CyberSecurityNews

Anthropic’s Claude Code Reportedly Uses Hidden Code to Detect Chinese Users


A Reddit disclosure has ignited a serious debate about developer trust and covert surveillance, alleging that Anthropic embedded undisclosed detection logic inside its Claude Code CLI tool, specifically targeting users in China or those routing traffic through Chinese AI lab proxies.

A Reddit user identified as LegitMichel777 on the r/ClaudeAI subreddit posted detailed findings on June 30, 2026, claiming to have reverse-engineered Claude Code while attempting to restore a disabled remote control feature in version 2.1.196.

During that process, he discovered obfuscated code that had been silently present since version 2.1.91, released on April 2, 2026, with no mention in the release notes.

According to the disclosure, the code performs a multi-factor check whenever a proxy is detected. It reads the system’s timezone to determine whether it matches Asia/Shanghai or Asia/Urumqi, and simultaneously inspects the proxy URL against a hardcoded list of Chinese domains and known Chinese AI lab hostnames.

[Image: Claimed code checks]

What makes this discovery particularly alarming is the method used to transmit the findings: steganography embedded in the system prompt. Based on the three detection outcomes (Chinese timezone, Chinese proxy domain, or Chinese AI lab), Claude Code silently alters two elements of the “Today’s date is…” system prompt line:

  • Date format: If the timezone is Chinese, the date appears as 2026/06/30 instead of the standard 2026-06-30.
  • Apostrophe variation: The apostrophe in “Today’s date is” is replaced with one of three visually identical but technically distinct Unicode characters: U+2019 (right single quotation mark), U+02BC (modifier letter apostrophe), or U+02B9 (modifier letter prime), depending on the combination of proxy domain and AI lab flags.

These alterations are invisible to human users and potentially even to the AI model itself, but are easily machine-parseable by Anthropic’s servers.
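As an added example (not code from the Reddit post or from Claude Code), the following Node.js check reports which apostrophe code point and date separator appear in a captured "Today's date is" line and lists what differs between two captures. The function names and sample lines are constructed, and it does not assume which flag combination maps to which character, since the article does not say.

```javascript
// Added example: audit a captured "Today's date is ..." prompt line for the
// two markers described in the disclosure. All names here are hypothetical.

// Apostrophe-like code points named in the article, plus plain ASCII.
const APOSTROPHES = {
  0x0027: "APOSTROPHE (ASCII)",
  0x2019: "RIGHT SINGLE QUOTATION MARK",
  0x02bc: "MODIFIER LETTER APOSTROPHE",
  0x02b9: "MODIFIER LETTER PRIME",
};

// "Today<one code point>s date is <yyyy><sep><mm><sep><dd>", sep is - or /.
const DATE_LINE = /Today(.)s date is\s+(\d{4})([-\/])(\d{2})\3(\d{2})/u;

// Returns the marker fields for the first matching line, or null if absent.
function inspectDateLine(text) {
  const m = DATE_LINE.exec(text);
  if (!m) return null;
  const cp = m[1].codePointAt(0);
  return {
    codePoint: "U+" + cp.toString(16).toUpperCase().padStart(4, "0"),
    name: APOSTROPHES[cp] || "unlisted character",
    dateSeparator: m[3],
    // The article says the slash form is claimed to appear for a Chinese timezone.
    slashDate: m[3] === "/",
  };
}

// Compares two captures (e.g. with and without a proxy configured) and
// returns the names of the markers that changed, or null if either lacks the line.
function changedMarkers(baselineText, observedText) {
  const a = inspectDateLine(baselineText);
  const b = inspectDateLine(observedText);
  if (!a || !b) return null;
  const changed = [];
  if (a.codePoint !== b.codePoint) changed.push("apostrophe");
  if (a.dateSeparator !== b.dateSeparator) changed.push("dateSeparator");
  return changed;
}

// Constructed sample lines, not real captures.
const SAMPLE_BASELINE = "Today\u2019s date is 2026-06-30.";
const SAMPLE_VARIANT = "Today\u02BCs date is 2026/06/30.";

console.log(inspectDateLine(SAMPLE_BASELINE));
console.log(inspectDateLine(SAMPLE_VARIANT));
console.log(changedMarkers(SAMPLE_BASELINE, SAMPLE_VARIANT));
```
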

The researcher further alleges that Anthropic actively tried to hide this logic. Portions of the detection code were reportedly XOR-obfuscated with the key 91, a technique commonly used to prevent plain-text string extraction during binary analysis.

In version 2.1.196, the relevant minified functions include Crt(), Rrt(e), e0t(), Zup(), edp, and Vla, which can reportedly be identified by asking Claude Code or Codex to self-reverse-engineer its own logic.

The security community has reacted strongly to the disclosure. Critics argue that, regardless of the intended use case (preventing unauthorized resale of the Claude API or model distillation by Chinese labs), covertly collecting system and proxy metadata without user consent constitutes a fundamental breach of trust.

Developers who grant Claude Code broad filesystem and shell access to perform its tasks are particularly exposed; as the researcher noted, this level of access theoretically enables remote code execution.

Adding to the concern is effectiveness: such checks are trivially bypassable by any moderately skilled adversary, raising the question of whether the privacy cost to legitimate users justifies any actual security benefit.

Anthropic has not yet issued a public statement addressing the Reddit disclosure as of the time of publication.
