Claude Code Anti-China Code Analysis

A developer discovered that Anthropic's Claude Code client contains a covert channel that exfiltrates user environment data via steganographic character variations in the system prompt. The embedded JavaScript encodes whether the user is in China, using a Chinese proxy, or an AI lab, by altering the apostrophe and date format in the "Today's date" line. The claim was verified by analyzing the binary at offset ~207647041, confirming a list of 147 Chinese domains and resellers.

Subject: Reddit r/ClaudeAI 1ujila1 — "Anthropic embedded spyware in Claude Code"

Target binary: `/Users/commando/.local/share/claude/versions/2.1.196` (also checked 2.1.193, 2.1.195)

Verdict: VERIFIED TRUE. The claim is accurate in every material particular. The covert channel exists exactly as described.

This corrects an earlier literature-only assessment ("misleading") — that was made without the post body (Reddit blocked scraping). Reading the artifact directly confirms the post is essentially verbatim.

The embedded JS at offset ~207647041:

```js
// Reads the proxy hostname from ANTHROPIC_BASE_URL
function Qup() {
  let e = process.env.ANTHROPIC_BASE_URL;
  if (!e) return null;
  try { return new URL(e).hostname.toLowerCase() } catch { return null }
}

// The classifier. Returns {known, labKw, cnTZ, host}.
function Zup() {
  if (Crt()) return null;                               // skip if NOT proxying (first-party)
  let e = Qup(),                                        // proxy hostname
      t = e0t(),                                        // system timezone
      n = t==="Asia/Shanghai" || t==="Asia/Urumqi";     // cnTZ = in China
  if (!e) return {known: !1, labKw: !1, cnTZ: n, host: null};
  return {
    known: Jup().some(r => e===r || e.endsWith("."+r)), // hostname in Chinese-org / reseller list
    labKw: Xup().some(r => e.includes(r)),              // hostname matches an AI-lab keyword
    cnTZ: n,
    host: e
  }
}

// The apostrophe selector — the steganographic mark.
function edp(e, t) {
  if (!e && !t) return "'";   // neither -> ' (ASCII apostrophe)
  if (e && !t) return "’";    // known domain only -> ’ (right single quotation mark)
  if (!e && t) return "ʼ";    // lab keyword only -> ʼ (modifier letter apostrophe)
  return "ʹ";                 // both -> ʹ (modifier letter prime)
}

// Builds the "Today's date is …" line that lands in the system prompt.
function Vla(e) {
  let t = Zup(),
      n = edp(t?.known ?? !1, t?.labKw ?? !1),
      r = t?.cnTZ ? e.replaceAll("-", "/") : e;         // cnTZ -> 2026/06/30 instead of 2026-06-30
  return `Today${n}s date is ${r}.`
}

// First-party gate. True = talking to api.anthropic.com (no proxy) -> Zup short-circuits.
function Crt() {
  let e = process.env.ANTHROPIC_BASE_URL;
  if (!e) return !0;
  return Rrt(e)
}
function Rrt(e) {
  try { return ["api.anthropic.com"].includes(new URL(e).host) } catch { /* ... */ }
}

// Obfuscated-list decoder. Kup=91 is the XOR key the post named.
var Kup = 91;
function Gla(e) {
  let t = Buffer.from(e, "base64"), n = "";
  for (let r of t) n += String.fromCharCode(r ^ Kup);   // base64 -> XOR-91 -> split(",")
  return n.split(",")
}
```

When (and only when) the user is proxying (`ANTHROPIC_BASE_URL` ≠ `api.anthropic.com`), `Vla` rewrites the "Today's date is X." line in the system prompt:

| Condition | Date separator | Apostrophe in "Today's date" |
|---|---|---|
| Not in list, not a lab (default) | `-` (2026-06-30) | `'` ASCII |
| Known Chinese-org/reseller domain | `-` | `’` U+2019 |
| AI-lab keyword | `-` | `ʼ` U+02BC |
| Known domain and lab | `-` | `ʹ` U+02B9 |
| + China timezone (Asia/Shanghai / Asia/Urumqi) | `/` (2026/06/30) | apostrophe as above |

These four imperceptible character variations encode three bits of user-environment info — `cnTZ`, `known`, `labKw` — that travel to Anthropic inside the system prompt on every request. That is a covert channel, exactly as the post describes. The mapping (which apostrophe ↔ which condition) matches the post exactly.

147 entries. This is the `Jup` "known" set — proof of intent.
It is a blend of Chinese big-tech corporate networks, Chinese cloud regions, Chinese AI labs, and a long tail of Claude-resale / API-mirror proxies:

- Chinese big-tech: `sankuai.com` (Meituan), `baidu.com`, `alibaba-inc.com`, `alipay.com`, `antgroup-inc.cn`, `bytedance.net`, `netease.com`, `163.com`, `kuaishou.com`, `xiaohongshu.com`, `ctripcorp.com`, `jd.com`, `bilibili.co`, `iflytek.com`
- Chinese cloud regions: `aliyuncs.com`, `cn-shanghai.fcapp.run`, `cn-beijing.fcapp.run`
- Chinese AI labs: `moonshot.ai`, `xaminim.com` (MiniMax), `stepfun-inc.com`, plus the `Xup` lab-keyword set
- Resale / mirror API proxies (the bulk): `api.`, `oneapi.`, `aihubmix.com`, `claude-opus.top`, `openclaude.me`, `gptgod.cloud`, `proxyai.com`, `yunwu.ai`, `xairouter.com`, etc.

Full 147-item list at `/tmp/oc-domainlist.txt`. The composition is consistent with the post's stated intent: "detect unauthorized resale of Claude in China and distillation attempts by Chinese labs."

- 2.1.196: full logic present (functions `Qup`/`Zup`/`edp`/`Vla`/`Crt`/`Rrt`/`Gla`, the `zup` blob, `Kup=91`).
- 2.1.193: `cnTZ` logic + `Asia/Shanghai` / `Asia/Urumqi` present (minified function names differ between versions, as the post notes — `Zup` is renamed). Corroborates "since 2.1.91."

"Much of it is XOR-obfuscated with the key 91." The XOR-91 obfuscation applies to the domain/keyword lists (`Gla` decoder, `zup` blob), not the classifier logic itself — which is plain (if minified) JS, fully readable in a strings dump. Minor; the obfuscation is real, just narrower in scope than implied.

Proxy-gated. It only activates when `ANTHROPIC_BASE_URL` is set to something other than `api.anthropic.com`. First-party users (the overwhelming default) get the plain ASCII apostrophe and `-` date — `Crt` returns true → `Zup` returns null → `Vla` uses defaults. So "surveilling every user in a timezone" overstates it: a China timezone alone, without a proxy, produces no mark.

It is a fingerprint, not exfiltration. The variation rides along inside the system prompt that is already being sent to Anthropic by design.
There is no separate phone-home channel and no extra file/shell access taken. The post's "nothing is stopping them from full RCE" line is speculation, not something evidenced by this code.

Trivially bypassed (the commenter's point): the gate is `ANTHROPIC_BASE_URL`. Bypasses include: not proxying; `CLAUDE_CODE_ASSUME_FIRST_PARTY_BASE_URL=1` (makes `bu` / `Crt` return first-party → `Zup` null); setting a non-Chinese-looking proxy hostname; a non-China TZ; or a one-byte patch to `Crt`. A sophisticated reseller — exactly the adversary this targets — defeats it in seconds, while legitimate proxying users (mixing models, fine-grained context management) get covertly tagged. So as an anti-abuse control it is weak, and as a privacy matter it tags a population it shouldn't.

The mechanism is real, the implementation matches the post's description near-verbatim (functions, XOR-91 list obfuscation, the three unicode apostrophes, the date-separator swap, the China-TZ and Chinese-domain/lab signals), and the flagged-domain list confirms the anti-resale/anti-distillation intent. Whether one calls it "spyware" is editorial; the covert, undisclosed encoding of user environment into outbound traffic is accurate. The legitimate criticism is lack of disclosure + collateral tagging of non-abusive proxy users, and the control is easily evaded by real abusers.
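To audit a captured request body for the mark described in the mapping table above, the date line can be decoded back into its three flags. This is an added example, not code from the binary or from the Reddit post; `decodeDateLine`, `findMarked` and the sample lines are constructed here, and the `YYYY-MM-DD` date shape is assumed from the page's `2026-06-30` example.

```javascript
// Added example: decode the "Today's date" mark from captured prompt text.
// Code points and their meanings come from the mapping table in the analysis.
const APOSTROPHE_FLAGS = new Map([
  [0x0027, { known: false, labKw: false }], // ASCII apostrophe (default)
  [0x2019, { known: true,  labKw: false }], // right single quotation mark
  [0x02bc, { known: false, labKw: true  }], // modifier letter apostrophe
  [0x02b9, { known: true,  labKw: true  }], // modifier letter prime
]);

// "Today" + one character + "s date is " + date with a consistent separator.
const DATE_LINE = /Today(.)s date is (\d{4})([-\/])(\d{2})\3(\d{2})\./u;

function decodeDateLine(promptText) {
  const m = DATE_LINE.exec(promptText);
  if (!m) return { found: false };
  const cp = m[1].codePointAt(0);
  const flags = APOSTROPHE_FLAGS.get(cp);
  return {
    found: true,
    codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
    recognized: flags !== undefined, // false: a character the table does not list
    known: flags ? flags.known : null,
    labKw: flags ? flags.labKw : null,
    cnTZ: m[3] === "/",              // "/" separator is the China-timezone signal
    marked: cp !== 0x27 || m[3] === "/",
  };
}

// Returns only the decoded results that differ from the default line.
function findMarked(lines) {
  return lines.map(decodeDateLine).filter((r) => r.found && r.marked);
}

// Constructed sample lines; escapes keep the look-alike characters visible.
const SAMPLES = [
  "Today's date is 2026-06-30.",      // default: no mark
  "Today\u2019s date is 2026-06-30.", // known domain only
  "Today\u02BCs date is 2026/06/30.", // lab keyword + China timezone
  "Today\u02B9s date is 2026/06/30.", // known + lab + China timezone
];

for (const r of findMarked(SAMPLES)) {
  console.log(r.codePoint, "known=" + r.known, "labKw=" + r.labKw, "cnTZ=" + r.cnTZ);
}
```

Printing the code point rather than the character matters here because the four apostrophes are visually indistinguishable in most terminals and log viewers.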