Stealth Encoding Uncovered
Independent developer Thereallo discovered a hidden function within the minified JavaScript bundle of Anthropic’s Claude Code client (version 2.1.196). The function took an innocuous line reading “Today’s date is 2026-06-30” and transformed it into a covert marker for Anthropic’s backend servers. The encoded signal activated only when a user’s system time zone was set to Asia/Shanghai or Asia/Urumqi, allowing Anthropic to identify traffic originating from those regions without the knowledge of developers or IT administrators.
Anthropic’s Response and Rationale
Anthropic acknowledged the code after the revelation spread through social media and news outlets, then quickly removed it. The company characterized the feature as an experiment launched in March 2026, designed to prevent account abuse by unauthorized resellers and protect against distillation attacks. These measures may have been linked to US government export controls on AI models for foreign nationals enacted on June 12, which were subsequently lifted on June 30. The broader context includes ongoing tensions over Chinese-linked AI labs reportedly using distillation to replicate proprietary models, a practice Alibaba had already responded to by banning Claude Code on its platforms.
Implications for Developers and Organizations
This incident highlights the importance of vetting AI coding assistants that require deep system access. Developers working in sensitive environments should record hashes and versions of AI clients, avoid automatic updates without review, and use network inspection to detect hidden markers in API requests, including Unicode anomalies in system prompts. The case also demonstrates the risk of hard dependencies on a single AI assistant, as vendor decisions can instantly render a trusted tool unacceptable for certain organizations. Maintaining optionality across multiple providers helps mitigate this exposure.
Source: Malwarebytes

