Recent allegations have surfaced regarding Anthropic’s Claude Code CLI tool, sparking a heated debate on developer trust and privacy. Reports suggest the tool contains hidden code specifically aimed at identifying users in China or those using Chinese AI lab proxies.
Discovery of Hidden Code
The controversy began with a Reddit post by user LegitMichel777 on June 30, 2026. The user claimed to have uncovered the concealed detection logic while reverse-engineering Claude Code to restore a disabled feature in version 2.1.196. The user indicated that the hidden code has been present since version 2.1.91, released in April 2026, without any disclosure in the release notes.
The detection mechanism reportedly conducts a multi-factor verification when a proxy is identified. It checks the system’s timezone for matches with Asia/Shanghai or Asia/Urumqi, and cross-references the proxy URL against a list of Chinese domains and AI lab hostnames.
Technical Details and Implications
According to the findings, the tool uses steganography within the system prompt to transmit detection results. If a Chinese timezone or proxy is detected, subtle changes are made to the date format and apostrophe characters in the prompt message, making these alterations detectable by Anthropic’s servers but invisible to users.
LegitMichel777 further alleged that Anthropic obscured the detection code using XOR obfuscation with a key of 91, complicating plaintext string extraction during analysis. Specific functions within version 2.1.196 are identified as part of the detection mechanism, which can reportedly be reverse-engineered by the tool itself.
Community Response and Potential Risks
The disclosure has drawn significant criticism from the security community. Critics argue that such undisclosed data collection breaches user trust, regardless of its intended purpose, such as preventing unauthorized API use or model exploitation by Chinese labs. The potential for remote code execution, given the access level granted to Claude Code, is a particular concern.
Moreover, experts question the efficacy of these measures, noting that a skilled adversary could easily bypass them, potentially compromising user privacy without providing substantial security benefits. As of now, Anthropic has not publicly addressed these allegations.
The situation underscores the ongoing tension between privacy and security in software development and raises critical questions about the ethical implications of covert data collection practices.
