remote control feature found obfuscated code silently present since April.
The findings surfaced on Reddit on Jun. 30 under a screen name and were confirmed in a technical writeup posted on GitHub.
Analysts examined three separate Claude Code releases and found the mechanism worked identically in each one, with no mention of it in any release notes despite months of updates. It only activates when a user points Claude Code at a custom server address instead of Anthropic's own. Once triggered, the tool reads the system's timezone and checks whether it matches two cities linked to mainland China.
The proxy address is then compared against a hidden domain list of 147 entries, obfuscated to avoid turning up in a plain text search and including Baidu, Alibaba, Ant Group and ByteDance, plus eleven keywords tied to Chinese AI labs. Results get folded into the ordinary looking sentence "Today's date is...", where a hyphen switches to a slash for a Chinese timezone and a standard apostrophe swaps for one of three near identical characters.
Also Read:BitMine Defies The Selloff With A $43M Ethereum Bet, Strategy Blinks
Developer Trust Fallout
Developers reacted with alarm once the mechanism became public, arguing that a tool with access to source code and shell commands owes users a higher standard of disclosure than a chat window. A bug report filed against the project's code repository called the practice covert fingerprinting and asked what other signals might be hidden from users. Commenters noted the check could be defeated simply by changing a hostname or system clock.
That means it mostly tags ordinary developers using legitimate corporate proxies rather than the sophisticated operators it was built to catch. Anthropic has previously accused Chinese labs including DeepSeek, Moonshot AI and MiniMax of using more than 24,000 fraudulent accounts and over 16 million exchanges to copy Claude's reasoning and coding behavior earlier this year.
An Anthropic engineer acknowledged the code on social media and said it would be pulled in the following day's release, though the company had not issued a formal written statement. The episode adds to a string of security questions around Claude Code this year.
Researchers at Microsoftdisclosed a prompt injection flaw in its GitHub integration in June, Check Pointflagged three separate vulnerabilities in February, and Anthropic's own source code briefly leaked in April.
Read Next:CZ Says Binance Was Days From MiCA Approval Before Politics Hit