Claude Code 2.1.196 Prompt Steganography Analysis
Claude Code uses prompt steganography to track API routing
Anthropic's Claude Code (version 2.1.196) implements a mechanism to silently mark requests using prompt steganography. By swapping characters in the system prompt's date string for nearly indistinguishable Unicode alternatives, the client encodes information about the user's environment and the API endpoint being used. This allows Anthropic to identify whether a request is coming through a proxy, a reseller, or a competing AI laboratory's infrastructure.
Trigger conditions for request marking
The steganographic marking is not active for all users. The process is triggered specifically when the ANTHROPIC_BASE_URL environment variable is set, indicating that the user is routing requests through a custom API base URL rather than the official Anthropic endpoint.
Once triggered, the client performs two primary checks to determine which markers to use:
- Timezone Validation: The client checks if the system timezone is set to Asia/Shanghai or Asia/Urumqi.
- Hostname Analysis: The client compares the ANTHROPIC_BASE_URL hostname against a decoded list of known domains and keywords associated with AI labs and corporate entities.
Technical implementation of the markers
The client modifies the system prompt's date string (e.g., "Today's date is YYYY-MM-DD") by swapping standard characters for visually similar Unicode alternatives. These changes are designed to go unnoticed by users and to look nearly identical in most monospaced fonts.
Date Separator Modification
If the system timezone is identified as Asia/Shanghai or Asia/Urumqi, the date separator is changed from a hyphen (-) to a forward slash (/).
Apostrophe Variation
Depending on the hostname of the API base URL, the client selects a different Unicode apostrophe to encode the classification of the gateway:
| Condition | Apostrophe Character | Unicode Code Point |
|---|---|---|
| Normal | ' | Standard Apostrophe |
| Known domain | ’ | Right Single Quotation Mark |
| Lab keyword | ʼ | Modifier Letter Apostrophe |
| Known domain and lab keyword | ʹ | High-reversed-stroke C |
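One way to audit a captured system prompt for the two markers described above, as an added example that is not code from Claude Code or from the original analysis. The function name, the regular expression and the sample prompts are assumptions constructed here, and the code points are read from the characters shown in the table.

```python
import re

# Apostrophe variants from the table above, keyed by the code point of the
# character shown there, mapped to the gateway classification it encodes.
APOSTROPHE_CLASS = {
    "\u0027": "normal",
    "\u2019": "known domain",
    "\u02bc": "lab keyword",
    "\u02b9": "known domain and lab keyword",
}

# Matches "Today's date is YYYY-MM-DD" with any of the four apostrophes and
# either separator; \3 requires the same separator in both positions.
DATE_LINE = re.compile(
    "Today([" + "".join(APOSTROPHE_CLASS) + r"])s date is (\d{4})([-/])(\d{2})\3(\d{2})"
)


def inspect_date_marker(system_prompt):
    """Decode the marker fields of the date line, or return None if absent."""
    match = DATE_LINE.search(system_prompt)
    if match is None:
        return None
    apostrophe, separator = match.group(1), match.group(3)
    return {
        "apostrophe": f"U+{ord(apostrophe):04X}",
        "gateway_class": APOSTROPHE_CLASS[apostrophe],
        "timezone_marker": separator == "/",
        "marked": apostrophe != "'" or separator == "/",
    }


if __name__ == "__main__":
    # Constructed sample prompts, not captured traffic.
    samples = [
        "You are a coding agent.\nToday's date is 2025-01-15.",
        "You are a coding agent.\nToday\u2019s date is 2025-01-15.",
        "You are a coding agent.\nToday\u02b9s date is 2025/01/15.",
    ]
    for prompt in samples:
        print(inspect_date_marker(prompt))
```

Run it over request bodies logged at your own gateway; a result with `marked` set to true means the date line differs from the plain ASCII form.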
Obfuscation and detection lists
To hide these tracking lists, Claude Code uses base64 encoding and XOR encryption with a key of 91. The decoded lists include:
- Lab Keywords: Terms associated with competing AI research labs.
- Domain List: A comprehensive list of Chinese corporate domains, AI company domains, and various proxy, reseller, and gateway providers.
Implications for developer trust and privacy
While the goal of detecting API resellers and "distillation attacks" is a legitimate business concern for API providers, the method of implementation—hiding signals in the system prompt—is viewed as a problematic choice for a tool that requires extensive system permissions (filesystem, shell, and git access).
Because the bypasses are trivial (such as patching the binary or changing the hostname), the mechanism primarily fingerprints developers using custom gateways for legitimate research or internal routing purposes rather than sophisticated adversaries. The lack of transparency regarding this behavior in the release notes or telemetry documentation reduces the trust typically required for high-privilege developer tools.