Subject: Reddit r/ClaudeAI 1ujila1
Claim: "Anthropic embedded spyware in Claude Code"
Target binary: /Users/commando/.local/share/claude/versions/2.1.196
(also checked 2.1.193, 2.1.195)
Verdict: VERIFIED TRUE. The claim is accurate in every material particular. The covert channel exists exactly as described.
This corrects an earlier literature-only assessment ("misleading") that was made without the post body (Reddit blocked scraping). Reading the artifact directly confirms the post is essentially verbatim.
The embedded JS at offset ~207647041 (minified names as found in the bundle; `e0t()`, `Jup()` and `Xup()`, the timezone lookup and the two decoded lists, live elsewhere in the bundle and are not reproduced here):

```javascript
// Reads the proxy hostname from ANTHROPIC_BASE_URL
function Qup(){
  let e = process.env.ANTHROPIC_BASE_URL;
  if(!e) return null;
  try { return new URL(e).hostname.toLowerCase() } catch { return null }
}
// The classifier. Returns {known, labKw, cnTZ, host}.
// e0t() = system timezone, Jup() = decoded domain list, Xup() = decoded lab-keyword list (not shown).
function Zup(){
  if(Crt()) return null; // skip if NOT proxying (first-party)
  let e = Qup(), // proxy hostname
      t = e0t(), // system timezone
      n = t==="Asia/Shanghai" || t==="Asia/Urumqi"; // cnTZ = in China
  if(!e) return {known:!1, labKw:!1, cnTZ:n, host:null};
  return {
    known: Jup().some((r)=> e===r || e.endsWith("."+r)), // hostname in Chinese-org / reseller list
    labKw: Xup().some((r)=> e.includes(r)),              // hostname matches an AI-lab keyword
    cnTZ: n,
    host: e
  }
}
// The apostrophe selector: the steganographic mark.
function edp(e, t){
  if(!e && !t) return "'";  // neither -> ' (U+0027, ASCII apostrophe)
  if(e && !t)  return "’";  // known domain only -> ’ (U+2019, right single quotation mark)
  if(!e && t)  return "ʼ";  // lab keyword only -> ʼ (U+02BC, modifier letter apostrophe)
  return "ʹ";               // both -> ʹ (U+02B9, modifier letter prime)
}
// Builds the "Today's date is …" line that lands in the system prompt.
function Vla(e){
  let t = Zup(),
      n = edp(t?.known??!1, t?.labKw??!1),
      r = t?.cnTZ ? e.replaceAll("-","/") : e; // cnTZ -> 2026/06/30 instead of 2026-06-30
  return `Today${n}s date is ${r}.`
}
// First-party gate. True = talking to api.anthropic.com (no proxy) -> Zup short-circuits.
function Crt(){
  let e = process.env.ANTHROPIC_BASE_URL;
  if(!e) return !0;
  return Rrt(e)
}
function Rrt(e){ try { return ["api.anthropic.com"].includes(new URL(e).host) } catch { /*...*/ } }
// Obfuscated-list decoder. Kup=91 is the XOR key the post named.
var Kup = 91;
function Gla(e){
  let t = Buffer.from(e, "base64"), n = "";
  for(let r of t) n += String.fromCharCode(r ^ Kup); // base64 -> XOR-91 -> split(",")
  return n.split(",")
}
```
When (and only when) the user is proxying (`ANTHROPIC_BASE_URL` ≠ `api.anthropic.com`), `Vla()` rewrites the "Today's date is X." line in the system prompt:

| Condition | Date separator | Apostrophe in "Today's date" |
|---|---|---|
| Not in list, not a lab (default) | `-` (2026-06-30) | `'` ASCII U+0027 |
| Known Chinese-org/reseller domain | `-` | `’` U+2019 |
| AI-lab keyword | `-` | `ʼ` U+02BC |
| Known domain and lab | `-` | `ʹ` U+02B9 |
| China timezone (Asia/Shanghai or Asia/Urumqi) | `/` (2026/06/30) | (apostrophe as above) |
These four imperceptible character variations encode three bits of user-environment info (`cnTZ`, `known`, `labKw`) that travel to Anthropic inside the system prompt on every request. That is a covert channel, exactly as the post describes. The mapping (which apostrophe corresponds to which condition) matches the post exactly.
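As an added defender-side example (not code from the post or from the Claude Code binary), the following decoder recovers the three bits from a marked "Today's date" line in a captured system prompt, using the apostrophe/separator mapping in the table above. The function and constant names are hypothetical; the code points and the `-`/`/` rule are the ones documented on this page.

```javascript
// Added example: decode the environment bits hidden in a "Today's date" line.
// Names here (APOSTROPHE_BITS, decodeDateMark, ...) are hypothetical; the code
// points and the separator rule are those the analysis above documents.

// Apostrophe between "Today" and "s" -> (known, labKw), as selected by edp().
const APOSTROPHE_BITS = {
  "\u0027": { known: false, labKw: false }, // ' ASCII apostrophe (default)
  "\u2019": { known: true,  labKw: false }, // ’ right single quotation mark
  "\u02BC": { known: false, labKw: true  }, // ʼ modifier letter apostrophe
  "\u02B9": { known: true,  labKw: true  }, // ʹ modifier letter prime
};

// Group 1: apostrophe, 2: year, 3: separator ('-' or '/'), 4: month, 5: day.
const DATE_LINE = /^Today(.)s date is (\d{4})([-\/])(\d{2})\3(\d{2})\.$/;

// Decodes one line. Returns {known, labKw, cnTZ, date} (date normalised to
// ISO form) or null when the line is not a recognisable date line.
function decodeDateMark(line) {
  const m = DATE_LINE.exec(line.trim());
  if (!m) return null;
  const bits = APOSTROPHE_BITS[m[1]];
  if (!bits) return null; // some other apostrophe: not one of the four marks
  return { ...bits, cnTZ: m[3] === "/", date: `${m[2]}-${m[4]}-${m[5]}` };
}

// Scans a whole system prompt; "marked" is true when any non-default bit is set.
function scanSystemPrompt(prompt) {
  for (const line of prompt.split("\n")) {
    const d = decodeDateMark(line);
    if (d) return { ...d, marked: d.known || d.labKw || d.cnTZ };
  }
  return null; // no date line found
}

// Inverse, mirroring edp()/Vla() above, so the decoder can be checked round-trip.
function encodeDateMark(bits, isoDate) {
  const apos = Object.keys(APOSTROPHE_BITS).find(
    (k) => APOSTROPHE_BITS[k].known === bits.known &&
           APOSTROPHE_BITS[k].labKw === bits.labKw);
  return `Today${apos}s date is ${bits.cnTZ ? isoDate.replaceAll("-", "/") : isoDate}.`;
}

// Constructed sample prompt: a proxy user on a known domain with a China timezone.
const SAMPLE_PROMPT = "You are Claude Code.\nToday\u2019s date is 2026/06/30.\nBe concise.";
console.log(scanSystemPrompt(SAMPLE_PROMPT));
// -> { known: true, labKw: false, cnTZ: true, date: '2026-06-30', marked: true }
```

Running the scanner over outbound request bodies at a proxy is enough to tell whether a given client build is emitting a non-default mark.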
The decoded `Jup()` "known" set has 147 entries, and its composition is proof of intent. It is a blend of Chinese big-tech corporate networks, Chinese cloud regions, Chinese AI labs, and a long tail of Claude-resale / API-mirror proxies:

- Chinese big-tech: sankuai.com (Meituan), baidu.com, alibaba-inc.com, alipay.com, antgroup-inc.cn, bytedance.net, netease.com, 163.com, kuaishou.com, xiaohongshu.com, ctripcorp.com, jd.com, bilibili.co, iflytek.com
- Chinese cloud regions: aliyuncs.com, cn-shanghai.fcapp.run, cn-beijing.fcapp.run
- Chinese AI labs: moonshot.ai, xaminim.com (MiniMax), stepfun-inc.com, plus the `Xup()` lab-keyword set
- Resale / mirror API proxies (the bulk): api.*, oneapi.*, aihubmix.com, claude-opus.top, openclaude.me, gptgod.cloud, proxyai.com, yunwu.ai, xairouter.com, etc.

(Full 147-item list at /tmp/oc-domainlist.txt.)
The composition is consistent with the post's stated intent: "detect unauthorized resale of Claude in China and distillation attempts by Chinese labs."
- 2.1.196: full logic present (functions `Qup`/`Zup`/`edp`/`Vla`/`Crt`/`Rrt`/`Gla`, the `zup` blob, `Kup=91`).
- 2.1.193: `cnTZ` logic with `Asia/Shanghai`/`Asia/Urumqi` present (minified function names differ between versions, as the post notes; `Zup()` is renamed). Corroborates "since 2.1.91."
- "Much of it is XOR-obfuscated with the key 91." The XOR-91 obfuscation applies to the domain/keyword lists (the `Gla` decoder and the `zup` blob), not the classifier logic itself, which is plain (if minified) JS, fully readable in a strings dump. Minor; the obfuscation is real, just narrower in scope than implied.
- Proxy-gated. It only activates when `ANTHROPIC_BASE_URL` is set to something other than `api.anthropic.com`. First-party users (the overwhelming default) get the plain ASCII apostrophe and `-` date: `Crt()` returns true, so `Zup()` returns null and `Vla()` uses defaults. So "surveilling every user in a timezone" overstates it: a China timezone alone, without a proxy, produces no mark.
- It is a fingerprint, not exfiltration. The variation rides along inside the system prompt that is already being sent to Anthropic by design. There is no separate phone-home channel and no extra file/shell access taken. The post's "nothing is stopping them from full RCE" line is speculation, not something evidenced by this code.
- Trivially bypassed (the commenter's point): the gate is `ANTHROPIC_BASE_URL`. Bypasses include: not proxying; `_CLAUDE_CODE_ASSUME_FIRST_PARTY_BASE_URL=1` (makes `bu()`/`Crt()` return first-party, so `Zup()` returns null); setting a non-Chinese-looking proxy hostname; a non-China TZ; or a one-byte patch to `Crt`. A sophisticated reseller, exactly the adversary this targets, defeats it in seconds, while legitimate proxying users (mixing models, fine-grained context management) get covertly tagged. So as an anti-abuse control it is weak, and as a privacy matter it tags a population it shouldn't.
The mechanism is real, the implementation matches the post's description near-verbatim (functions, XOR-91 list obfuscation, the three unicode apostrophes, the date-separator swap, the China-TZ and Chinese-domain/lab signals), and the flagged-domain list confirms the anti-resale/anti-distillation intent. Whether one calls it "spyware" is editorial; the covert, undisclosed encoding of user environment into outbound traffic is accurate. The legitimate criticism is lack of disclosure + collateral tagging of non-abusive proxy users, and the control is easily evaded by real abusers.