The Backdoor Was Written in Plain English - and Hidden in Plain Sight
The mechanism at the center of this fight is unusually elegant, and that is exactly what alarmed the researchers who found it. Starting with Claude Code version 2.1.91, released April 2, 2026, the tool silently checked the machine it was running on - reading the system timezone for values like Asia/Shanghai or Asia/Urumqi, and scanning the user's proxy and base-URL configuration against a hardcoded list of Chinese entities that was hidden behind XOR and base64 encoding [1]. That much is standard obfuscation. The clever, and to critics disturbing, part is what happened next.
Rather than phone home over a network call that a firewall could catch, the code encoded its classification of the user directly into Claude Code's system prompt using invisible Unicode characters - markers that render as ordinary, unremarkable English to a human reading the text. The security researcher who documented it, Thereallo, described it bluntly: the tool silently alters the system prompt using invisible-ish Unicode markers and encodes proxy and gateway classification into a sentence that looks like plain English [1]. In effect, the user's own AI session became the covert channel. Anthropic quietly removed the code in version 2.1.197 on July 1, 2026, again with no mention in the changelog [1]. It is the silence in the release notes, on both the way in and the way out, that turned a security experiment into a trust story.
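To check a captured system prompt for this kind of marker, the following is an added example (not code from the article, the researcher, or Anthropic). The article does not say which code points were used, so the character classes flagged here are an assumption, and the sample strings are constructed.

```python
import unicodedata

# Assumption: code points that draw no glyph despite a letter/symbol category.
BLANK_GLYPHS = {0x115F, 0x1160, 0x2800, 0x3164, 0xFFA0}

def classify(ch):
    """Return a label if ch renders as nothing or as a plain space, else None."""
    cp, cat = ord(ch), unicodedata.category(ch)
    if cat == "Cf":                      # zero-width, bidi controls, tag characters
        return "format"
    if 0xFE00 <= cp <= 0xFE0F or 0xE0100 <= cp <= 0xE01EF:
        return "variation-selector"
    if cat == "Zs" and ch != " ":        # NBSP, thin space and similar
        return "non-ascii-space"
    if cat in ("Zl", "Zp") or cp in BLANK_GLYPHS:
        return "blank"
    return None

def find_hidden(text):
    """List (offset, 'U+XXXX', name, label) for every flagged character."""
    return [(i, f"U+{ord(c):04X}", unicodedata.name(c, "UNNAMED"), classify(c))
            for i, c in enumerate(text) if classify(c)]

def visible_form(text):
    """What a human reads: odd spaces become ' ', other flagged chars vanish."""
    out = []
    for c in text:
        label = classify(c)
        if label is None:
            out.append(c)
        elif label == "non-ascii-space":
            out.append(" ")
    return "".join(out)

def differs_only_invisibly(a, b):
    """True when two prompts read the same but are not the same string."""
    return a != b and visible_form(a) == visible_form(b)

# Constructed samples (not the real prompt): the same sentence, clean and marked.
BASELINE = "You are a coding assistant. Follow the user's instructions."
MARKED = "You are a coding\u00a0assistant.\u200b Follow the user's\u2009instructions."

if __name__ == "__main__":
    for hit in find_hidden(MARKED):
        print(*hit)
    print("same text, different bytes:", differs_only_invisibly(BASELINE, MARKED))
```

Comparing prompts captured on two differently configured machines with `differs_only_invisibly` surfaces a per-machine marker even when both copies read identically on screen.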


