AI coding assistants have quietly become some of the most-installed software on developers' machines. They read your files, run commands, and edit your projects. So when someone finds hidden, deliberately obfuscated code inside one of the most popular ones — Anthropic's Claude Code — people pay attention.
That's exactly what happened this week. A developer reverse-engineering Claude Code discovered a concealed mechanism that silently detects whether a user appears to be in China and encodes that verdict invisibly into the tool's prompt. Anthropic has since removed it. Here's the full, measured picture — including what the story is not.
What Happened
Buried inside Claude Code was logic that quietly checked for three signals — a Chinese timezone, a Chinese proxy domain, or a Chinese AI lab — and then stamped the result into the tool's system prompt using characters no human would ever notice. The flag was, in effect, a hidden label saying "this user looks China-based," readable by Anthropic's servers but invisible to the user.
How It Was Found
A developer posting as "LegitMichel777" shared the findings on June 30, 2026, after digging into Claude Code (version 2.1.196) while trying to restore a disabled feature. In the process, they found the detection code — and traced it back to version 2.1.91, released April 2, 2026. In other words, it had been shipping quietly for nearly three months, with nothing in the release notes to flag it.
How the Hidden Code Works
This is the clever — and unsettling — part. The mechanism uses steganography: hiding information in plain sight. It subtly rewrites the harmless-looking "Today's date is…" line of the system prompt:
| Signal detected | Invisible change to the prompt |
|---|---|
| Chinese timezone | Date format flips from 2026-07-01 to 2026/07/01 |
| Chinese proxy / AI lab | The apostrophe in "Today's" becomes a look-alike Unicode character |
To you, "Today's date is…" looks completely normal. To a machine, those tiny differences — a swapped slash, a near-identical apostrophe — encode a precise set of flags. Parts of the code were also XOR-obfuscated, a technique used to stop the plain text from being easily read during inspection. None of this is how a feature meant to be seen is usually written.
Was Anything Stolen?
Here's the important nuance the scarier headlines skip. Based on the public analysis, what was found is a detection flag in the system prompt — not proof that Claude Code was uploading your source code, files, or keystrokes. So the accurate framing isn't "spyware stole my repo."
The real problem is trust: a hidden, obfuscated mechanism was silently profiling where a user is and where they work, added without any disclosure. Even if the payload is "just a flag," the questions it raises — what else could ride along, and why hide it? — are legitimate.
Why Would Anthropic Do This?
Anthropic hasn't published a detailed rationale, so treat this as context, not confirmation. The most plausible reading is compliance and security. Anthropic's models have been squarely in the crosshairs of US export controls — we covered the ban on Fable 5 and Mythos 5 and its recent reversal. Detecting access from restricted regions, or from rival Chinese AI labs, is the kind of thing a company under that microscope might want to do.
If that's the motive, it's arguably defensible on its own. The controversy is how it was done: covertly, obfuscated, and undocumented. There's a world of difference between "we geolocate to comply with the law, and here's our policy" and hiding the mechanism in invisible characters.
Anthropic's Response
To its credit, Anthropic acknowledged the code and moved quickly, shipping Claude Code 2.1.197 to remove it soon after the disclosure. The catch: the official changelog reportedly didn't mention the removal — which, for critics, rhymed a little too closely with the original sin of shipping the code silently in the first place.
It lands at an awkward moment, too: the same week Anthropic was launching Claude Sonnet 5 and celebrating the lifted export ban. A trust story is exactly what a company racing toward an IPO doesn't want.
The Real Takeaway
- Your code probably wasn't exfiltrated. The finding is a detection flag, not evidence of data theft — and it's been removed.
- Transparency is the whole ballgame. Hidden, obfuscated behavior in a dev tool erodes trust even when the intent is benign.
- AI agents are privileged software. They run with deep access to your machine and repos; "just trust us" isn't good enough.
- Open scrutiny works. One developer reading the code forced a fix within days — a reminder of why inspectability matters.
Frequently Asked Questions
What did Claude Code reportedly do?
According to a developer's reverse-engineering, Anthropic's Claude Code contained hidden, obfuscated logic that silently detected whether a user appeared to be in China — based on their timezone, a Chinese proxy domain, or a Chinese AI lab — and encoded that result invisibly into the tool's system prompt. The signal was designed to be unreadable to humans but easily machine-parsed by Anthropic's servers.
Who discovered it and when?
A developer posting as 'LegitMichel777' shared detailed findings on June 30, 2026, after reverse-engineering Claude Code (version 2.1.196) while trying to restore a disabled feature. They reported the hidden detection code had quietly been present since version 2.1.91, released on April 2, 2026, with no mention in any release notes.
How does the hidden detection work?
It uses steganography — hiding data in plain sight. The code subtly alters the 'Today's date is…' line of the system prompt: if the timezone looks Chinese, the date format flips from 2026-07-01 to 2026/07/01, and the apostrophe in 'Today's' is swapped for one of several visually identical Unicode characters that encode whether a Chinese proxy or AI lab was detected. Portions of the code were XOR-obfuscated to resist easy inspection.
Was any user code or data stolen?
Based on the public analysis, what was found is a detection flag embedded in the system prompt, not evidence that Claude Code was uploading users' source code or files. The alarm is about transparency and trust: a hidden, obfuscated mechanism silently profiling where a user is, added without disclosure. What such a flag could enable — not proven data theft — is the core concern.
Why would Anthropic detect Chinese users?
Anthropic hasn't given a detailed public rationale, so this is context rather than confirmation. The most plausible explanation is compliance and security: Anthropic's models have faced US export-control restrictions, and labs increasingly try to detect misuse or unauthorized access from restricted regions. The controversy isn't necessarily that it wanted to know — it's that it did so covertly and obfuscated the code.
How did Anthropic respond?
Anthropic acknowledged the code was present and released a new version of Claude Code (2.1.197) to remove it, published shortly after the disclosure. Notably, the official changelog reportedly did not mention the removal — which, for critics, echoed the original problem: important changes happening without clear communication.
Should Claude Code users be worried?
For most users there's no evidence their code was exfiltrated, and the specific mechanism has been removed. The bigger takeaway is a trust one: AI coding tools run with deep access to your machine and projects, so hidden behavior — even for compliance — is a red flag. It's a reminder to treat these agents like any powerful software: understand what they do, and expect transparency.
Final Thoughts
Strip away the spy-thriller framing and this is a transparency story, not (on the evidence so far) a data-theft one. There's no proof Claude Code stole anyone's repositories, and the offending code is gone. But the way it was done — hidden in invisible characters, obfuscated, and shipped without a word — is precisely the behavior that makes people distrust the tools they increasingly depend on.
As AI agents get more capable and more deeply wired into how we build software, the bar for candor has to rise with them. The lesson here is simple and applies to every AI company: if you have a good reason to do something, say so out loud. Hiding it — even for compliance — turns a defensible decision into a scandal. We'll keep tracking how Anthropic and its rivals handle that test.