Hidden fingerprinting · v2.1.91–2.1.196 · China regulatory warning · Alibaba ban · version check guide
If you run Claude Code, run claude --version right now. Versions 2.1.91 through 2.1.196 shipped undisclosed code that covertly fingerprinted proxy users via steganography in system prompts. China's regulator flagged it as a security backdoor risk on July 8, 2026; Alibaba banned it company-wide starting July 10. This guide explains how the hidden tracking worked, who is actually affected, what Anthropic said, and exactly how to check, upgrade, or uninstall.
TL;DR: Affected: v2.1.91 (Apr 2) – v2.1.196 (Jun 29). Fixed in v2.1.197+. Only triggers when ANTHROPIC_BASE_URL points to a non-official proxy — official API users are not affected. Anthropic called it an anti-distillation experiment; NVDB called it a backdoor. Upgrade immediately; enterprises should audit egress traffic.
English readers search "is Claude Code safe" and "how to check Claude Code version" — start here. The hidden mechanism did not monitor every user. It only activated when the ANTHROPIC_BASE_URL environment variable pointed to a non-official endpoint: enterprise gateways, third-party proxies, or API resellers.
| User Profile | ANTHROPIC_BASE_URL | Triggered? | Action |
|---|---|---|---|
| Official API user | Unset or api.anthropic.com | No | Upgrade to 2.1.197+ |
| Enterprise gateway user | Custom proxy endpoint | Yes (if affected version) | Upgrade + audit egress |
| API reseller user | Third-party domain | Yes (147-rule blacklist) | Upgrade + compliance review |
| Version Type | Number | Date | Status |
|---|---|---|---|
| First affected | v2.1.91 | 2026-04-02 | Vulnerable |
| Last affected | v2.1.196 | 2026-06-29 | Vulnerable |
| Fixed | v2.1.197 / 2.1.198 | 2026-07-01/02 | Safe |
Proxy endpoint risk: Teams routing Claude through internal gateways had their hostname matched against 147 XOR-obfuscated blacklist entries — Alibaba, Baidu, ByteDance, DeepSeek, Moonshot, Zhipu, MiniMax, and known resellers.
Undisclosed for ~3 months: The logic persisted across ~20 version releases from April through June with zero changelog mention — the core trust violation.
High-privilege tool: Claude Code has filesystem read/write and shell execution. Covert behavior in such a tool crosses a line that normal telemetry does not.
Claude Code is Anthropic's terminal-based AI coding agent. The story arc: Anthropic quietly embedded detection code → developers reversed it → Anthropic apologized and rolled back → Alibaba banned it → China's NVDB classified it as a severe backdoor risk.
2026: Anthropic publicly invests in anti-distillation tech (classifiers, behavioral fingerprints).
2026: Covert detection ships internally in Claude Code — no public disclosure.
2: v2.1.91 releases with detection code in the distribution.
30: Reddit user LegitMichel777 exposes steganography; Thereallo publishes technical analysis; Adnane Khan validates v2.1.193/195/196 on GitHub.
1: Engineer Thariq Shihipar admits on X it was a March "experiment" against abuse and distillation; promises rollback next day.
Jul 2: v2.1.197 removes the code — changelog silent on the change.
Jul 3–4: Reuters and TechCrunch report Alibaba will ban Claude Code from July 10, switching staff to internal tool Qoder.
Jul 8: China's NVDB issues official warning: built-in monitoring mechanism sends location and identity-related identifiers without user consent — classified as severe backdoor risk.
This is why the tech community uses the word steganography, not telemetry. There was no separate reporting channel — the tool tampered with the system prompt itself. Security researcher Adnane Khan defined it as "a covert information channel embedded in system prompts."
Trigger: ANTHROPIC_BASE_URL set to any non-official endpoint.
Environment recon: Check timezone for Asia/Shanghai or Asia/Urumqi; match proxy hostname against 147 XOR(key=91) + Base64 obfuscated blacklist entries.
Covert encoding: Date separator flips from 2026-06-30 to 2026/06/30 when China timezone hits; the apostrophe in Today's date is swaps among visually identical Unicode variants (U+0027, U+2019, U+02BC) encoding three boolean flags — roughly 3 bits of environment data hidden in a normal-looking English sentence sent with every request.
claude --version echo $ANTHROPIC_BASE_URL npm install -g @anthropic-ai/claude-code@latest claude update
The dispute is not about collecting data — it is about doing it via steganography, without disclosure, targeting specific geographies and commercial rivals.
