Short answer: In late June 2026, a reverse-engineering report from thereallo.dev found that Claude Code (not the web app) uses prompt steganography when you route through a non-official ANTHROPIC_BASE_URL proxy. It rewrites the innocuous Today's date is... line in system prompts — swapping date separators and visually identical Unicode apostrophes — to silently encode timezone and China-linked domain/AI-lab hits back to Anthropic’s servers. Anthropic removed the code in 2.1.197. The likely goal is anti-distillation and anti-reselling, but the method was covert and undisclosed. This guide separates April’s Claude Desktop silent browser injection (Incident A) from June’s Claude Code steganography (Incident B), with a full Unicode mapping table, motive analysis, six-step protection runbook, and FAQ.
This controversy is actually two independent but related events stacked on top of each other. Conflating them will get you called out on HN and in security circles. Keep them separate:
Incident A (April 2026, Alexander Hanff): After installing Claude Desktop on macOS, The Register reported it silently writes a Native Messaging config — com.anthropic.claude_browser_extension.json — into Chrome, Edge, Brave, Arc, Vivaldi, Opera, and other browser directories without user consent. It pre-authorizes three extension IDs to call chrome-native-host, which runs outside the browser sandbox with full user permissions. It creates directories even when the browser isn’t installed. Delete the file manually and Claude Desktop recreates it on restart. Independent consultant Noah Kenney (Digital 520) confirmed Hanff’s technical claims are reproducible. Antiy Labs published a dedicated risk analysis. Security researchers labeled it alleged spyware / backdoor.
Incident B (June 30, 2026, thereallo.dev): A developer reverse-engineered the Claude Code binary and found system-prompt steganography — the subject of this article. It spread via Reddit to Hacker News, where the thread hit the front page within hours with 350+ points and 100+ comments.
Key distinction: Incident A involves Claude Desktop and triggers on install/launch. Incident B involves the Claude Code CLI and triggers only when ANTHROPIC_BASE_URL ≠ api.anthropic.com (proxy, gateway, or reseller). Anthropic acknowledged Incident B’s code existed and shipped 2.1.197 on July 1 to remove it — without mentioning it in the changelog. Incident A received no formal public response; later versions added an authorization toggle but the underlying permission model reportedly persists.
Editorial note: Throughout this article we use “according to reports,” “reverse-engineering findings,” and “alleged” where appropriate. Motive (anti-distillation) and method (steganography) must be evaluated separately.
Critical precondition: this logic activates only when ANTHROPIC_BASE_URL points to a non-official address — a proxy, gateway, third-party reseller, or OpenAI-compatible layer. The official api.anthropic.com endpoint is untouched.
Once triggered, the program does two things, both hidden inside the harmless-looking Today's date is ... system prompt line:
1. Change the date separator: If the system timezone is Asia/Shanghai or Asia/Urumqi, 2026-06-30 becomes 2026/06/30.
2. Swap the apostrophe: Replace the apostrophe in Today's with a visually identical but Unicode-distinct character to encode what was detected.
| Detected condition | Date format | Apostrophe character | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ' standard ASCII apostrophe | U+0027 |
| China-linked reseller/institution domain hit | 2026-06-30 | ’ right single quotation mark | U+2019 |
| China AI lab keyword hit (deepseek/moonshot/zhipu/minimax/baichuan/stepfun/01ai, etc.) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Domain + lab keyword both hit | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| Plus China timezone | 2026/06/30 | (apostrophe rules as above) | — |
The domain and keyword lists are lightly obfuscated with base64 + XOR(91), totaling roughly 147 rules. The reverse-engineer verified the logic in versions 2.1.193, 2.1.195, and 2.1.196.
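For operators of a proxy or gateway that logs outbound system prompts, the mapping table translates directly into a check. The following is an added example, not code from the reverse-engineering report or from Claude Code; the exact layout of the date line matched by the regex is an assumption based on the wording quoted above, and the sample prompts are constructed.

```python
import re

# Apostrophe codepoints and their reported meaning, from the mapping table above.
APOSTROPHE_FLAGS = {
    "\u0027": "default (no match)",
    "\u2019": "China-linked reseller/institution domain hit",
    "\u02bc": "China AI lab keyword hit",
    "\u02b9": "domain + lab keyword both hit",
}

# Assumed layout: Today<apostrophe>s date is YYYY<sep>MM<sep>DD. The apostrophe
# slot accepts any single character so unlisted look-alikes are reported too.
DATE_LINE = re.compile(r"Today(.)s date is (\d{4})([-/])(\d{2})\3(\d{2})")

def inspect_prompt(system_prompt):
    """Return one finding per date line found in a logged system prompt."""
    findings = []
    for m in DATE_LINE.finditer(system_prompt):
        apostrophe, sep = m.group(1), m.group(3)
        findings.append({
            "codepoint": f"U+{ord(apostrophe):04X}",
            "flag": APOSTROPHE_FLAGS.get(apostrophe, "unlisted character"),
            "china_timezone": sep == "/",
            # Anything other than ASCII apostrophe + hyphen carries a signal.
            "marked": apostrophe != "\u0027" or sep == "/",
        })
    return findings

# Constructed sample prompts (not captured traffic).
SAMPLES = {
    "clean": "You are a coding agent.\nToday's date is 2026-06-30.\n",
    "lab_hit": "You are a coding agent.\nToday\u02bcs date is 2026-06-30.\n",
    "both_plus_tz": "You are a coding agent.\nToday\u02b9s date is 2026/06/30.\n",
}

if __name__ == "__main__":
    for name, prompt in SAMPLES.items():
        print(name, inspect_prompt(prompt))
```

A finding with "unlisted character" means the apostrophe slot holds a codepoint outside the four in the table, which is worth a manual look rather than a silent pass.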
“Your request looks like a normal English prompt, but the backend reads the date separator and that apostrophe’s Unicode codepoint to tag you in the background — a textbook covert channel.”
| Dimension | Incident A: Silent browser injection | Incident B: System-prompt steganography |
|---|---|---|
| Product | Claude Desktop (macOS) | Claude Code (CLI) |
| Source | Alexander Hanff / The Register | thereallo.dev → Reddit → HN |
| Timeline | 2026-04 (from ~April 18) | 2026-06-30 |
| Trigger | Install/launch Claude Desktop | Non-official ANTHROPIC_BASE_URL only |
| Label applied | spyware / backdoor | prompt steganography / covert channel |
| Anthropic response | No formal public statement; later added auth toggle | Acknowledged code; removed in 2.1.197 (undisclosed in changelog) |
The community consensus — stated carefully — is that the goal was anti-distillation plus anti-unauthorized reselling. Anthropic, OpenAI, and Google have all publicly warned that competitors use API access to pull outputs at scale and train smaller models. China-linked proxies, resellers, and labs were prime suspects, so Anthropic added this tagging logic.
The goal is understandable; the method is the problem. Encoding classification signals invisibly, obfuscating the code, and hiding it inside every request crosses a trust line for a tool that lives or dies on developer confidence. HN split sharply: one camp called it reasonable anti-distillation defense; the other called it malware-adjacent behavior for a developer tool.
“Spyware” is an emotionally loaded label. More precise framing:
Whether or not you use the spyware label, the core issue is the same: behavior that was neither disclosed nor consented to, and deliberately hidden. The mainstream read is that Anthropic aimed to detect unauthorized reselling and model distillation, not surveil individuals. The fight is over means (covert, obfuscated, undisclosed), not ends.
1. Check ANTHROPIC_BASE_URL: Incident B only triggers when routing through a proxy. If unset or pointing to the official endpoint, the steganography logic does not run.
2. Upgrade Claude Code: Move to 2.1.197 or later (reportedly released July 1, 2026, with the fingerprint code removed).
3. Audit timezone: Confirm whether your system timezone is Asia/Shanghai or Asia/Urumqi; a China timezone changes the date separator on top of apostrophe encoding.
4. Check Claude Desktop Native Messaging (Incident A): On macOS, search each browser’s ~/Library/Application Support/<browser>/NativeMessagingHosts/ for com.anthropic.claude_browser_extension.json. Delete if needed; Claude Desktop may recreate it.
5. Least privilege in enterprise/sensitive environments: Evaluate whether desktop Agents belong in production pipelines. Explicit authorization and auditability are baseline requirements. See our OpenClaw production whitelist and remote Mac AI Agent best practices for isolation patterns.
6. Vote with your feet and demand disclosure: Vendors can do anti-distillation openly — with public documentation and opt-in controls — instead of hiding signals in punctuation. Factor trust into tool selection via our AI coding assistant comparison.
```bash
# Check whether a non-official Base URL is set
echo "$ANTHROPIC_BASE_URL"

# macOS: find Claude Desktop Native Messaging manifests
find ~/Library/Application\ Support -name "com.anthropic.claude_browser_extension.json" 2>/dev/null

# Confirm Claude Code version (need 2.1.197+)
claude --version
```
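Finding the manifest is only half of the Incident A check; what matters is which extension origins it authorizes and which host binary it points at. The following added example (not code from The Register's report or from Anthropic) reads each manifest found under a root directory and reports those two fields, using the standard Chrome Native Messaging keys `path` and `allowed_origins`; the function name is illustrative.

```python
import json
from pathlib import Path

# Manifest file name as reported in the article.
MANIFEST = "com.anthropic.claude_browser_extension.json"

def audit_native_messaging(root):
    """Report every matching manifest inside a NativeMessagingHosts directory."""
    findings = []
    for path in sorted(Path(root).rglob(MANIFEST)):
        if path.parent.name != "NativeMessagingHosts":
            continue  # same file name elsewhere is not a browser registration
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            # Unreadable or malformed manifests are reported, not skipped.
            findings.append({"manifest": str(path), "error": str(exc)})
            continue
        findings.append({
            "manifest": str(path),
            # Native host executable the browser launches outside its sandbox.
            "host_binary": data.get("path"),
            # Extension origins pre-authorized to talk to that executable.
            "allowed_origins": data.get("allowed_origins", []),
        })
    return findings

if __name__ == "__main__":
    app_support = Path.home() / "Library" / "Application Support"
    for finding in audit_native_messaging(app_support):
        print(finding)
```

Running it before and after restarting Claude Desktop shows whether a deleted manifest has been recreated.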
The real warning here isn’t about a single apostrophe. It’s that as model capabilities accelerate, security boundaries, authorization, and audit trails lag behind — and vendors can cross trust lines under the banner of “experience” or “abuse prevention.” Practical responses: default to skepticism and evidence; demand disclosure over concealment; enforce least privilege and boundary isolation; combine market pressure with regulatory frameworks (GDPR, PIPL).
Technology can be neutral; companies cannot afford to be. Greater capability demands greater self-restraint — secrets buried in binaries shouldn’t be how users discover vendor behavior. For teams running Claude Code or OpenClaw desktop Agents on a local Mac, full user permissions and persistent configs mean un-auditable vendor actions carry far more risk than in an isolated environment. Running CLI Agents on a dedicated remote Mac node, separated from production desktops and browsers, with least privilege and auditable deployment, is typically the safer choice for iOS CI/CD and AI Agent automation pipelines. If you need reproducible, isolated Apple Silicon compute, NodeMini cloud Mac Mini rental provides dedicated nodes with root access — a practical way to strip high-privilege Agent workloads off personal laptops. See rental pricing and the help center for setup.
Sources: The Register (Claude Desktop permission changes, April 2026); Malwarebytes / gHacks / YOOTA (Native Messaging coverage); thereallo.dev (original Claude Code steganography reverse-engineering); Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix); Antiy Labs (Claude Desktop risk analysis).
Not in the traditional sense, but according to reverse-engineering reports, it hid an undisclosed, obfuscated fingerprint in system prompts to tag China-linked users routing through proxies. Anthropic removed it in 2.1.197. A more accurate label is an undisclosed covert channel, not data-stealing malware.
According to reverse-engineering reports, it checks Asia/Shanghai and Asia/Urumqi — but only when you use a non-default ANTHROPIC_BASE_URL. On the official endpoint, the date line is untouched.
The apostrophe in Today's switches between U+0027, U+2019, U+02BC, and U+02B9 to encode: no match, China-linked institution domain hit, AI lab keyword hit, or both. With a China timezone, the date separator changes from - to /.
Community consensus: detect model distillation and unauthorized API reselling — a legitimate goal implemented through covert, obfuscated, undisclosed means that sparked intense debate for a developer-facing tool.
No. In April 2026, Hanff reported Claude Desktop silently writing browser Native Messaging manifests. On June 30, 2026, thereallo.dev disclosed Claude Code system-prompt steganography. Different products, mechanisms, and trigger conditions.
Incident B only triggers in Claude Code when ANTHROPIC_BASE_URL is set to a non-official endpoint. Standard web users and official-endpoint CLI users are not affected.
On macOS, look in ~/Library/Application Support/<browser>/NativeMessagingHosts/ for com.anthropic.claude_browser_extension.json and delete it. Restarting Claude Desktop may recreate the file. Enterprise teams should evaluate whether to keep deploying desktop Agents; see the help center for remote Mac isolation options.
Upgrade to 2.1.197+, audit your Base URL, and run CLI Agents on a dedicated remote Mac node instead of a production laptop. Follow API policy guidance in our OpenClaw installation guide. For dedicated Apple Silicon compute, see Mac Mini cloud rental pricing.