Reverse Engineering 2026-07-03

Claude Code — spyware?
Unicode covert channel & ANTHROPIC_BASE_URL fingerprint

Hardcore breakdown: with ANTHROPIC_BASE_URL ≠ api.anthropic.com, the Claude Code CLI (not the web UI) allegedly mutated the system prompt, specifically the line Today's date is ..., by swapping in a homoglyph apostrophe (code points U+0027 / U+2019 / U+02BC / U+02B9) and flipping the date separator when TZ is Asia/Shanghai | Asia/Urumqi. Classifier lists: base64 → XOR(91), ~147 domain rules. Affected builds: 2.1.193, 2.1.195, 2.1.196. Patch: 2.1.197 (2026-07-01). Below: diff of incidents A/B, mapping table, HN 350+, 6 hardening steps, FAQ×8, Mac isolation runbook.

Figure: Claude Code system prompt with the alleged U+2019 apostrophe fingerprint for proxy users

⚠️ Snapshot 2026-07-03. Alleged/reported wording. Not legal advice. Vendor disclosure incomplete.

01 · Spec summary

| Parameter | Value (reported) |
|---|---|
| Disclosure B | 2026-06-30, thereallo.dev → Reddit → HN |
| Gate | ANTHROPIC_BASE_URL ≠ api.anthropic.com |
| Carrier | System prompt line Today's date is YYYY-MM-DD |
| Encoding | 4 apostrophe code points + optional / date sep |
| List obfuscation | base64 decode → XOR each byte with 91 |
| Rule count | ~147 hostname patterns + lab keywords |
| Vulnerable | 2.1.193, 2.1.195, 2.1.196 |
| Fixed | 2.1.197 (2026-07-01), silent changelog |

02 · Incident A vs B diff

| Field | A: Native Messaging | B: Prompt steganography |
|---|---|---|
| Binary | Claude Desktop | Claude Code CLI |
| Source | Alexander Hanff, Apr 2026 | thereallo.dev, 2026-06-30 |
| Mechanism | Writes com.anthropic.claude_browser_extension.json, chrome-native-host outside sandbox | Mutates prompt bytes on non-official ANTHROPIC_BASE_URL |
| Trigger | Desktop install/launch | Custom base URL only |
| Classification | Privilege escalation / spyware-adjacent | Covert channel / undisclosed telemetry |
| Vendor fix | Toggle later, underlying model retained | Removed in 2.1.197 |

03 · Trigger: ANTHROPIC_BASE_URL

Logic gate: hostname resolved from ANTHROPIC_BASE_URL must differ from official Anthropic API. Config paths: ~/.claude/settings.json, shell export, CI secrets. Relay users documented in token guide were in alleged trigger set — not every paying customer hitting SF directly.

Post-gate: string match against XOR-deobfuscated lists. Keywords reportedly include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai. Output: select apostrophe variant + optional date separator flip.

04 · Unicode code point table

| Match state | Date string | Glyph in Today's | Code point |
|---|---|---|---|
| NONE | 2026-06-30 | APOSTROPHE (ASCII) | U+0027 |
| DOMAIN_CN_RESELLER | 2026-06-30 | RIGHT SINGLE QUOTATION MARK | U+2019 |
| LAB_KEYWORD | 2026-06-30 | MODIFIER LETTER APOSTROPHE | U+02BC |
| DOMAIN + LAB | 2026-06-30 | MODIFIER LETTER PRIME | U+02B9 |
| Any above + CN TZ | 2026/06/30 | Per row above | Per row above |

Server-side parser reads code points — human eye and most log pipelines see identical UTF-8 rendering. Classic steganography: payload in carrier that already ships every request.
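
A detection check for the table above, as an added example (not code from the page, the researcher or the vendor): it reads a captured request body, finds the date line and reports which code point sits in the apostrophe position and whether the date uses slashes. The state names come from the reported table; the sample bodies and their "system" field are constructed.

```python
import json
import re
import unicodedata

# Code point -> match state, as reported in the page's table (not vendor-confirmed).
STATES = {0x0027: "NONE", 0x2019: "DOMAIN_CN_RESELLER",
          0x02BC: "LAB_KEYWORD", 0x02B9: "DOMAIN + LAB"}

# Any single character where the apostrophe should be, then a - or / date.
DATE_LINE = re.compile(r"Today(.)s date is \d{4}([-/])\d{2}([-/])\d{2}")


def inspect_body(body: bytes) -> list[dict]:
    """One finding per 'Today?s date is' line in a captured request body."""
    text = body.decode("utf-8", errors="replace")
    try:
        # Resolve JSON \uXXXX escapes so escaped and raw UTF-8 bodies compare equal.
        text = json.dumps(json.loads(text), ensure_ascii=False)
    except json.JSONDecodeError:
        pass  # not JSON: scan the decoded text as-is
    findings = []
    for m in DATE_LINE.finditer(text):
        ch = m.group(1)
        findings.append({
            "code_point": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch, "UNNAMED"),
            "utf8_hex": ch.encode("utf-8").hex(),
            "state": STATES.get(ord(ch), "UNLISTED"),
            "slash_date": "/" in (m.group(2), m.group(3)),
        })
    return findings


def is_unmarked(body: bytes) -> bool:
    """True only if a date line exists and all use U+0027 with '-' separators."""
    found = inspect_body(body)
    return bool(found) and all(
        f["state"] == "NONE" and not f["slash_date"] for f in found)


# Constructed sample bodies (not captured traffic).
CLEAN = '{"system": "Today\'s date is 2026-06-30"}'.encode("utf-8")
MARKED = '{"system": "Today\u02b9s date is 2026/06/30"}'.encode("utf-8")
ESCAPED = b'{"system": "Today\\u2019s date is 2026-06-30"}'
```

Run it against bodies captured on your own relay for each pinned version; a body with no date line returns False from is_unmarked, so an empty capture is not mistaken for a clean one.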

05 · base64+XOR(91), 147 rules

Extraction pipeline from binary: locate blob → base64 decode → byte ^ 91 per octet. Not crypto — anti-strings concealment. Decoded content: reseller domains, cloud gateways, university mirrors, lab-associated hosts. Obfuscation ≠ consent.
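
The pipeline above as an added audit example (not the researcher's tooling): it scans raw bytes for base64 runs, applies the XOR with 91 and keeps only runs whose every line looks like a hostname rule. The rule-line shape, the minimum run length and the sample buffer with reserved example domains are assumptions made for this sketch.

```python
import base64
import binascii
import re

XOR_KEY = 91  # single-byte key reported on the page
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
RULE_LINE = re.compile(r"[A-Za-z0-9*._-]+")  # assumed shape of one rule


def xor91(data: bytes) -> bytes:
    """XOR each octet with 91; the same call obfuscates and deobfuscates."""
    return bytes(b ^ XOR_KEY for b in data)


def find_rule_lists(binary: bytes) -> list[list[str]]:
    """Return decoded rule lists hidden as base64(XOR 91) inside raw bytes."""
    hits = []
    for m in B64_RUN.finditer(binary):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except binascii.Error:
            continue  # wrong length or padding: not a standalone base64 blob
        try:
            lines = [l for l in xor91(raw).decode("ascii").split("\n") if l]
        except UnicodeDecodeError:
            continue  # XOR result is not text
        # Plain base64 text fails here: a space XOR 91 becomes '{'.
        if lines and all(RULE_LINE.fullmatch(l) for l in lines):
            hits.append(lines)
    return hits


# Constructed sample: a decoy base64 string plus one obfuscated list.
_RULES = b"*.relay.example\ngateway.example.net\nlab-keyword-placeholder"
_DECOY = base64.b64encode(b"plain text decoy, not a rule list")
SAMPLE_BINARY = (b"\x7fELF\x00\x01" + _DECOY + b"\x00\x00"
                 + base64.b64encode(xor91(_RULES)) + b"\x00\xff")
```

A blob that sits directly next to other base64-alphabet bytes will fail the length check and be skipped, so treat an empty result as inconclusive.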

06 · Version matrix & 2.1.197

Confirmed in 2.1.193, 2.1.195, 2.1.196 — weeks before public disclosure. 2.1.197 (2026-07-01) strips logic; changelog omission fueled HN distrust. Pin minimum version in fleet runbooks. Verify: claude --version + capture outbound request body hash on your actual Base URL config.

07 · HN thread 350+

Front-page thread: 350+ points, 100+ comments. Split: anti-distillation defense vs covert-method rejection. Economic context: OpenRouter June 2026. Export pressure: Fable 5 ban. Tooling compare: Cursor vs Claude vs Copilot.

08 · Hardening: 6 steps

  1. Audit ANTHROPIC_BASE_URL — settings.json, shell profiles, CI vault.
  2. Upgrade ≥ 2.1.197 — verify with claude --version; capture test prompt hex dump.
  3. Hunt Native Messaging manifests: ~/Library/Application Support/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
  4. Log TZ exposure: systemsetup -gettimezone alongside Base URL in audit sheet.
  5. Segment prod secrets — separate macOS user or dedicated hardware for Claude agents.
  6. Procurement clauses — mandate disclosure of prompt mutation; escalate via Anthropic IPO context.
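
Steps 1 and 3 as one added audit example (not part of the original page): it collects every ANTHROPIC_BASE_URL found in ~/.claude/settings.json and common shell profiles, flags hosts other than api.anthropic.com, and lists Native Messaging manifests. The profile file list is an assumption, the JSON key is searched at any depth rather than at an assumed position, and the manifest glob is deliberately broader than the one-level pattern in step 3 so nested browser directories are covered.

```python
import json
import re
from pathlib import Path
from urllib.parse import urlsplit

OFFICIAL_HOST = "api.anthropic.com"
VAR = "ANTHROPIC_BASE_URL"
MANIFEST = "com.anthropic.claude_browser_extension.json"
PROFILES = (".zshrc", ".zprofile", ".zshenv", ".bashrc", ".bash_profile", ".profile")
# VAR=value or export VAR=value, optionally quoted; commented-out lines do not match.
ASSIGN = re.compile(r"^[ \t]*(?:export[ \t]+)?" + VAR + r"""=["']?([^"'\s#]+)""", re.M)


def json_values(node, key):
    """Yield every string stored under `key` at any depth of parsed JSON."""
    if isinstance(node, dict):
        for k, v in node.items():
            if k == key and isinstance(v, str):
                yield v
            else:
                yield from json_values(v, key)
    elif isinstance(node, list):
        for item in node:
            yield from json_values(item, key)


def audit_home(home: Path) -> dict:
    """Collect non-official base URLs and Native Messaging manifests under one home."""
    seen = []  # (source file, configured URL)
    settings = home / ".claude" / "settings.json"
    if settings.is_file():
        try:
            doc = json.loads(settings.read_text(encoding="utf-8"))
            seen += [(str(settings), u) for u in json_values(doc, VAR)]
        except (json.JSONDecodeError, UnicodeDecodeError):
            seen.append((str(settings), "<unparseable>"))
    for name in PROFILES:
        path = home / name
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            seen += [(str(path), u) for u in ASSIGN.findall(text)]
    flagged = [(src, u) for src, u in seen
               if (urlsplit(u).hostname or "").lower() != OFFICIAL_HOST]
    support = home / "Library" / "Application Support"
    manifests = sorted(str(p) for p in support.glob("**/NativeMessagingHosts/" + MANIFEST)) \
        if support.is_dir() else []
    return {"non_official_base_urls": flagged, "native_messaging_manifests": manifests}
```

Call audit_home(Path.home()) per user account; CI vault entries from step 1 are outside what a filesystem scan can see and need a separate review.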

09 · FAQ ×8

Claude Code — spyware?

Covert channel, not classic malware. Removed in 2.1.197.

Timezone tracking?

Asia/Shanghai, Asia/Urumqi — only with non-default ANTHROPIC_BASE_URL.

Unicode apostrophe trick?

U+0027 / U+2019 / U+02BC / U+02B9 encode classifier output in Today's.

Why Anthropic built it?

Likely anti-distillation + anti-resale. Intent defensible; implementation not.

Same as Claude Desktop story?

No. A = Apr Native Messaging. B = Jun prompt steganography.

Web Claude users affected?

No — only Claude Code with proxy Base URL.

Remove injected browser files?

Delete manifest from NativeMessagingHosts; Desktop restart may recreate.

Fingerprint removed?

Yes — 2.1.197, 2026-07-01. Present in 2.1.193–2.1.196.

10 · Mac isolation runbook ×5

  1. Inventory — Claude Code CLI, Desktop, Cursor hooks, CI jobs with Anthropic creds.
  2. Provision clean Apple Silicon: daily rental FAQ, fresh Keychain.
  3. Reproduce signals — point Base URL at test relay, hex-diff apostrophe code points, pin 2.1.196 vs 2.1.197.
  4. Scan incident A artifacts — automate find across NativeMessagingHosts before fleet rollout.
  5. Decision memo — version pins, allowed URLs; regulated data context if applicable.

11 · Bare-metal Mac rental CTA

Don't reverse-engineer on CEO laptop. Isolated Apple Silicon node: install Claude Code, toggle ANTHROPIC_BASE_URL, diff system prompts, wipe manifests — zero prod Keychain pollution. Daily Mac mini M4 rental < IR cost. Authentic macOS for Keychain/code-signing/Desktop behavior — not VM/Hackintosh.

Updated: 2026-07-03.