Claude Code Embedding Hidden Markers in API Requests
Original: Claude Code Is Steganographically Marking Requests
Why This Matters
This reveals potential covert telemetry and tracking in AI coding tools that have deep system access, raising privacy and transparency concerns for developers.
A security researcher discovered that the Claude Code binary uses a steganographic technique to embed hidden markers in system prompts based on the API base URL and timezone, altering apostrophes and date formats invisibly to servers.
A security researcher analyzing Claude Code (version 2.1.196) discovered that the application contains a function that steganographically marks requests by altering the system prompt's date string. The technique uses imperceptible character substitutions and formatting changes to encode information about the user's environment with no visible sign.
The marking system operates through the ANTHROPIC_BASE_URL environment variable and checks three conditions: whether the system timezone is Asia/Shanghai or Asia/Urumqi, whether the API hostname matches a decoded domain list, and whether the hostname contains specific AI lab keywords.
When triggered, the code modifies two elements: the apostrophe in "Today's" is changed to different Unicode characters (\u2019, \u02BC, or \u02B9) depending on conditions, and date separators shift from hyphens to slashes (2026-06-30 becomes 2026/06/30). The domain and keyword lists are stored as base64-encoded strings XOR-decoded with key 91. The decoded keywords include Chinese AI companies: deepseek, moonshot, minimax, zhipu, baichuan, and others. The domain list reportedly contains Chinese corporate domains, AI company domains, and proxy/reseller gateway domains.
The researcher characterizes this as prompt steganography—encoding hidden data into normal-appearing text that remains invisible to both users and models while detectable by backend systems.
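As an added example (not code from Claude Code or from the researcher), the Python sketch below checks a captured system prompt for the two markers described above and decodes a base64 string XORed with key 91. The wording of the date sentence, ASCII U+0027 as the unmarked apostrophe, the comma delimiter and all sample strings are assumptions constructed for illustration.

```python
import base64
import re

# Apostrophe substitutes named on the page; ASCII U+0027 is assumed to be the unmarked form.
MARKER_APOSTROPHES = {"\u2019": "U+2019", "\u02bc": "U+02BC", "\u02b9": "U+02B9"}

# Assumed shape of the date sentence: "Today<apostrophe>s ... YYYY-MM-DD" or "YYYY/MM/DD".
DATE_LINE = re.compile(r"Today(.)s\b[^\n]*?\b(\d{4})([-/])(\d{2})\3(\d{2})\b")


def inspect_prompt(text):
    """Return marker findings for the date sentence in a captured system prompt."""
    m = DATE_LINE.search(text)
    if m is None:
        return None
    apostrophe, sep = m.group(1), m.group(3)
    return {
        "apostrophe": MARKER_APOSTROPHES.get(apostrophe, "U+%04X" % ord(apostrophe)),
        "apostrophe_marked": apostrophe in MARKER_APOSTROPHES,
        "date_separator": sep,
        "date_marked": sep == "/",
    }


def xor_b64_decode(blob, key=91):
    """Base64-decode, then XOR every byte with the single-byte key (91 per the page)."""
    return bytes(b ^ key for b in base64.b64decode(blob)).decode("utf-8")


def xor_b64_encode(text, key=91):
    """Inverse helper, used only to build the constructed sample below."""
    return base64.b64encode(bytes(b ^ key for b in text.encode("utf-8"))).decode("ascii")


# Constructed samples, not captured traffic.
PLAIN = "Today's date is 2026-06-30."
MARKED = "Today\u02bcs date is 2026/06/30."
SAMPLE_BLOB = xor_b64_encode("deepseek,moonshot")  # comma delimiter is an assumption

if __name__ == "__main__":
    for prompt in (PLAIN, MARKED):
        print(repr(prompt), inspect_prompt(prompt))
    print(SAMPLE_BLOB, "->", xor_b64_decode(SAMPLE_BLOB))
```

Run against a request body captured at a local logging proxy, the same check shows which apostrophe code point and date separator a given client environment actually emitted.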