The Steganography Hidden in a Coding Assistant's Prompt
What makes this incident unusual is not that a tool phoned home, but the craft with which the signal was hidden. According to reporting, the code checked whether a user's system timezone was set to Asia/Shanghai or Asia/Urumqi and scanned proxy URLs against a hardcoded list of Chinese domains and AI lab addresses [1]. That check on its own is mundane. The exfiltration path is what raised eyebrows: the result was smuggled out through the model's own system prompt using steganography. If the timezone was Chinese, the date format changed from dashes to slashes, and the apostrophe in 'Today's date is' was swapped for one of three visually identical but technically distinct Unicode characters [1].
In plain terms, a human reading the prompt would notice nothing - the punctuation looks the same - but a downstream system parsing the exact byte values could read a covert flag: this user is likely in China. To keep the logic from being spotted during routine binary analysis, the detection code was obfuscated with XOR encryption using key 91, so it would not surface in a simple plain-text string dump [2]. The mechanism had been silently present since version 2.1.91, released April 2, 2026, with no mention in the release notes [1]. It came to light only after a developer reverse-engineered the binary while restoring a disabled feature and posted the findings, after which Anthropic said the change was merged and would roll back in the next release [2]. To be precise: this is an allegation of a backdoor, and no independent security firm has confirmed that framing.



