Anthropic is rolling back a covert surveillance feature in its coding tool, Claude Code, after it sparked outrage on social media. A Reddit post by user LegitMichel777 first exposed the feature, revealing that the tool had been secretly checking since version 2.1.91, released April 2, 2026, whether users with an active proxy were located in China, routing through a Chinese URL, or connected to a Chinese AI lab. The data was transmitted through barely perceptible changes to the system prompt, a form of steganography. The software compared the system timezone against 'Asia/Shanghai' or 'Asia/Urumqi' and scanned the proxy URL for Chinese domains and AI labs. Based on the results, the software tweaked the date format and swapped in a subtly different apostrophe character in the phrase 'Today's date is.' Users couldn't see the difference, but Anthropic could read it instantly. According to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check. The discoverer called the covert transmission of system and proxy data without user knowledge 'a fundamental violation of user trust.' Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration. He also argued that the check was trivial for skilled attackers to bypass, calling its usefulness into question.

Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as 'an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.' The team had since shipped stronger protections: 'The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while.' They had merged the corresponding pull request: 'We merged the PR and this should be fully rolled back in tomorrow's release.' Anthropic doesn't offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards. Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.

Source: thedecoder