Is Claude Code Spyware?
Inside Anthropic's Hidden Unicode Fingerprint

Silent browser injection · Prompt steganography · Anti-distillation motive · Six-step runbook · Vendor trust boundaries

Claude Code system prompt showing U+2019 apostrophe fingerprint
In late June 2026, a developer reverse-engineering Claude Code found that when routed through a custom proxy (ANTHROPIC_BASE_URLapi.anthropic.com), it quietly rewrites the Today's date is... line of its system prompt. By swapping visually identical Unicode apostrophes and date separators, it encodes China timezone and domain/lab matches—a textbook covert channel. Anthropic removed the code in 2.1.197. This post gives developers and compliance leads: ① Incident A (Desktop browser injection) vs B (Code steganography); ② the full Unicode mapping table; ③ anti-distillation motive and HN debate; ④ a six-step protection runbook; ⑤ hard data and a stance on AI vendor trust boundaries.
01

What actually happened? Two separate Claude incidents

TL;DR: This blew up as two distinct stories stacked together. Incident A (April 2026): Claude Desktop silently writes browser Native Messaging manifests. Incident B (June 30, 2026): Claude Code hides Unicode fingerprints in system prompts. The latter only triggers with a non-official Base URL—not on every conversation.

A

Incident A (April 2026, Alexander Hanff disclosure): Installing Claude Desktop on macOS allegedly writes com.anthropic.claude_browser_extension.json into Chrome, Edge, Brave, Arc, Vivaldi, Opera directories—pre-authorizing three extension IDs to call chrome-native-host outside the browser sandbox. Directories are created even for browsers not installed; deletion is reversed on restart. Independent consultant Noah Kenney (Digital 520) confirmed Hanff's claims; Antiy Labs published a dedicated risk analysis. Anthropic has not formally responded; later versions added an authorization toggle but the underlying permission model persists.

B

Incident B (June 30, 2026, thereallo.dev reverse engineering): When ANTHROPIC_BASE_URL ≠ api.anthropic.com, the Today's date is... system prompt line is rewritten via date separator and Unicode apostrophe swaps. Versions 2.1.193, 2.1.195, and 2.1.196 all contained the logic per the reverse engineer. HN thread hit front page within hours: 350+ points, 100+ comments.

C

Fix timeline: Anthropic acknowledged the code. July 1, 2026 release 2.1.197 removed it—the changelog did not mention the change.

D

Labels differ: Incident A drew "spyware" / "backdoor" tags; Incident B drew "prompt steganography" / "covert channel."

E

Compliance wording: Use "alleged," "per the reverse engineering report," and "disclosed by" throughout. Separate intent (anti-distillation) from method (steganography).

DimensionIncident A: Silent browser injectionIncident B: System prompt steganography
ProductClaude Desktop (macOS client)Claude Code (CLI coding tool)
SourceAlexander Hanff (The Register)thereallo.dev → Reddit → HN
DateApril 2026 (~4/18 onward)June 30, 2026
TriggerInstall/start Claude DesktopOnly when ANTHROPIC_BASE_URL is non-official
Core behaviorNative Messaging manifest; pre-auth extensions call sandbox-external hostRewrites Today's date Unicode and date format
02

How does Claude Code detect China proxy? Unicode fingerprint table

Precondition: triggers only when ANTHROPIC_BASE_URL points somewhere other than api.anthropic.com (proxy, gateway, reseller, OpenAI-compatible layer). The official endpoint is untouched. Classification signals hide inside the innocent Today's date is ... line.

Detected conditionDate formatApostrophe in Today'sUnicode
Default (no match)2026-06-30' ASCII apostropheU+0027
China-linked org/reseller domain2026-06-30' right single quoteU+2019
AI-lab keyword match2026-06-30ʼ modifier letter apostropheU+02BC
Both domain and lab2026-06-30ʹ modifier letter primeU+02B9
+ China timezone2026/06/30 (/ separator)(same rules)

China timezones: Asia/Shanghai or Asia/Urumqi. Domain/keyword lists use base64 + XOR (key 91) obfuscation—roughly 147 domain patterns including deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai. To a human the prompt looks ordinary; to Anthropic's backend, one apostrophe's code point reveals: VPN user, China timezone, possibly a Chinese AI lab. A textbook covert channel.

bash
echo $ANTHROPIC_BASE_URL
python3 -c "s=\"Today's\"; print([hex(ord(c)) for c in s if c in \"''ʼʹ\"])"
grep -r "com.anthropic.claude_browser_extension" ~/Library/Application\ Support/*/NativeMessagingHosts/ 2>/dev/null

Tip: U+0027 and U+2019 look identical in most terminals. Use hex dumps or Python ord() to confirm fingerprinting.

03

Why did Anthropic do this? Is Claude Code actually spyware?

