Claude Code — spyware?
Unicode covert channel & ANTHROPIC_BASE_URL fingerprint
Hardcore breakdown: with ANTHROPIC_BASE_URL ≠ api.anthropic.com, the Claude Code CLI (not the web UI) allegedly mutated the system prompt line Today's date is ... by swapping in a homoglyph apostrophe (code points U+0027 / U+2019 / U+02BC / U+02B9) and flipping the date separator when the TZ was Asia/Shanghai | Asia/Urumqi. Classifier lists: base64 → XOR(91), ~147 domain rules. Affected builds: 2.1.193, 2.1.195, 2.1.196. Patch: 2.1.197 (2026-07-01). Below: the incident A/B diff, mapping table, HN 350+, 6 hardening steps, FAQ×8, Mac isolation runbook.
⚠️ Snapshot 2026-07-03. Alleged/reported wording. Not legal advice. Vendor disclosure incomplete.
01 · Spec summary
| Parameter | Value (reported) |
|---|---|
| Disclosure B | 2026-06-30, thereallo.dev → Reddit → HN |
| Gate | ANTHROPIC_BASE_URL ≠ api.anthropic.com |
| Carrier | System prompt line Today's date is YYYY-MM-DD |
| Encoding | 4 apostrophe code points + optional / date sep |
| List obfuscation | base64 decode → XOR each byte with 91 |
| Rule count | ~147 hostname patterns + lab keywords |
| Vulnerable | 2.1.193, 2.1.195, 2.1.196 |
| Fixed | 2.1.197 (2026-07-01), silent changelog |
02 · Incident A vs B diff
| Field | A: Native Messaging | B: Prompt steganography |
|---|---|---|
| Binary | Claude Desktop | Claude Code CLI |
| Source | Alexander Hanff, Apr 2026 | thereallo.dev, 2026-06-30 |
| Mechanism | Writes com.anthropic.claude_browser_extension.json → chrome-native-host outside sandbox | Mutates prompt bytes on non-official ANTHROPIC_BASE_URL |
| Trigger | Desktop install/launch | Custom base URL only |
| Classification | Privilege escalation / spyware-adjacent | Covert channel / undisclosed telemetry |
| Vendor fix | Toggle later, underlying model retained | Removed in 2.1.197 |
03 · Trigger: ANTHROPIC_BASE_URL
Logic gate: the hostname resolved from ANTHROPIC_BASE_URL must differ from the official Anthropic API host. Config paths: ~/.claude/settings.json, shell export, CI secrets. Relay users documented in the token guide were in the alleged trigger set; paying customers hitting SF directly were not.
Post-gate: string match against XOR-deobfuscated lists. Keywords reportedly include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai. Output: select apostrophe variant + optional date separator flip.
04 · Unicode code point table
| Match state | Date string | Glyph in Today's | Code point |
|---|---|---|---|
| NONE | 2026-06-30 | APOSTROPHE (ASCII) | U+0027 |
| DOMAIN_CN_RESELLER | 2026-06-30 | RIGHT SINGLE QUOTATION MARK | U+2019 |
| LAB_KEYWORD | 2026-06-30 | MODIFIER LETTER APOSTROPHE | U+02BC |
| DOMAIN + LAB | 2026-06-30 | MODIFIER LETTER PRIME | U+02B9 |
| Any above + CN TZ | 2026/06/30 | Per row above | — |
Server-side parser reads code points — human eye and most log pipelines see identical UTF-8 rendering. Classic steganography: payload in carrier that already ships every request.
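A check for the code points in the table above, as an added example (not code from the original page or from the vendor): it scans a captured request body for the Today's date is line and reports the apostrophe code point and the date separator. The function names and sample bodies are constructed for illustration; the state labels are the page's reported ones.

```python
import json
import re
import unicodedata

# State labels per the page's reported table (not vendor-confirmed).
STATES = {0x0027: "NONE", 0x2019: "DOMAIN_CN_RESELLER",
          0x02BC: "LAB_KEYWORD", 0x02B9: "DOMAIN + LAB"}
# "Today", any one character, "s date is", then a date split by "-" or "/".
DATE_LINE = re.compile(r"Today(.)s date is \d{4}([-/])\d{2}\2\d{2}")

def _strings(node):
    """Yield every string nested inside a parsed JSON value."""
    if isinstance(node, str):
        yield node
    elif isinstance(node, dict):
        for value in node.values():
            yield from _strings(value)
    elif isinstance(node, list):
        for value in node:
            yield from _strings(value)

def inspect_body(body: bytes) -> list[dict]:
    """Return one finding per date line in a captured request body."""
    text = body.decode("utf-8", errors="replace")
    try:
        # Parsing resolves \u2019-style JSON escapes a raw grep would miss.
        chunks = list(_strings(json.loads(text)))
    except ValueError:
        chunks = [text]  # not JSON: treat the capture as plain text
    findings = []
    for chunk in chunks:
        for m in DATE_LINE.finditer(chunk):
            mark, sep = m.group(1), m.group(2)
            findings.append({
                "code_point": f"U+{ord(mark):04X}",
                "name": unicodedata.name(mark, "UNKNOWN"),
                "state": STATES.get(ord(mark), "UNLISTED"),
                "separator_flipped": sep == "/",
                "clean": mark == "'" and sep == "-",
            })
    return findings

# Constructed sample captures (not taken from a real session).
CLEAN_BODY = json.dumps({"system": "Today's date is 2026-06-30."}).encode()
MARKED_BODY = json.dumps(  # ensure_ascii escapes U+02BC as \u02bc
    {"system": [{"type": "text", "text": "Today\u02bcs date is 2026/06/30."}]}
).encode()
RAW_BODY = "Today\u2019s date is 2026-06-30.".encode("utf-8")
```

Any finding with clean set to False on a build at or above the fixed version is worth keeping alongside the claude --version output in the audit record.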
05 · base64+XOR(91), 147 rules
Extraction pipeline from binary: locate blob → base64 decode → byte ^ 91 per octet. Not crypto — anti-strings concealment. Decoded content: reseller domains, cloud gateways, university mirrors, lab-associated hosts. Obfuscation ≠ consent.
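The extraction pipeline above as a triage script, added here as an example (not code from the original page or from the researcher's tooling): it scans a binary image for base64 runs, applies XOR 91, and keeps only blobs that decode to hostname-shaped entries. The whitespace- or comma-separated list format, the HOSTLIKE pattern and the sample image are assumptions constructed for illustration.

```python
import base64
import re

XOR_KEY = 91  # single-byte key reported on the page
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{24,}={0,2}")   # candidate embedded blobs
HOSTLIKE = re.compile(r"^[a-z0-9*.-]+\.[a-z]{2,}$")  # assumed rule shape

def deobfuscate(blob: bytes) -> bytes:
    """base64 decode, then XOR every byte with the key."""
    return bytes(b ^ XOR_KEY for b in base64.b64decode(blob, validate=True))

def find_rule_blobs(image: bytes, min_hosts: int = 2) -> list[list[str]]:
    """Return decoded entry lists for blobs that look like hostname rules."""
    hits = []
    for match in B64_RUN.finditer(image):
        run = match.group(0)
        if len(run) % 4:
            continue  # misaligned run; a fuller tool would retry with offsets
        try:
            plain = deobfuscate(run).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            continue
        entries = [e for e in re.split(r"[\s,]+", plain) if e]
        # Ordinary base64 strings decode to noise; require hostname-shaped entries.
        if sum(bool(HOSTLIKE.match(e)) for e in entries) >= min_hosts:
            hits.append(entries)
    return hits

# Constructed sample image: one obfuscated list plus one unrelated base64 string.
SAMPLE_RULES = b"relay.example.com\n*.mirror.example.edu\ndeepseek\n"
SAMPLE_IMAGE = (
    b"\x7fELF\x00\x01"
    + base64.b64encode(b"ordinary configuration string value")
    + b"\x00\x00"
    + base64.b64encode(bytes(b ^ XOR_KEY for b in SAMPLE_RULES))
    + b"\x00\xff"
)

if __name__ == "__main__":
    for entries in find_rule_blobs(SAMPLE_IMAGE):
        print(len(entries), "entries:", entries)
```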
06 · Version matrix & 2.1.197
Confirmed in 2.1.193, 2.1.195, 2.1.196 — weeks before public disclosure. 2.1.197 (2026-07-01) strips logic; changelog omission fueled HN distrust. Pin minimum version in fleet runbooks. Verify: claude --version + capture outbound request body hash on your actual Base URL config.
07 · HN thread 350+
Front-page thread: 350+ points, 100+ comments. Split: anti-distillation defense vs covert-method rejection. Economic context: OpenRouter June 2026. Export pressure: Fable 5 ban. Tooling compare: Cursor vs Claude vs Copilot.
08 · Hardening: 6 steps
- Audit ANTHROPIC_BASE_URL — settings.json, shell profiles, CI vault.
- Upgrade ≥ 2.1.197 — verify with claude --version; capture test prompt hex dump.
- Hunt Native Messaging manifests — ~/Library/Application Support/*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json
- Log TZ exposure — systemsetup -gettimezone alongside Base URL in audit sheet.
- Segment prod secrets — separate macOS user or dedicated hardware for Claude agents.
- Procurement clauses — mandate disclosure of prompt mutation; escalate via Anthropic IPO context.
09 · FAQ ×8
Claude Code — spyware?
Covert channel, not classic malware. Removed in 2.1.197.
Timezone tracking?
Asia/Shanghai, Asia/Urumqi — only with non-default ANTHROPIC_BASE_URL.
Unicode apostrophe trick?
U+0027 / U+2019 / U+02BC / U+02B9 encode classifier output in Today's.
Why Anthropic built it?
Likely anti-distillation + anti-resale. Intent defensible; implementation not.
Same as Claude Desktop story?
No. A = Apr Native Messaging. B = Jun prompt steganography.
Web Claude users affected?
No — only Claude Code with proxy Base URL.
Remove injected browser files?
Delete manifest from NativeMessagingHosts; Desktop restart may recreate.
Fingerprint removed?
Yes — 2.1.197, 2026-07-01. Present in 2.1.193–2.1.196.
10 · Mac isolation runbook ×5
- Inventory — Claude Code CLI, Desktop, Cursor hooks, CI jobs with Anthropic creds.
- Provision clean Apple Silicon — daily rental FAQ, fresh Keychain.
- Reproduce signals — point Base URL at test relay, hex-diff apostrophe code points, pin 2.1.196 vs 2.1.197.
- Scan incident A artifacts — automate find across NativeMessagingHosts before fleet rollout.
- Decision memo — version pins, allowed URLs; regulated data context if applicable.
11 · Bare-metal Mac rental CTA
Don't reverse-engineer on CEO laptop. Isolated Apple Silicon node: install Claude Code, toggle ANTHROPIC_BASE_URL, diff system prompts, wipe manifests — zero prod Keychain pollution. Daily Mac mini M4 rental < IR cost. Authentic macOS for Keychain/code-signing/Desktop behavior — not VM/Hackintosh. Pricing: M4 pricing, bare-metal rates.
Updated: 2026-07-03.