The NVDB alert did not come from nowhere. It was the culmination of a week-long public controversy involving independent security researchers, a Reddit leak, and a broader U.S.-China AI cold war playing out in developer tooling.
On June 30, 2026, a developer publishing under the handle Thereallo at thereallo.dev reverse-engineered the Claude Code binary and discovered that it had been silently embedding user-environment fingerprints into its own system prompt for roughly three months . The technique, now widely referred to as "prompt steganography," relied on several methods:
Date-string manipulation: Claude Code silently altered the system prompt date line — switching between a curly apostrophe (ʼ) and a straight apostrophe (') in "Today's," and swapping date separators from dashes (2026-06-30) to slashes (2026/06/30) — depending on the API base URL the user had configured . These look-alike Unicode variations were invisible to the user but acted as unambiguous tracking markers readable by Anthropic's servers.
Proxy and location fingerprinting: The mechanism was triggered when the ANTHROPIC_BASE_URL environment variable was set to a non-Anthropic endpoint — a sign that traffic was being routed through a third-party proxy. The tool then encoded the proxy hostname against an XOR-obfuscated list of competitor domains . The hidden markers checked whether traffic was routed through Chinese AI labs, proxy resellers, or was otherwise China-linked
. One analysis found the tool inspected a hardcoded list of 25+ Chinese domains
.
Chinese-user detection introduced in version 2.1.91: Claude Code version 2.1.91, released April 2, 2026, secretly embedded Chinese user detection logic via steganography in its system prompt. This was first exposed by Reddit user LegitMichel777, who reverse-engineered the obfuscated code on June 30 . The technique involved swapping apostrophes and date formats to encode location data not visible to users
.
Scope and duration: The fingerprinting code was present in over 90 versions of Claude Code without any disclosure in release notes , spanning at least three months before public exposure on June 30, 2026
. An anonymous Anthropic employee described it as an "experiment" that began in March
.
The Washington Post reported that Anthropic's apparent goal was "unmasking the Chinese rivals the company suspected of hijacking its technology to make their own AI tools smarter" — i.e., detecting model distillation or unauthorized API usage by Chinese firms . This practice, known as "distillation," involves using the outputs of a large model to train a smaller, cheaper model, and is a common concern for frontier AI companies.
Anthropic's response unfolded in two phases, reflecting the dual nature of the controversy.
On the steganography (early July 2026): After the discovery went public on June 30, Anthropic confirmed it was removing the hidden steganography code and rolling back the tracking feature in version 2.1.197, released July 1, 2026 . The company described it as an "anti-abuse experiment" intended to detect unauthorized API use and model distillation by Chinese competitors
. Anthropic maintained that the tracking was not intended for user surveillance but to protect against intellectual property theft — specifically, to identify Chinese firms that were suspected of using Claude's outputs to train rival models
.
On the NVDB backdoor alert (July 8–9, 2026): In response to China's formal security warning, Anthropic changed tack. The company stated that users in China were never authorized to use Claude Code in the first place and had been accessing the tool in violation of its terms of service . Anthropic effectively argued that the alleged "backdoor" was a countermeasure against unauthorized users who should not have had access to the software
. This retort drew sharp criticism from privacy advocates, who noted that the covert nature of the tracking, combined with its lack of disclosure, constituted a breach of trust regardless of the user's geographic location or terms-of-service status.
The incident triggered immediate and significant corporate responses. On July 3, 2026 — before the NVDB alert — Alibaba Group had already banned Claude Code across its workforce, effective July 10, after an internal security review classified the developer tool as "high-risk software with security vulnerabilities" . The Chinese tech giant's move was a rare public corporate response that signaled how seriously Chinese firms viewed the tracking code.
The episode is widely framed as a new front in U.S.-China AI tensions over intellectual property, model security, and supply-chain trust . The Washington Post described it as part of a broader "covert U.S.-China battle" where each side attempts to detect and counter the other's intelligence-gathering activities in AI
. The fact that the tracking code was discovered through community reverse engineering — rather than disclosed by Anthropic — deepened the crisis of trust in developer-facing AI tooling.
The Claude Code steganography incident carries several practical lessons for developers and organizations using AI coding tools:
Anthropic's own Responsible Disclosure program acknowledges vulnerabilities in Claude Code and its containment architecture . The company has since patched the steganographic code, but the incident remains the most significant trust breach in developer-facing AI tooling to date
.