ANTHROPIC_BASE_URL ≠ api.anthropic.com), it quietly rewrites the Today's date is... line of its system prompt. By switching the date separator and swapping the apostrophe for visually identical but different Unicode characters, it encodes whether you are in a China timezone and whether your endpoint matches China-linked domains or AI-lab keywords. Anthropic removed the code in version 2.1.197. This article strictly separates Incident A (Claude Desktop silent browser injection) from Incident B (Claude Code prompt steganography), covers the Unicode mapping table, anti-distillation motive, HN debate, six-step protection, and how to respond to AI vendor overreach. See also our AI coding assistant comparison and MCP protocol guide.
What Happened With Claude Code Steganography? Two Separate Incidents You Must Not Conflate
Bottom line first: this controversy is actually two distinct stories stacked together. Conflating them will get you called out instantly by English-language technical readers on HN, Reddit, and in security circles—and it hurts E-E-A-T. Always keep them separate:
| Dimension | Incident A: Silent Browser Injection | Incident B: System Prompt Steganography |
|---|---|---|
| Product | Claude Desktop (macOS client) | Claude Code (CLI coding tool) |
| Discloser | Alexander Hanff (privacy consultant, The Register contributor) | Developer reverse-engineered binary, published on thereallo.dev, amplified via Reddit → Hacker News |
| Timeline | April 2026 (~4/18 onward) | June 30, 2026 |
| Core behavior | Silently writes Native Messaging manifest com.anthropic.claude_browser_extension.json into Chrome/Edge/Brave/Arc/Vivaldi/Opera/Chromium, pre-authorizing 3 extension IDs to call sandbox-external chrome-native-host; creates directories even for browsers not installed; file regenerates after deletion on restart | When ANTHROPIC_BASE_URL ≠ api.anthropic.com (proxy/gateway), rewrites the Today's date is... line via steganography |
| Labels applied | "spyware" / "backdoor" | "prompt steganography" / "covert channel" |
| Trigger | Installing/launching Claude Desktop | Only when a non-official Base URL is set; not every conversation |
| Anthropic response | No formal public response; later versions added an authorization toggle, but underlying permission model not fully removed | Acknowledged code existed; removed in 2.1.197 on 7/1, not mentioned in changelog |
Incident A (per Hanff's disclosure and independent reproduction): After installing Claude Desktop, it silently writes a Native Messaging config into multiple browser directories, pre-authorizing extensions to call a local binary that runs outside the browser sandbox at full user privilege. It even creates directories for browsers you have not installed. Delete the file manually and Claude Desktop recreates it on restart. Independent consultant Noah Kenney (Digital 520) confirmed Hanff's technical claims are reproducible; Antiy Labs published a dedicated risk analysis.
Incident B (per thereallo.dev reverse engineering): A developer found prompt steganography in Claude Code—the focus of this post. The HN thread hit the front page within hours: 350+ points, 100+ comments, with the community split between "reasonable anti-distillation defense" and "malware-adjacent behavior for a dev tool."
Conflating two products: Claude Desktop browser injection and Claude Code prompt steganography are completely different mechanisms with different triggers.
Assuming official endpoints are affected: Incident B only triggers when ANTHROPIC_BASE_URL points somewhere other than api.anthropic.com.
Treating intent as proven fact: Anti-distillation is the community consensus, but Anthropic has not publicly confirmed it. Use "alleged," "per reverse engineering," "reported."
Ignoring Incident A persistence: Native Messaging manifests regenerate after deletion when Claude Desktop restarts—ongoing monitoring required.
Underestimating desktop agent privileges: Anthropic's own numbers put Claude for Chrome prompt-injection success at 23.6% (unmitigated) / 11.2% (mitigated)—a real risk when combined with high-privilege channels.
How Does the Claude Code Fingerprint Work? Unicode Apostrophe Mapping Explained
Key precondition: this only triggers when ANTHROPIC_BASE_URL points somewhere other than the official endpoint (proxy, gateway, reseller, OpenAI-compatible layer). Hit api.anthropic.com and nothing is altered.
When triggered, two signals hide inside the innocent-looking Today's date is ... line:
| Detected condition | Date format | Apostrophe | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' ASCII apostrophe | U+0027 |
| China-linked org/reseller domain | 2026-06-30 | ’ right single quote | U+2019 |
| AI-lab keyword (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai…) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab matched | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| + China timezone (Asia/Shanghai / Asia/Urumqi) | 2026/06/30 | (same rules above) | — |
Domain and keyword lists are lightly obfuscated with base64 + XOR (key 91)—roughly 147 domain patterns. Keywords include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, and others. The reverse engineer verified versions 2.1.193 / 2.1.195 / 2.1.196 all contained the logic.
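```bash
# Incident B precondition: is a non-official base URL set?
echo "$ANTHROPIC_BASE_URL"
# System timezone (Linux; on macOS use: date +%Z)
timedatectl | grep "Time zone"
# Incident A: look for the Native Messaging manifest (macOS)
find ~/Library/Application\ Support -name "com.anthropic.claude_browser_extension.json" 2>/dev/null
```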
To a human, the prompt looks completely ordinary. To Anthropic's backend, a quick scan of the date separator and one apostrophe's Unicode code point reveals: "This user is behind a VPN but is actually in a China timezone—possibly a Chinese AI lab." That is a textbook covert channel.
The timezone + Unicode apostrophe details are fully verified, sourced from the thereallo.dev reverse engineering report and consistent with public community discussion.
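The mapping table above can be turned into a check that you run on a system prompt captured at your own proxy or gateway. This is an added example, not code from the original article or from Claude Code: the exact line shape `Today's date is YYYY-MM-DD` and the name `inspect_date_line` are assumptions, and the sample prompts are constructed.

```python
import re
import unicodedata

# Apostrophe code points from the mapping table above -> reported meaning.
APOSTROPHE_SIGNAL = {
    0x0027: "default (no match)",
    0x2019: "China-linked org/reseller domain",
    0x02BC: "AI-lab keyword",
    0x02B9: "domain and AI-lab keyword both matched",
}

# "Today" + one apostrophe-like character + "s date is" + a date using - or /.
# Assumed line shape; adjust if your captured prompt words it differently.
DATE_LINE = re.compile(r"Today(.)s date is\s+(\d{4})([-/])(\d{2})\3(\d{2})")

def inspect_date_line(system_prompt: str):
    """Return findings for the date line of a captured system prompt, or None."""
    m = DATE_LINE.search(system_prompt)
    if m is None:
        return None
    cp = ord(m.group(1))
    slash = m.group(3) == "/"  # table: slash separator = China timezone signal
    return {
        "codepoint": f"U+{cp:04X}",
        "char_name": unicodedata.name(m.group(1), "UNKNOWN"),
        "apostrophe_signal": APOSTROPHE_SIGNAL.get(cp, "unlisted code point"),
        "timezone_signal": slash,
        "altered": cp != 0x0027 or slash,
    }

# Constructed samples (not captured traffic), one per table row of interest.
SAMPLES = [
    "Today's date is 2026-06-30.",
    "Today\u2019s date is 2026-06-30.",
    "Today\u02bcs date is 2026/06/30.",
    "Today\u02b9s date is 2026-06-30.",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(inspect_date_line(sample))
```

Any result with `altered` set to true on a prompt sent through your gateway means the client in use still carries the rewriting logic.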
Why Did Anthropic Do This? Is Claude Code Actually Spyware?
The measured community consensus: this was almost certainly anti-distillation and anti-unauthorized-reselling. Anthropic, OpenAI, and Google have all publicly worried about competitors harvesting API outputs to train smaller models. China-linked resellers, proxies, and labs are prime suspects—hence the classifier.
The intent is defensible; the method is not. Turning a classification signal into invisible punctuation, obfuscating it in the binary, and shipping it on every request—inside a developer tool that lives and dies on trust—crosses a line. On Hacker News the thread split hard:
| Camp | View |
|---|---|
| Anti-distillation camp | "Reasonable anti-distillation defense"—protecting the model from competitor output harvesting |
| Developer trust camp | "Malware-adjacent for a dev tool"—undisclosed, obfuscated, buried in punctuation is unacceptable |
"Spyware" is a loaded word. More precisely:
Incident A is closer to unauthorized tampering with third-party software plus a dormant, pre-positioned attack surface—even if unexploited, it pre-installs a high-privilege channel outside the browser sandbox.
Incident B is closer to undisclosed telemetry / covert user classification—not classic data-stealing malware, but lacking informed consent.
Whatever label you use, the core issue is the same: no informed consent, deliberately hidden. The mainstream read is that Anthropic aimed to detect unauthorized reselling and model distillation, not to surveil individuals; the controversy is about the method (covert, obfuscated, undisclosed), not the goal.
Compliance note: Use "alleged," "per reverse engineering," and "reported" throughout. Do not state intent as proven fact. Evaluate purpose (anti-distillation) and method (steganography) separately.
How to Check and Protect Yourself: Six-Step Guide for Claude Code Users
Whether you route Claude Code through a proxy or run Claude Desktop on macOS, these steps are reproducible and auditable:
Check ANTHROPIC_BASE_URL: Run echo $ANTHROPIC_BASE_URL. If empty or pointing to api.anthropic.com, Incident B does not trigger. Third-party gateways/resellers are in scope.
Upgrade Claude Code: Ensure CLI version ≥ 2.1.197 (released July 1, 2026, steganography removed). Run claude --version to verify.
Check timezone environment: Run timedatectl or date +%Z. If system timezone is Asia/Shanghai or Asia/Urumqi plus a proxy, the date separator signal was historically applied as well.
Audit Native Messaging manifests (Incident A): Look under ~/Library/Application Support/<browser>/NativeMessagingHosts/ for com.anthropic.claude_browser_extension.json. Delete as needed—Claude Desktop may recreate on restart.
Review Claude Desktop authorization toggles: Later versions added a toggle, but per security community analysis the underlying permission model was not fully removed. Enterprise environments should evaluate continued production use of desktop agents.
Isolate in enterprise/sensitive environments: Treat every desktop AI agent as a high-privilege program—least privilege, explicit authorization, auditable behavior. See our help center for agent hosting options.
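```bash
# Confirm the CLI is at 2.1.197 or later
claude --version
# Incident A: locate the manifest under each browser's NativeMessagingHosts directory
find ~/Library/Application\ Support -path "*/NativeMessagingHosts/com.anthropic.claude_browser_extension.json"
# Find where ANTHROPIC_BASE_URL is set in shell startup files
grep -r "ANTHROPIC_BASE_URL" ~/.zshrc ~/.bashrc ~/.zprofile 2>/dev/null
```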
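Because the Incident A manifest can reappear after deletion, the audit in step 4 is worth scripting so it can be repeated and diffed over time. The following is an added example, not Anthropic's or the article's code: `audit_manifests` and `build_sample_tree` are hypothetical names, the fields read are those of the standard Native Messaging host manifest format, and the extension ID and host path in the sample tree are constructed placeholders.

```python
import json
from pathlib import Path

MANIFEST = "com.anthropic.claude_browser_extension.json"

def audit_manifests(app_support: Path):
    """Summarize every copy of the manifest found under */NativeMessagingHosts/."""
    findings = []
    for path in sorted(app_support.rglob(MANIFEST)):
        if path.parent.name != "NativeMessagingHosts":
            continue
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError) as exc:
            findings.append({"manifest": str(path), "error": str(exc)})
            continue
        if not isinstance(data, dict):
            data = {}
        host = data.get("path", "")
        findings.append({
            "manifest": str(path),
            "browser_dir": path.parent.parent.relative_to(app_support).as_posix(),
            "host_binary": host,  # binary that runs outside the browser sandbox
            "host_exists": bool(host) and Path(host).exists(),
            "allowed_origins": data.get("allowed_origins", []),  # pre-authorized extensions
        })
    return findings

def build_sample_tree(root: Path):
    """Constructed sample tree: two browser directories carrying the manifest."""
    manifest = {
        "name": "com.anthropic.claude_browser_extension",
        "description": "constructed sample",
        "path": "/nonexistent/chrome-native-host",  # placeholder host path
        "type": "stdio",
        "allowed_origins": ["chrome-extension://" + "a" * 32 + "/"],  # placeholder ID
    }
    for browser in ("Google/Chrome", "BraveSoftware/Brave-Browser"):
        hosts = root / browser / "NativeMessagingHosts"
        hosts.mkdir(parents=True)
        (hosts / MANIFEST).write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    # Real location on macOS, as given in step 4 above.
    for finding in audit_manifests(Path.home() / "Library" / "Application Support"):
        print(json.dumps(finding, indent=2))
```

Run it on a schedule and compare the output between runs: a new `browser_dir` entry, or a manifest that returns after removal, is the persistence behaviour described for Incident A.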
What This Means: AI Vendor Overreach and How We Should Respond
The real lesson is not "an apostrophe." It is that when model capability races ahead while security boundaries, consent, and auditability lag behind, vendors will keep crossing the trust boundary between users (and other software makers) in the name of "UX" or "abuse prevention."
147 rules: Domain/keyword lists obfuscated via base64 + XOR(91); confirmed in versions 2.1.193–2.1.196 (thereallo.dev).
HN traction: Thread hit front page within hours—350+ points, 100+ comments, community deeply split (Hacker News, 2026-06-30).
Claude for Chrome injection rates: Per Anthropic's own disclosure—23.6% unmitigated, 11.2% mitigated—real risk when combined with Incident A's high-privilege channel.
| Principle | Action |
|---|---|
| Default to distrust; demand evidence | Reproducible, auditable, and switchable-off is the bar for trust |
| Disclosure over concealment | Fight distillation in the open—document it, ship a toggle—not buried in punctuation |
| Least privilege + isolation | Treat every desktop agent as high-privilege |
| Vote with your feet + regulation | GDPR-style law and market choice are the ultimate check on "technology without limits" |
Sources: The Register (Claude Desktop permission changes, 2026-04); Malwarebytes / gHacks / YOOTA (Native Messaging coverage); thereallo.dev (original Claude Code reverse engineering); Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix); Antiy Labs risk analysis.
Consider the alternatives: running Claude Desktop bare on a personal Mac with multi-browser Native Messaging leaves high-privilege channels and injection surfaces hard to audit; relying entirely on third-party Claude resellers exposes you to undisclosed fingerprinting long-term; virtualized macOS for agents violates Apple's EULA and breaks Xcode signing. For production AI agent environments needing iOS CI/CD, full root, and 24/7 stability, KVMNODE dedicated Mac Mini M4 cloud rental is usually the better path: 100% physical hardware, open sudo, flexible daily/weekly/monthly terms, with Claude Code running in an isolated, auditable host. Technology can be neutral; a company cannot. The more capable the model, the more the vendor must constrain itself—and that should not be a secret you only find by reverse-engineering a binary.