Community consensus is measured: almost certainly anti-distillation and anti-unauthorized reselling. Anthropic, OpenAI, and Google have publicly worried about competitors harvesting API outputs to train smaller models. China-linked resellers, proxies, and labs are prime suspects. Intent is defensible; method is not. Invisible punctuation, obfuscated binary code, shipped on every request—in a developer tool that lives on trust—crosses a line.

On Hacker News the thread split hard: "reasonable anti-distillation defense" vs "malware-adjacent behavior for a dev tool."

"Spyware" is a loaded word. More precisely: Incident A is unauthorized tampering with third-party software plus a dormant, pre-positioned attack surface—even unexploited, it pre-installs a high-privilege channel outside the browser sandbox. Anthropic's own numbers put Claude for Chrome prompt-injection success at 23.6% unmitigated / 11.2% mitigated. Incident B is undisclosed telemetry / covert user classification. Whatever label you use, the core issue: no informed consent, deliberately hidden.

04

How to stop Claude Desktop native messaging? Six-step runbook

01

Check Base URL: Run echo $ANTHROPIC_BASE_URL. Empty or official api.anthropic.com means Incident B won't trigger. Proxy/gateway users are in the classification target set.

02

Upgrade Claude Code: Ensure version ≥ 2.1.197 (July 1, 2026, steganography removed). Run claude --version.

03

Unicode self-check: Inspect each character in Today's from captured system prompts. U+0027 is normal; U+2019/U+02BC/U+02B9 means flagged.

04

Audit Native Messaging (Incident A): On macOS check ~/Library/Application Support/<browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json. Delete as needed; Claude Desktop may recreate on restart.

05

Timezone audit: Verify system timezone. With non-official Base URL plus Asia/Shanghai or Asia/Urumqi, date separator switches from - to /.

06

Enterprise hardening: Evaluate desktop Agent use in production. Least privilege, explicit authorization, auditable behavior. Isolate Claude Desktop from browser Native Messaging in sensitive environments.

05

Citable hard data: Claude Code fingerprint incident parameters

A

Domain rule count: ~147 patterns, base64 + XOR(91) obfuscated; keywords include deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai.

B

Affected versions: 2.1.193 / 2.1.195 / 2.1.196 confirmed; removed in 2.1.197 (2026-07-01).

C

HN community heat: Front page within hours—350+ points, 100+ comments. Claude for Chrome prompt-injection: 23.6% unmitigated / 11.2% mitigated (Anthropic-disclosed, Incident A risk context).

Note: The real lesson is not "an apostrophe." When model capability races ahead while security boundaries and auditability lag, vendors cross trust lines in the name of UX or abuse prevention. Default to distrust; demand disclosure over concealment; enforce least privilege.

Teams running Claude Code for iOS CI/CD and AI Agent automation on local Macs face permission sprawl and covert telemetry risk; shared VM isolation falls short of dedicated bare metal. For a stable, auditable, 24/7 Apple Silicon production environment, MESHLAUNCH Mac Mini cloud rental is usually the better choice: dedicated M4/M4 Pro, flexible daily/weekly/monthly billing, physical isolation from Claude Desktop's high-privilege local channels—Agent workloads on controlled cloud nodes.

Sources: The Register (Claude Desktop permissions, 2026-04); Malwarebytes / gHacks / YOOTA; thereallo.dev (original reverse engineering); Tech Startups / TMC Insight / Developers Digest / TechTimes (2.1.197 fix); Antiy Labs risk analysis.

FAQ

Not in the classic sense, but per the reverse engineering report it embedded an undisclosed, obfuscated fingerprint to flag China-linked proxy users. Removed in 2.1.197. Best described as an undisclosed covert channel.

It checked Asia/Shanghai and Asia/Urumqi only with a non-default ANTHROPIC_BASE_URL. Official endpoint users were unaffected.

Today's apostrophe swapped between U+0027, U+2019, U+02BC, U+02B9 encoding domain matches, lab keywords, both, or neither. See the mapping table above.

No. April 2026 Claude Desktop Native Messaging injection is Incident A. June 30 Claude Code prompt steganography is Incident B—different products and triggers.

Most likely anti-distillation and unauthorized reselling detection. The controversy is the hidden, obfuscated method. See our pricing page for isolated deployment options.

Incident B only triggers in Claude Code with non-official ANTHROPIC_BASE_URL. Standard web users on the official endpoint are unaffected.

Delete com.anthropic.claude_browser_extension.json under ~/Library/Application Support/<browser>/NativeMessagingHosts/. Claude Desktop may recreate it. Check the help center for related guidance.

Anthropic acknowledged and removed it in 2.1.197 on July 1, 2026. The changelog did not mention the change. Upgrade immediately and verify your version.