The steganographic backdoor that started it
The proximate cause of the ban is unusually technical for a geopolitical story. Since Claude Code version 2.1.91, released April 2, 2026 with no mention in the release notes, the client secretly checked whether a user on an active proxy was located in China, routing through a Chinese URL, or connected to a Chinese AI lab [1]. The check worked by comparing the system timezone against 'Asia/Shanghai' or 'Asia/Urumqi' and scanning the proxy URL for Chinese domains [1]. What makes it remarkable is how the result was moved: not through a network call but through barely perceptible changes to the system prompt itself, a form of steganography that included a subtly different apostrophe in 'Today's date is' [1]. The detection logic was further obfuscated with XOR encryption using key 91, so it would not surface in a simple text dump [1]. It stayed hidden until a Reddit reverse-engineer posted the deobfuscated logic on June 30, after which Anthropic merged a pull request to fully roll the feature back in its next-day release [1]. Alibaba cited exactly these 'back-door risks' when classifying the tool as high-risk [2].



