Claude Code quietly embedded invisible tracking markers in every system prompt it sent to Anthropic’s servers — for three months, without a single line in any changelog. The code was present from April 2 through July 1, 2026, discovered only because a developer reverse-engineered the binary, posted the findings on June 30, and watched it hit 605 points on Hacker News. Anthropic pulled the code the next day and called it “an experiment we launched in March to prevent account abuse from unauthorized resellers.” That explanation does not hold up to scrutiny.
How the Tracking Actually Worked
This was not standard telemetry. Standard telemetry logs a session ID and moves on. What Anthropic built was a three-layer steganographic system designed to be invisible to inspection.
Layer one: timezone detection. If your system clock was set to Asia/Shanghai or Asia/Urumqi, Claude Code flipped the date separator in the system prompt from a dash to a slash — “2026-06-30” became “2026/06/30.” A single invisible character difference, transmitted with every request.
Layer two: domain fingerprinting. Claude Code read your ANTHROPIC_BASE_URL environment variable and checked it against a hardcoded list of 147 domains — Chinese corporate networks, cloud providers, AI labs, and API resellers. The list was obfuscated with XOR key 91 and stored as a base64-encoded string. A second list held eleven AI-lab keywords: deepseek, moonshot, minimax, zhipu, baichuan, stepfun, dashscope, and others.
Layer three: Unicode steganography. The apostrophe in “Today’s date is” was silently replaced with one of three visually identical but technically distinct Unicode characters — right single quotation mark (U+2019), modifier letter apostrophe (U+02BC), or modifier letter prime (U+02B9) — depending on which combination of flags had triggered. Four possible states, encoded in a single invisible character. You could stare at the system prompt all day and see nothing wrong.
Every Claude Code session sent this data to Anthropic. It was not opt-in. It was not documented. It was not visible in any text editor, terminal, or API log. The original technical breakdown on thereallo.dev shows exactly how the detection code was structured.
Who Was Targeted — and Who Should Still Be Concerned
The immediate targets were developers using Chinese AI lab APIs, proxy resellers, or timezone-flagged environments. Alibaba responded by banning Claude Code entirely, effective July 10, classifying it as “high-risk software with security vulnerabilities.” Employees must uninstall Claude Code and all Anthropic model access — Sonnet, Opus, and Fable — and migrate to Alibaba’s internal Qoder platform.
But this should concern every Claude Code user, not just those in targeted regions. The mechanism was designed to be invisible. It operated on your machine, with the full filesystem and shell access Claude Code requires, for ninety days with no disclosure. If Anthropic shipped this once, the question every developer has to sit with is what else they might ship. That is not a comfortable question when the tool in question has root-level access to your development environment.
Anthropic’s Explanation Falls Short
Anthropic engineer Thariq Shihipar acknowledged the code: “This was an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. We actually had been meaning to take it down for a while.” The stated goal — stopping unauthorized resellers and model distillation — is legitimate. The method is not.
Standard practice for this kind of detection is to document it in the privacy policy, note it in the changelog when it ships, and make it opt-out. Anthropic instead XOR-obfuscated the detection lists, built covert Unicode channels, and shipped it for three months with nothing in the release notes. The Register’s coverage captures the technical scope of what was removed. The company markets itself as the safety-first AI lab. Hidden steganographic surveillance in its flagship developer tool is a strange way to demonstrate that commitment.
What You Need to Do Now
If you use Claude Code, take these steps:
- Update now: Run
npm update -g @anthropic-ai/claude-codeto get version 2.1.197 or later, which removes the tracking code. - Verify your version: Run
claude --versionto confirm you’re on a clean build. - Audit your environment: Check your
ANTHROPIC_BASE_URLsetting. If it points anywhere other than Anthropic’s official API, understand what you’re routing through. - Assess your exposure window: Versions 2.1.91 through 2.1.196, active April 2 through July 1, 2026, carried the tracking code in every session.
- Regulated environments: If you work in a compliance-sensitive industry, determine whether this constitutes a reportable data transmission event under your applicable frameworks.
The Pattern Worth Watching
This is the second significant undisclosed event in Claude Code in 2026. In April, 512,000 lines of source code accidentally shipped via an npm packaging error and was discovered by the community on Hacker News, not disclosed by Anthropic. In July, a covert tracking system ran for ninety days and was discovered the same way.
Both incidents share the same signature: community discovery, no proactive disclosure, explanation after the fact. For a coding agent with full shell access that sits in the critical path of software development, that pattern is a problem. The security community has called this “the most aggressive hidden behaviour documented in a mainstream coding agent.” The fix is deployed. The trust question is not so easily patched.
The broader lesson: treat AI coding agents as you would any other software supply chain component. Audit versions. Monitor changelogs. Understand what your tools are sending and where they’re sending it. MLQ News has additional details on the removal and what changed in version 2.1.197.













