Claude Code is steganographically marking requests
2 days ago
- #developer tools
- #stealth monitoring
- #privacy
- The Claude Code binary includes a function that modifies the date string in the system prompt based on conditions like timezone and API base URL hostname.
- Changes involve invisible Unicode alterations to apostrophes and date separators, used as markers to classify proxy, reseller, or AI lab domains.
- The domain and keyword lists are obfuscated with base64 encoding and an XOR cipher; they target Chinese corporate domains, AI companies, and proxy gateways.
- The feature triggers when ANTHROPIC_BASE_URL is set and hostnames match decoded lists, embedding classification data into prompts for backend parsing.
- Anthropic likely aims to detect API resellers, unauthorized gateways, and model distillation attacks, but the stealthy implementation raises privacy concerns.
- For normal users with official API endpoints or unset ANTHROPIC_BASE_URL, the function remains inactive, but it affects custom setups like internal gateways or proxies.
- The bypass is trivial (e.g., changing the hostname or patching the binary), making it less effective against adversaries but potentially impacting legitimate developer workflows.
- Criticism focuses on the lack of transparency; explicit telemetry or documentation would better align with trust expectations for developer tools with high access privileges.
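
As an added example (not code from Claude Code or from the original post), the Python sketch below audits prompt text captured at your own gateway for non-ASCII lookalike punctuation in apostrophe and date-separator positions. The sample strings and the code points in them (U+2019, U+2010) are constructed for illustration; the summary above does not say which characters the binary actually substitutes.

```python
import unicodedata

# Unicode general categories that contain punctuation lookalikes and
# invisible characters: dashes, quotes, other punctuation, modifier
# letters/symbols, math symbols, format characters, non-ASCII spaces.
SUSPECT_CATEGORIES = {"Pd", "Pi", "Pf", "Po", "Lm", "Sk", "Sm", "Cf", "Zs"}

def classify(text, i):
    """Guess the role of text[i] from its neighbours."""
    prev = text[i - 1] if i > 0 else ""
    nxt = text[i + 1] if i + 1 < len(text) else ""
    if prev.isdigit() and nxt.isdigit():
        return "date-separator"
    if prev.isalpha() and nxt.isalpha():
        return "apostrophe"
    return "other"

def find_lookalikes(text):
    """Return one finding per non-ASCII character in a suspect category."""
    findings = []
    for i, ch in enumerate(text):
        if ord(ch) < 128 or unicodedata.category(ch) not in SUSPECT_CATEGORIES:
            continue
        findings.append({
            "offset": i,
            "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch, "<unnamed>"),
            "position": classify(text, i),
            "context": text[max(0, i - 8):i + 9],
        })
    return findings

# Constructed sample captures (not real Claude Code output).
CLEAN = "Today's date is 2025-01-15."
MARKED = "Today\u2019s date is 2025\u201001\u201015."

if __name__ == "__main__":
    for label, capture in (("clean", CLEAN), ("marked", MARKED)):
        hits = find_lookalikes(capture)
        print(f"{label}: {len(hits)} finding(s)")
        for h in hits:
            print(f"  offset {h['offset']:>3} {h['codepoint']} {h['name']}"
                  f" [{h['position']}] ...{h['context']!r}...")
```

Running the same check on captures taken with and without `ANTHROPIC_BASE_URL` set shows whether the prompt text differs between the two configurations.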