On the same day Anthropic launched Claude Sonnet 5, a separate Claude Code story climbed to the top of Hacker News. A developer inspecting the Claude Code binary found that the tool quietly embeds hidden markers in the system prompt based on your API base URL and timezone. The technique is called prompt steganography, and the markers appear designed to flag traffic linked to China. Here is exactly what was found and why it matters.
What was discovered
The researcher, writing at thereallo.dev, decompiled a local Claude Code install (version 2.1.196, signed by Anthropic). Inside, a function alters the date string that Claude Code inserts into the system prompt. The normal line reads:
Today's date is 2026-06-30.
Claude Code can silently change two things in that sentence:
- The apostrophe in the word βTodayβsβ.
- The date separator, from a hyphen to a slash.
Neither change is visible at a glance. To a human reading the prompt, it still looks like a plain date. But at the byte level, every character is a signal.
How the mechanism works
The behavior only activates if you set the ANTHROPIC_BASE_URL environment variable to something other than api.anthropic.com. In other words, it targets people routing Claude Code through a custom endpoint: an internal gateway, a local proxy, a model router, or a reseller.
When that variable is set, Claude Code checks three things:
- Whether your system timezone is
Asia/ShanghaiorAsia/Urumqi. If so, the date separator flips from a hyphen to a slash. - Whether the base URL hostname matches an internal domain list.
- Whether the hostname contains an internal list of AI lab keywords.
The result is encoded into which apostrophe character appears:
| Condition | Apostrophe used |
|---|---|
| Normal | straight quote (U+0027) |
| Known domain match | right single quote (U+2019) |
| Lab keyword match | modifier apostrophe (U+02BC) |
| Both domain and keyword match | modifier prime (U+02B9) |
The two lists are stored as base64 strings and XOR-decoded with the key 91. The decoded keyword list includes terms like deepseek, moonshot, minimax, zhipu, bigmodel, baichuan, stepfun, 01ai, dashscope, and volces. The domain list is much larger and contains Chinese corporate domains, Chinese AI company domains, and a long set of proxy, reseller, and gateway domains.
Because the marker is baked into the system prompt, it travels with the request. Anthropicβs backend can read it, and so can any intermediary router the prompt passes through.
Why Anthropic might do this
There is a plausible, non-sinister reason. Anthropic likely wants to detect API resellers, unauthorized Claude Code gateways, and model distillation pipelines that route through third-party endpoints. A custom base URL pointing at a known reseller, or a hostname containing deepseek or zhipu, is a useful abuse signal. This is the same competitive pressure behind the Fable 5 export-control ban and the broader scrutiny of Chinese AI labs.
Why it still raises eyebrows
The intent may be defensible, but the implementation is what drew fire. A developer tool with filesystem and shell access silently alters the system prompt using nearly invisible Unicode characters, hides its classification lists behind XOR and base64, and discloses none of it. The researcherβs conclusion was measured: this is not malware, but it is a strange choice for a tool that asks for deep trust.
Coding agents already sit on the wrong side of a scary boundary. They read your code, run commands, install packages, and push commits on your machine. Most developers accept that because the productivity gain is worth it, and because they trust the client to be boring. Hiding classification bits inside invisible prompt punctuation makes every other privacy claim harder to believe.
There is also an irony. The mechanism is trivial to bypass: change the hostname, change the timezone, patch the binary, or wrap the process. Any serious adversary defeats it in minutes. So it mostly fingerprints normal developers doing legitimate but unusual things, like routing through an internal gateway.
What it means for you
- If you use the official Anthropic endpoint, or leave
ANTHROPIC_BASE_URLunset, the marker code does not run. Your prompt stays normal. - If you route Claude Code through a custom base URL, the hostname is classified and encoded into your prompts.
- The practical fix, if you care, is to use the official endpoint, or to audit and control your own gateway.
This story fits a pattern we have tracked across our AI model supply chain risks and secure AI API keys coverage: as coding agents gain more access, the trust bar for the clients themselves keeps rising.
Frequently asked questions
Does Claude Code track all users this way?
No. The marker code only runs if ANTHROPIC_BASE_URL is set to a non-official endpoint. Default users are not affected.
Is this spyware? The researcher called it a trust-eroding design choice rather than malware. It classifies routing endpoints, not your code or files.
What triggers the markers? Setting a custom API base URL, plus a hostname match against internal domain or AI-lab keyword lists, or a Chinese system timezone.
Can I avoid it?
Yes. Use the official api.anthropic.com endpoint, or do not set a custom base URL.
Does this affect Claude Sonnet 5 specifically? No. This is a Claude Code client behavior, independent of which model you select.
The bottom line
The technical finding is real and precise: Claude Code encodes routing classification into invisible prompt characters when you use a custom base URL. It is easy to bypass and only triggers for non-default setups, but the lack of disclosure is the problem. Trust in developer tools is earned in the boring parts, and hidden markers are not boring. For the model that launched the same day, see the Sonnet 5 complete guide.