Recent findings suggest that Anthropic’s Claude Code command-line interface (CLI) tool may contain concealed mechanisms designed to identify users based in China or those utilizing proxies associated with Chinese AI laboratories. This revelation has sparked significant concerns regarding user privacy and the transparency of software practices.
A Reddit user, known as LegitMichel777, shared insights on June 30, 2026, detailing the reverse-engineering of Claude Code version 2.1.196. The investigation aimed to restore a disabled remote control feature but unexpectedly uncovered obfuscated code present since version 2.1.91, released on April 2, 2026. Notably, this code was absent from the official release notes.
The embedded code reportedly performs a series of checks when a proxy is detected. It assesses the system’s timezone settings to determine if they align with ‘Asia/Shanghai’ or ‘Asia/Urumqi’ and cross-references the proxy URL against a predefined list of Chinese domains and AI lab hostnames.
Alarmingly, the tool employs steganographic techniques to transmit detection results. Depending on the outcomes—such as identifying a Chinese timezone, proxy domain, or AI lab—the tool subtly modifies elements of the system prompt. These modifications include altering the date format to ‘2026/06/30’ for Chinese timezones and substituting the apostrophe in ‘Today’s date is’ with one of three visually similar Unicode characters. While these changes are imperceptible to users, they can be easily parsed by Anthropic’s servers.
Further analysis indicates that portions of this detection code were XOR-obfuscated using the key ‘91’, a method commonly employed to hinder straightforward string extraction during binary analysis. In version 2.1.196, functions such as ‘Crt()’, ‘Rrt(e)’, ‘e0t()’, ‘Zup()’, ‘edp’, and ‘Vla’ are implicated in this process.
The security community has expressed strong reactions to these findings. Critics argue that, regardless of Anthropic’s intentions—be it preventing unauthorized resale of the Claude API or mitigating model distillation by Chinese labs—the covert collection of system and proxy metadata without user consent constitutes a significant breach of trust. Given that Claude Code requires extensive filesystem and shell access to function, users are particularly vulnerable to potential remote code execution risks.
Moreover, the effectiveness of such detection mechanisms is questionable, as they can be easily circumvented by individuals with moderate technical skills. This raises concerns about whether the potential security benefits justify the privacy implications for legitimate users.
As of now, Anthropic has not issued a public statement addressing these allegations.
This incident underscores the critical importance of transparency in software development, especially for tools that require deep system integration. Users entrust such applications with significant access to their systems, and undisclosed functionalities can erode this trust. Moving forward, it is imperative for developers to prioritize clear communication and user consent to maintain confidence in their products.