{"id":13992,"date":"2026-07-01T10:03:36","date_gmt":"2026-07-01T10:03:36","guid":{"rendered":"https:\/\/serisec.com\/index.php\/2026\/07\/01\/anthropics-claude-code-reportedly-uses-hidden-code-to-detect-chinese-users\/"},"modified":"2026-07-01T10:03:36","modified_gmt":"2026-07-01T10:03:36","slug":"anthropics-claude-code-reportedly-uses-hidden-code-to-detect-chinese-users","status":"publish","type":"post","link":"https:\/\/serisec.com\/index.php\/2026\/07\/01\/anthropics-claude-code-reportedly-uses-hidden-code-to-detect-chinese-users\/","title":{"rendered":"Anthropic\u2019s Claude Code Reportedly Uses Hidden Code to Detect Chinese Users"},"content":{"rendered":"<div>\n<p class=\"wp-block-paragraph\">A Reddit disclosure has ignited a serious debate about developer trust and covert surveillance, alleging that Anthropic embedded undisclosed detection logic inside its <a href=\"https:\/\/cybersecuritynews.com\/new-claude-code-attack\/\" target=\"_blank\" rel=\"noreferrer noopener\">Claude Code CLI tool<\/a>, specifically targeting users in China or those routing traffic through Chinese AI lab proxies.<\/p>\n<p class=\"wp-block-paragraph\">A Reddit user identified as LegitMichel777 on the r\/ClaudeAI subreddit posted detailed findings on June 30, 2026, claiming to have reverse-engineered Claude Code while attempting to restore a disabled remote control feature in version 2.1.196.<\/p>\n<p class=\"wp-block-paragraph\">During that process, he discovered obfuscated code that had been silently present since version 2.1.91, released on April 2, 2026, with no mention in the release notes.<\/p>\n<p class=\"wp-block-paragraph\"><a href=\"https:\/\/www.reddit.com\/r\/ClaudeAI\/comments\/1ujila1\/anthropic_embedded_spyware_in_claude_code_and\/\" target=\"_blank\" rel=\"noreferrer noopener 
nofollow\">According to the disclosure<\/a>, the code performs a multi-factor check whenever a proxy is detected. It reads the system\u2019s timezone to determine whether it matches <code>Asia\/Shanghai<\/code> or <code>Asia\/Urumqi<\/code>, and simultaneously inspects the proxy URL against a hardcoded list of Chinese domains and known Chinese AI lab hostnames.<\/p>\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img data-recalc-dims=\"1\" decoding=\"async\" src=\"https:\/\/i0.wp.com\/blogger.googleusercontent.com\/img\/b\/R29vZ2xl\/AVvXsEiwbOC7BMeNqINuuSlErQ3MD9e6ptT1cIJBOeQMZohueS2xKCmKfZ9ho2S9R7MndE2dNdd2MxBcBW8kzJSvHZd1tzebT6YDpScdOslXlX5l9xC1wsAtFvRHVx2tTsARterO6VmeQYmp_RcSUJtQGc6wcin2o8H5qsoTfXgi7lt56SbmQuOiCnYzUdBhpYXr\/w640-h506\/Claude%2520Code%2520Detects%2520Chinese%2520Users.webp?ssl=1\" alt=\"\"><figcaption class=\"wp-element-caption\">Claimed code checks<\/figcaption><\/figure>\n<\/div>\n<h2 id=\"h-claude-code-detects-chinese-users\" class=\"wp-block-heading\"><strong>Claude Code Detects Chinese Users<\/strong><\/h2>\n<p class=\"wp-block-paragraph\">What makes this discovery particularly alarming is the method used to transmit the findings: steganography embedded in the system prompt. 
