
Claude Code is steganographically marking requests


Claude Code has been found to silently alter system prompts using invisible Unicode characters to track API requests. This steganographic technique is used to detect unauthorized API resellers and model distillation, raising privacy and trust concerns among developers.

I was inspecting Claude Code for privacy reasons.

Most devs give their harnesses ridiculous access. FS, shell, git, browser access, even computer use nowadays. That is the whole point. They need enough context to do useful work.

That also means the client itself deserves scrutiny. If a coding agent can read your repo and run commands, the binary that ships it should be boring (for example, pi harness).

So I took a look at my local Claude Code (2.1.196) install.

Inside the Claude Code binary, there is a function that changes the current date string inserted into the system prompt.

The normal string looks like this:

text

Claude Code can silently change two things:

  • The apostrophe in Today's

  • The date separator, from - to /

Here is the relevant code, cleaned up from the minified bundle:

js

This is prompt steganography, a technique used to hide data in plain sight.

The visible sentence still reads like a normal date. The model and the user see something boring. The raw request contains a marker.

js

The trigger is ANTHROPIC_BASE_URL, Claude Code's API base URL override. Then it checks if:

  • the system timezone is Asia/Shanghai or Asia/Urumqi

  • the API base URL hostname matches a decoded domain list
  • the hostname contains specific AI lab keywords

The timezone check changes:

text

into:

text

The hostname check changes the apostrophe:

| Condition | Apostrophe |
|---|---|
| Normal | ' |
| Known domain | \u2019 |
| Lab keyword | \u02BC |
| Known domain and lab keyword | \u02B9 |

These are visually tiny changes you would never notice in most mono fonts.
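One way to audit a captured request for these markers, as an added example that is not code from the original post or from Claude Code: it reads the apostrophe after "Today" and the date separator, then maps them to the table above. The code points and the - to / change come from the article; the wording around the date, the function name and the sample prompts are constructed assumptions.

```javascript
// Added example: inspect a captured system prompt for the date-line markers.
// Apostrophe code points are taken from the article's table.
const APOSTROPHE_MEANING = {
  "\u0027": "normal",
  "\u2019": "known domain",
  "\u02BC": "lab keyword",
  "\u02B9": "known domain and lab keyword",
};

// Assumption: the sentence contains "Today?s" followed later on the same line
// by a YYYY-MM-DD or YYYY/MM/DD date. The exact wording in between is not
// taken from the article, so the pattern does not depend on it.
const DATE_LINE =
  /Today(['\u2019\u02BC\u02B9])s\b[^\n]*?\b(\d{4})([-\/])(\d{2})\3(\d{2})\b/;

// Hypothetical helper name; returns null when no date sentence is present.
function inspectDateMarker(prompt) {
  const m = DATE_LINE.exec(prompt);
  if (!m) return null;
  const [, apostrophe, , separator] = m;
  const hex = apostrophe.codePointAt(0).toString(16).toUpperCase();
  return {
    apostrophe: "U+" + hex.padStart(4, "0"),    // which code point was sent
    hostnameClass: APOSTROPHE_MEANING[apostrophe],
    separator,                                  // "-" normal, "/" altered
    timezoneFlag: separator === "/",
    marked: apostrophe !== "'" || separator === "/",
  };
}

// Constructed sample prompts (not captured traffic).
const SAMPLES = {
  plain: "Today's date is 2026-01-15.",
  timezone: "Today's date is 2026/01/15.",
  both: "Today\u02B9s date is 2026/01/15.",
};

for (const [name, prompt] of Object.entries(SAMPLES)) {
  console.log(name, JSON.stringify(inspectDateMarker(prompt)));
}
```

Run it against the raw request body rather than a rendered view, since terminals and log viewers may display the variant apostrophes identically.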

The domain and keyword lists are stored as base64 strings and XOR-decoded with key 91:

js

The decoded lab keyword list is:

text

The decoded domain list is much larger. It contains Chinese corporate domains, AI company domains, and a lot of proxy / reseller / gateway domains.

Some examples:

text

The date function is used when building the agent context:

js

So the marker becomes part of the system context sent to the model (which Anthropic probably parses in their backend).

My installed binary is signed by Anthropic:

text

My current shell had ANTHROPIC_BASE_URL unset, and my timezone was:

text

So on my machine, under my current environment, this path would produce the normal apostrophe and the normal YYYY-MM-DD date string.

Anthropic probably wants to detect API resellers, unauthorized Claude Code gateways, and model "distillation attack" pipelines. A custom ANTHROPIC_BASE_URL pointing at a known reseller domain is a useful signal. A hostname containing deepseek or zhipu is also a useful signal.

That part makes sense, but the implementation is weird.

CC silently alters the system prompt using invisible-ish Unicode markers. It encodes proxy / gateway classification into a sentence that looks like plain English. It hides the domain list behind XOR and base64. This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.

Coding agents already live on the wrong side of a scary boundary. They can inspect code, summarize secrets by accident, run commands, install packages, edit files, and push commits on your local machine. Most developers accept that because the productivity gain is worth the risk.

Trust from real developers depends on the boring behavior.

If the client wants to detect custom API gateways, it can say so plainly. It can send an explicit telemetry field with documentation. It can make the policy visible. It can put the behavior in release notes.

Hiding the signal in the system prompt makes every other privacy claim harder to believe.

For most users, this path probably stays inactive.

If you are using the official Anthropic API endpoint, Crt() returns early. If ANTHROPIC_BASE_URL is unset, Crt() returns early. If you are using a normal setup, the date prompt stays "boring".

The interesting case is people routing CC through a custom base URL. That includes:

  • Internal gateways
  • Local proxies
  • Model routers
  • Resellers
  • Research setups

In that case, Claude Code classifies the hostname and encodes the result into the prompt.

The bypass is also trivial. Change hostname, change timezone, patch the binary, wrap the process. Any serious adversary can make this signal useless.

So the feature mostly punishes the exact people who are easier to fingerprint: normal developers doing weird but legitimate things.

I think this could have been explicit.

Developer tools can enforce terms. API providers can detect abuse. Companies can protect their models.

When a tool with filesystem and shell access starts hiding classification bits inside invisible prompt punctuation, the correct reaction is scrutiny.

Trust is earned in the boring parts.


Source: Hacker News