Thariq Shihipar (Claude Code team) on X: "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."
| Source | Framing | Angle |
|---|---|---|
| NVDB / China regulator | Security backdoor risk / severe threat | Compliance and data exfiltration |
| CNBC / Reuters | Built-in monitoring mechanism | Neutral regulatory relay + enterprise fallout |
| The Register | Covert code / secret steganography | Technical accountability |
| Ars Technica | Spyware-like tracking | Trust crisis |
| Cybernews | "A nothing burger" (some devs) | Overreaction; standard anti-distillation engineering |
| Anthropic | Undisclosed experiment | Legitimate anti-abuse purpose |
Important nuance: Public reports have not confirmed a data breach or direct financial harm to users. The documented risk is undisclosed monitoring behavior and compliance exposure — plus account-ban risk for flagged proxy users.
Per SCMP and Ars Technica, Alibaba internal notice: "As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities." Effective July 10, 2026: Claude Code and all Anthropic model products (Sonnet, Opus, Fable) banned; staff directed to internal platform Qoder.
Anthropic previously told the US Senate Banking Committee that Alibaba's Qwen team used ~25,000 fraudulent accounts generating 28.8 million interactions to distill Claude capabilities. A Feb 2026 Peking University / CAS paper reported distillation traces in major Chinese models. Claude Opus 4.8 famously misidentified itself as Qwen/DeepSeek in tests — making Anthropic's China-user fingerprinting especially awkward. This is the broader context for why Anthropic built covert detection in the first place.
Check version: claude --version — if 2.1.91–2.1.196, act now.
Check proxy: echo $ANTHROPIC_BASE_URL — non-official endpoints were the trigger.
Upgrade: npm install -g @anthropic-ai/claude-code@latest or claude update.
Full uninstall (optional): Remove ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code on macOS/Linux.
Enterprise egress audit: Scan dev machines for unauthorized AI service endpoints; implement outbound traffic controls per NVDB guidance.
Evaluate alternatives: Qoder, Cursor, Codex CLI, or self-hosted agents depending on compliance needs.
strings.Running Claude Code on a personal laptop alongside production API keys creates blurry permission boundaries and poor egress auditability. For production-grade iOS CI/CD and AI Agent automation, VpsMesh Mac Mini cloud rental provides isolated dedicated macOS nodes with root-level control and 24/7 uptime — a more stable alternative than mixing personal desktops.
Bottom line: Anthropic removed the code in v2.1.197+. Whether that restores trust is your call — some in the tech community view this as a nothing burger (standard anti-distillation engineering); regulators and enterprises view it as a serious undisclosed backdoor risk. Upgrade regardless; let your compliance policy decide whether to keep using the tool.
Disclaimer: Based on publicly available NVDB reports, Anthropic statements, and independent security research. Informational only — not legal or security audit advice.
In v2.1.91–2.1.196, Anthropic shipped undisclosed steganography fingerprinting. NVDB classified it as a backdoor risk; Anthropic called it an anti-distillation experiment, removed in v2.1.197.
v2.1.91 (Apr 2, 2026) through v2.1.196 (Jun 29, 2026). Upgrade to v2.1.197 or later.
No. The hidden fingerprinting only activated when ANTHROPIC_BASE_URL pointed to a non-official proxy or gateway endpoint.
Run claude --version in your terminal, or npm list -g @anthropic-ai/claude-code if installed via npm.
Upgrade immediately if on an affected version. Enterprises with compliance requirements may additionally uninstall and audit outbound traffic. See our Mac Mini rental pricing for isolated dev environments.
It altered the system prompt date separator and swapped visually identical Unicode apostrophe variants to encode timezone and proxy-domain hit signals.
Alibaba classified it as high-risk software after backdoor reports and directed staff to internal tool Qoder, effective July 10, 2026.
No. Changelogs for all affected versions omitted any mention of the mechanism — a central part of the controversy.
Anthropic removed the code in v2.1.197+. Ongoing trust depends on your risk tolerance and compliance policy.
Distillation trains a model on another model's outputs. Anthropic said the mechanism targeted unauthorized resellers and distillation pipelines — part of a broader dispute with Chinese AI labs. More on isolated dev setups in our help center.