As a developer, you want to use tools you can trust and rely on. One researcher took that idea seriously enough to scrutinize their local Claude Code (2.1.196) installation. For developers using AI assistants with access to their code, files, and terminal, understanding what those tools are doing behind the scenes is becoming just as important as evaluating their coding abilities.
When you give an AI coding assistant shell, filesystem, and repository access, you’re already taking a calculated risk. You expect bugs, maybe even some telemetry, but not a hidden channel that quietly encodes where your traffic is going and who might be watching on the other end.
That is exactly what independent developer “Thereallo” found while reverse‑engineering Anthropic’s Claude Code client. Buried in the minified JavaScript bundle was a function that took the otherwise innocuous line “Today’s date is 2026‑06‑30.” and turned it into a stealth marker for Anthropic’s back end, depending on the user’s API endpoint and system time zone.
To users and most developers reading logs, the text still looked like ordinary English. Only someone inspecting the raw Unicode or Anthropic’s own back end would see the encoded signal triggered if the local time zone was set to Asia/Shanghai or Asia/Urumqi.
Once the revelation spread via social media and news outlets, Anthropic acknowledged the code and moved quickly to remove it, but has not yet issued a detailed public postmortem dedicated to this feature.
Reportedly, an Anthropic engineer confirmed on X that the marker was “an experiment we launched in March” intended to prevent account abuse by unauthorized resellers and to protect against distillation. This may have been triggered by the US government’s decision on June 12 to suspend access to the models for foreign nationals, citing national security concerns. These export controls were lifted on June 30.
Another possible reason might be to learn more about reported Chinese distillation attacks, which pose a serious threat to US national security and undermine AI safety standards.
Who needs to worry
Anthropic has been locked in a very public dispute over “distillation attacks.” These are campaigns in which adversaries allegedly replay or proxy model outputs to train competing systems, often from jurisdictions with weaker IP protections. Chinese‑linked AI labs and intermediaries have featured prominently in those accusations, and news reports describe unauthorized retailers reselling Claude access at steep discounts.
Alibaba has already banned Claude Code over this matter. Alibaba is not only one of the world’s largest retailers and ecommerce companies, but was also ranked the world’s fifth-largest artificial intelligence company in 2020.
Developers who are concerned they could be targeted can:
- Record hashes and versions of AI clients used in sensitive environments, and avoid auto‑updates without at least a cursory review.
- Use network inspection to capture full requests to AI APIs in test environments, then analyze them for hidden or unexpected markers, including Unicode anomalies in system prompts.
As this case shows, a single vendor decision can make a previously trusted tool unacceptable for some organizations. Maintain optionality and avoid hard dependencies on one AI assistant.
Browse like no one’s watching.
Malwarebytes Privacy VPN encrypts your connection and never logs what you do, so the next story you read doesn’t have to feel personal. Try it free →