The Invisible Ink Hidden in Your Coding Agent
The most striking thing about this episode is not that Anthropic tried to catch Chinese users - it is how quietly and cleverly it did so. According to the researcher who reverse-engineered the tool, Claude Code read the machine's system timezone to see if it matched Asia/Shanghai or Asia/Urumqi, and scanned proxy URLs against a hardcoded list of Chinese domains and AI-lab identifiers [1]. When a Chinese timezone was detected, the software did not pop up a warning or block the session. Instead, it altered the Claude Code system prompt using steganography - a way of hiding a signal inside ordinary-looking text. The date format silently flipped from dashes to slashes, turning something like 2026-06-30 into 2026/06/30, and ordinary apostrophes were swapped for visually identical Unicode characters [1]. To a human these edits are invisible; to Anthropic's servers they are a fingerprint saying this session came from China.
What elevated the reaction from annoyance to alarm was the obfuscation and the timing. Portions of the detection code were reportedly scrambled with an XOR cipher using the key 91, a trick specifically meant to stop plain-text strings from being pulled out during binary analysis [1]. The logic had shipped silently since version 2.1.91 in early April 2026 with nothing in the release notes [2]. Because Claude Code is an agent with real filesystem and shell access, the researcher argued that this depth of hidden behavior could theoretically enable remote code execution, and critics called the covert metadata collection a fundamental breach of trust [1]. Anthropic did not deny the code existed; it removed it and merged the deletion the day after the disclosure went public [2].



