Hidden code in Claude Code secretly flagged Chinese users

Disclosure: Some links in this article are affiliate links. AI Maestro may earn a commission if you make a purchase, at no…

By AI Maestro July 1, 2026 2 min read
Hidden code in Claude Code secretly flagged Chinese users

Anthropic is removing a covert surveillance feature from its coding tool, Claude Code, after it drew anger on social media.

A Reddit user named LegitMichel777 first exposed the capability. The post states that Claude Code has been checking since version 2.1.91, released on April 2, 2026, to see if users with an active proxy are located in China, routing through a Chinese URL, or connected to a Chinese AI lab.

Hidden signals buried in the system prompt

The data travels through barely perceptible changes to the system prompt, a form of steganography. Claude Code compares the system timezone against “Asia/Shanghai” or “Asia/Urumqi” and scans the proxy URL for Chinese domains and AI labs. Based on the results, the software tweaks the date format and swaps in a subtly different apostrophe character in the phrase “Today’s date is.” Users cannot see the difference. Anthropic can read it instantly.

According to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check.

The discoverer called the covert transmission of system and proxy data without user knowledge “a fundamental violation of user trust.” Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration. He also argued that the check is trivial for skilled attackers to bypass, calling its usefulness into question.

Anthropic calls it an experiment

Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as “an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.” The team had since shipped stronger protections: “The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while.” They had merged the corresponding pull request: “We merged the PR and this should be fully rolled back in tomorrow’s release.”

Anthropic does not offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards. Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.

What it means

Developers using the tool will not notice the removal of the hidden checks. The software will stop altering the date format or apostrophes in prompts. Users retain full control over their data without the tool secretly flagging their location or network path.

Scroll to Top