Based on the three detection outcomes (Chinese timezone, Chinese proxy domain, or Chinese AI lab), Claude Code silently alters two elements of the \u201cToday\u2019s date is\u2026\u201d system prompt line:<\/p>\n<ul class=\"wp-block-list\">\n<li>\n<strong>Date format<\/strong>: If the timezone is Chinese, the date appears as <code>2026\/06\/30<\/code> instead of the standard <code>2026-06-30<\/code>.<\/li>\n<li>\n<strong>Apostrophe variation<\/strong>: The apostrophe in \u201cToday\u2019s date is\u201d is replaced with one of three visually identical but technically distinct Unicode characters \u2014 <code>U+2019<\/code> (right single quotation mark), <code>U+02BC<\/code> (modifier letter apostrophe), or <code>U+02B9<\/code> (modifier letter prime) \u2014 depending on the combination of proxy domain and AI lab flags.<\/li>\n<\/ul>\n<p class=\"wp-block-paragraph\">These alterations are invisible to human users and potentially even to the AI model itself, but are easily machine-parseable by Anthropic\u2019s servers.<\/p>\n<p class=\"wp-block-paragraph\">The researcher further alleges that Anthropic actively tried to hide this logic. Portions of the detection code were reportedly XOR-obfuscated with the key <code>91<\/code>, a technique commonly used to prevent plain-text string extraction during binary analysis.<\/p>\n<p class=\"wp-block-paragraph\">In version 2.1.196, the relevant minified functions include <code>Crt()<\/code>, <code>Rrt(e)<\/code>, <code>e0t()<\/code>, <code>Zup()<\/code>, <code>edp<\/code>, and <code>Vla<\/code>, which can reportedly be identified by asking Claude Code or Codex to self-reverse-engineer its own logic.<\/p>\n<p class=\"wp-block-paragraph\">The security community has reacted strongly to the disclosure. 
Critics argue that, regardless of the intended use case (preventing unauthorized resale of the Claude API or <a href=\"https:\/\/cybersecuritynews.com\/anthropic-accuses-alibaba\/\" target=\"_blank\" rel=\"noreferrer noopener\">model distillation by Chinese labs<\/a>), covertly collecting system and proxy metadata without user consent constitutes a fundamental breach of trust.<\/p>\n<p class=\"wp-block-paragraph\">Developers who grant Claude Code broad filesystem and shell access to perform its tasks are particularly exposed; as the researcher noted, this level of access theoretically enables remote code execution.<\/p>\n<p class=\"wp-block-paragraph\">Adding to the concern is effectiveness: such checks are trivially bypassable by any moderately skilled adversary, raising the question of whether the privacy cost to legitimate users justifies any actual security benefit.<\/p>\n<p class=\"wp-block-paragraph\">Anthropic has not yet issued a public statement addressing the Reddit disclosure as of the time of publication.<\/p>\n<p>The post <a href=\"https:\/\/cybersecuritynews.com\/anthropic-claude-hidden-code\/\">Anthropic\u2019s Claude Code Reportedly Uses Hidden Code to Detect Chinese Users<\/a> appeared first on <a 
href=\"https:\/\/cybersecuritynews.com\/\">Cyber Security News<\/a>.<\/p>\n<\/div>\n<p> \t<BR><br \/>\n <BR><\/BR><br \/>\n    Guru Baran<br \/>\n \t<BR><br \/>\n<BR><\/BR><br \/>\n<a href=\"https:\/\/cybersecuritynews.com\/anthropic-claude-hidden-code\/\">Go to cyber-security-news<\/a><br \/>\n \t<BR><br \/>\n <BR><\/BR><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Anthropic\u2019s Claude Code Reportedly Uses Hidden Code to Detect Chinese Users A Reddit disclosure has ignited a serious debate about developer trust and covert surveillance, alleging that Anthropic embedded undisclosed detection logic inside its Claude Code CLI tool, specifically targeting users in China or those routing traffic through Chinese AI lab proxies. A Reddit user [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[129,63],"tags":[130],"class_list":["post-13992","post","type-post","status-publish","format-standard","hentry","category-cyber-security","category-cyber-security-news","tag-cyber-security-news"],"_links":{"self":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13992"}],"collection":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/comments?post=13992"}],"version-history":[{"count":0,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/posts\/13992\/revisions"}],"wp:attachment":[{"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/media?parent=13992"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/categories?post=13992"},{"taxonomy":"post_tag
","embeddable":true,"href":"https:\/\/serisec.com\/index.php\/wp-json\/wp\/v2\/tags?post=13992"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}