Index  ›  ai  ›  The Decoder

Hidden code in Claude Code secretly flagged Chinese users

The Decoder Published Jul 1, 2026 Reviewed Jul 3, 2026 ✓ Reviewed by citations.press editors
Citation-ready fact
Claude Code version 2.1.91, released on April 2, 2026, included a covert surveillance feature that checked whether users were located in China, routing through a Chinese URL, or connected to a Chinese AI lab.
2 · Claude Code versions2026 · release year4 · release month2 · release day
View source ↗
Citation-ready fact
The covert surveillance feature used XOR encryption with key 91 to obfuscate the code.
91 · XOR encryption key
View source ↗
Citation-ready fact
Anthropic employee Thariq Shihipar stated the covert feature was "an experiment we launched in March" intended to prevent account abuse from unauthorized resellers and protect against distillation.
3 · launch month
View source ↗
Citation-ready fact
Anthropic does not offer its models in China for national security reasons.
View source ↗
Citation-ready fact
Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.
4 · accused companies
View source ↗
Citation-ready fact
Thariq Shihipar stated that the team had merged the pull request to roll back the feature and it should be fully rolled back in tomorrow's release.
1 · rollout releases
View source ↗

Anthropic is rolling back a covert surveillance feature in its coding tool Claude Code after it sparked outrage on social media.

Reddit post by user LegitMichel777 first exposed the feature. According to the post, Claude Code has been secretly checking since version 2.1.91, released April 2, 2026, whether users with an active proxy are located in China, routing through a Chinese URL, or connected to a Chinese AI lab.

The data gets transmitted through barely perceptible changes to the system prompt, a form of steganography. Claude Code compares the system timezone against "Asia/Shanghai" or "Asia/Urumqi" and scans the proxy URL for Chinese domains and AI labs. Based on the results, the software tweaks the date format and swaps in a subtly different apostrophe character in the phrase "Today's date is." Users can't see the difference. Anthropic can read it instantly.

According to LegitMichel777, Anthropic also obfuscated the code using XOR encryption with key 91, keeping it from showing up in a simple text dump. The release notes for version 2.1.91 made no mention of the check.

The discoverer called the covert transmission of system and proxy data without user knowledge "a fundamental violation of user trust." Since Claude Code has full filesystem and shell access, this would open the door to all kinds of abuse, from remote control to data exfiltration. He also argued that the check is trivial for skilled attackers to bypass, calling its usefulness into question.

Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." The team had since shipped stronger protections: "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." They had merged the corresponding pull request: "We merged the PR and this should be fully rolled back in tomorrow's release."

Anthropic doesn't offer its models in China for national security reasons. Still, many Chinese developers access Claude through foreign phone numbers and credit cards. Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models.

This article was originally published by The Decoder ↗. citations.press indexes the source-backed facts above and links to the original. Something wrong? Corrections policy · Report an error