cd /news/ai-safety/hidden-code-in-claude-code-secretly-… · home topics ai-safety article
[ARTICLE · art-46467] src=the-decoder.com ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Hidden code in Claude Code secretly flagged Chinese users

Anthropic has removed a hidden monitoring feature from its Claude Code tool that secretly checked users' connections to China and AI labs there, transmitting data through encrypted steganography in the system prompt. The company called it an experiment to combat account abuse and model cloning, and said it had been planning to disable the feature before the discovery sparked public outrage.

read3 min views1 publishedJul 1, 2026

Key Points #

  • Anthropic has removed a hidden monitoring feature from its Claude Code tool that secretly checked users' connections to China and to AI labs there.
  • The data transfer was undocumented and encrypted through minimal text changes in the system prompt that were invisible to the user.
  • According to Anthropic, the feature was an experiment designed to combat account abuse and model cloning. The company emphasized that it now has stronger countermeasures in place and had been planning to disable the feature for some time anyway.

Anthropic is rolling back a covert surveillance feature in its coding tool Claude Code after it sparked outrage on social media.

A Reddit post by user LegitMichel777 first exposed the feature. According to the post, Claude Code has been secretly checking since version 2.1.91, released April 2, 2026, whether users with an active proxy are located in China, routing through a Chinese URL, or connected to a Chinese AI lab.

Hidden signals buried in the system prompt #

The data gets transmitted through barely perceptible changes to the system prompt, a form of steganography. Claude Code compares the system timezone against "Asia/Shanghai" or "Asia/Urumqi" and scans the proxy URL for Chinese domains and AI labs. Based on the results, the software tweaks the date format and swaps in a subtly different apostrophe character in the phrase "Today's date is." Users can't see the difference. Anthropic can read it instantly.

According to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check.

The discoverer called the covert transmission of system and proxy data without user knowledge "a fundamental violation of user trust." Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration. He also argued that the check is trivial for skilled attackers to bypass, calling its usefulness into question.

Anthropic calls it an experiment #

Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." The team had since shipped stronger protections: "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." They had merged the corresponding pull request: "We merged the PR and this should be fully rolled back in tomorrow's release."

Anthropic doesn't offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards. Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.

AI News Without the Hype – Curated by Humans

					Subscribe to THE DECODER for ad-free reading, a weekly AI newsletter, our exclusive "AI Radar" frontier report six times a year, full archive access, and access to our comment section.				

					Subscribe now

The Information

── more in #ai-safety 4 stories · sorted by recency
── more on @anthropic 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/hidden-code-in-claud…] indexed:0 read:3min 2026-07-01 ·