On 30 June a security researcher who publishes as thereallo took apart the Claude Code binary, version 2.1.196, signed by Anthropic, and found that the client had been quietly rewriting one line of its own system prompt. The line is the date. "Today's date is 2026-06-30" looks like boilerplate, and it is, right up until you notice that the apostrophe in "Today's" is not always the same apostrophe.
According to thereallo's write-up, Claude Code swaps that apostrophe between four visually near-identical Unicode characters: the plain ASCII apostrophe, the right single quote (U+2019), the modifier letter apostrophe (U+02BC), and the modifier letter prime (U+02B9). Those four states encode a two-bit classification. Separately, the date separator flips from a hyphen to a slash when the system timezone is set to Asia/Shanghai or Asia/Urumqi. The whole thing only arms when you set the ANTHROPIC_BASE_URL override, at which point the client checks your proxy hostname against two lists it stores base64-encoded and XOR-obfuscated with the key 91. The decoded keyword list reads like a roll call: deepseek, moonshot, minimax, zhipu, baichuan, stepfun, dashscope. The domain list runs to Chinese corporates like baidu and bytedance and a cluster of reseller gateways with names like claude-code-hub.app, openclaude.me and proxyai.com. The mark then rides into the system context that gets sent to Anthropic's servers, where the backend can read a four-way tag in punctuation no human was ever going to inspect.
The obvious line wrote itself within hours. The Register called it "covert code for catching Chinese competitors." Others reached for "spyware" and "tracking Chinese users." Anthropic confirmed the code was real, shipped a removal in 2.1.197, and left the changelog silent about it. Thariq Shihipar, an engineer on the Claude Code team, said the marker was "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," and added that "the team has landed stronger mitigations since then and we've actually been meaning to take this down for a while."
The pitch, stated fairly
Take Anthropic's account at face value, because on the anti-abuse merits it holds up. Distillation, the practice of training a cheaper model on a stronger one's outputs, has been the company's live wound all year. In February, Anthropic accused DeepSeek, Moonshot and MiniMax of running large-scale distillation campaigns against Claude through fraudulent accounts, in breach of terms that already bar Claude's use inside China. By April the major US labs had agreed through the Frontier Model Forum to share intelligence so that a ban at one triggers scrutiny at all three. In that context, a base URL pointing at a known reseller, or a hostname containing the string "deepseek," is a genuinely useful signal. If you are trying to work out which traffic is laundered access flowing toward a competitor's training run, tagging the request at the client is a cheap way to do it. thereallo, to his credit, says as much: the intent "makes sense."
The read
So the marking itself is not the story. What Anthropic chose to mark, and how little it seems to have expected the mark to catch, is the story.
Start with the target set, because it is the whole argument. This was never aimed at the median developer. It does nothing at all unless you override the base URL, and even then it only fires against a curated list of Chinese labs and reseller gateways. thereallo ran the code against his own machine, sitting in Asia/Hong_Kong with no base URL set, and got the ordinary apostrophe and the ordinary hyphenated date. The feature is a tripwire strung across a specific set of abuse channels, not a dragnet over everyone who types into a terminal. Read that way, the panicked framing is close to backwards. This is provenance tooling for the distillation war, built to fingerprint the reseller-and-competitor plumbing, and it treats the ordinary user as out of scope by design.
Here is where the counter-case deserves a real hearing rather than a wave. thereallo's actual objection is not about privacy, and it is the strongest thing in the piece: a tool that already reads your repository, runs shell commands and pushes commits is now also silently rewriting the request it sends on your behalf, using glyphs you cannot see, behind an XOR key you were not meant to find. Intent does not neutralise that. The problem is the covert channel, not the payload flowing through it today. It landed the same week the wider internet was chewing over age-verification and what one writer called the "papers, please" era, a general unease about identity being quietly attached to everything you do online, and the Claude Code find slotted straight into that mood. A developer tool that asks for this much access and then hides its own behaviour has spent trust it cannot easily earn back.
That objection is right, and the obfuscation is the part that makes it right. Anti-abuse logic you can defend in daylight. Anthropic could have shipped a line in the docs saying "when you point Claude Code at a third-party proxy, we tag the request so we can enforce our terms," and almost nobody would have blinked. The XOR key and the base64 lists are what turn a defensible enforcement measure into something that reads like it was built to survive exactly the kind of inspection thereallo performed. You do not obfuscate a feature you are prepared to explain.
The covert channel Anthropic spent the year warning about
There is a sharper contradiction underneath. For all of 2026, Anthropic's public safety argument has run the other way. Prompt injection, hidden instructions smuggled into a model's context, exfiltration through side channels: these are the named threats of the agent era, the reason the company publishes on making model inputs and outputs legible and auditable. A deliberate covert channel baked into the client cuts against that posture. It is a hidden instruction inserted into the system context, invisible to the user, decoded downstream. The mechanism is benign here and the classifier is Anthropic's own, but the shape is precisely the shape the security field spent the year trying to design out of agents. Once you have normalised a client that quietly edits the prompt for goals you cannot see, you have weakened your own strongest argument about why covert channels are dangerous.
And the weapon was weak to begin with. This is the tell that the "surveillance" reading gets wrong in the other direction: the mark is close to worthless against a serious adversary. A reseller who reads thereallo's post can normalise the date line in a proxy in about the time it takes to write the regex. It catches the careless and the unaware, not the industrial distillation pipeline it was nominally aimed at. Shihipar's own wording gives the game away. "Stronger mitigations since then" and "meaning to take this down for a while" is not the language of a prized capability. It is the language of an early experiment that was already superseded, most likely by server-side behavioural analysis that never needed the client's cooperation in the first place. The apostrophe trick was a stopgap that outlived its usefulness and then outlived its secrecy.
The closest precedent is not from AI at all. For two decades most colour laser printers have stamped nearly invisible yellow dots onto every page, encoding the printer's serial number and a timestamp, a scheme the Electronic Frontier Foundation spent years documenting. The justification was anti-counterfeiting, and it was a fair justification. The lesson was never really about the tracking. It was that once people learned their ordinary output carried an invisible mark keyed to their machine, they stopped fully trusting the device, and no press release put that back. Anthropic has just run the compressed version of that experiment on a tool it needs developers to trust more than they trust a printer.
The bet
Now that the mechanism is public, its forensic value is mostly spent, and Anthropic's response tells you it knows this. The company pulled the marker rather than move it somewhere harder to find, which is a concession that the client is the wrong place to fight distillation. So here is the falsifiable line. Watch the next several Claude Code releases. If the promised "stronger mitigations" turn out to be server-side, behaviour and account analysis that never touches the prompt, and no new hidden client-side mark appears, then client-side steganography was always a stopgap and this episode closes as a self-correcting mistake. If instead a fresh invisible mark surfaces in a later build, quieter and better hidden than the last, then Anthropic still believes the binary on your machine is the right battlefield for the distillation war, and it will spend the same trust all over again. Near as I can tell, the smart money is on the first. But I would not have bet on the apostrophe either.