Claude Code backdoor: стеганография, NVDB/MIIT и затронутые версии — полный runbook 2026

v2.1.91–2.1.196 · ANTHROPIC_BASE_URL trigger · Unicode covert channel · Alibaba ban · distillation war

Терминал с claude --version после NVDB-предупреждения о backdoor Claude Code

Если вы гоняете Claude Code, выполните claude --version немедленно. Версии 2.1.91–2.1.196 содержали undisclosed код, который через steganography в system prompt fingerprintил proxy-users. 8 июля 2026 NVDB/MIIT классифицировал это как severe backdoor risk; с 10 июля Alibaba запретил tool company-wide. Разбираем trigger ANTHROPIC_BASE_URL, Unicode covert channel, timeline, заявления сторон, distillation context, 6-шаговый runbook и 10 FAQ.

TL;DR

Affected: v2.1.91 (2 апр) – v2.1.196 (29 июн). Fixed: v2.1.197+. Trigger только при non-official ANTHROPIC_BASE_URL — official API users не затронуты. Anthropic: anti-distillation experiment; NVDB: backdoor. Upgrade немедленно; enterprise — audit egress.

01

Затронуты ли вы? Version check и матрица exposure

Скрытый механизм не мониторил каждого user. Activation condition: ANTHROPIC_BASE_URL указывает на non-official endpoint — enterprise gateway, third-party proxy, API reseller.

ProfileANTHROPIC_BASE_URLTriggered?Action
Official API userUnset или api.anthropic.comНетUpgrade до 2.1.197+
Enterprise gatewayCustom proxy endpointДа (affected version)Upgrade + egress audit
API reseller userThird-party domainДа (147-rule blacklist)Upgrade + compliance review
Version typeNumberDateStatus
First affectedv2.1.912026-04-02Vulnerable
Last affectedv2.1.1962026-06-29Vulnerable
Fixedv2.1.197 / 2.1.1982026-07-01/02Safe
  1. 01

    Proxy endpoint risk: Teams, routing Claude через internal gateways, попадали под match hostname против 147 XOR-obfuscated blacklist entries — Alibaba, Baidu, ByteDance, DeepSeek, Moonshot, Zhipu, MiniMax, known resellers.

  2. 02

    ~3 месяца undisclosed: Logic persisted across ~20 releases апр–июн без единой changelog entry — core trust violation.

  3. 03

    High-privilege tool: Claude Code имеет filesystem R/W и shell execution. Covert behavior в таком tool пересекает line, которую normal telemetry не пересекает.

02

Timeline: Reddit exposure до NVDB/MIIT warning

Claude Code — terminal-based AI coding agent Anthropic. Story arc: covert detection code embedded quietly → developers reverse-engineered → Anthropic apologized and rolled back → Alibaba banned → China NVDB classified severe backdoor risk.

  1. Feb

    2026: Anthropic публично инвестирует в anti-distillation tech (classifiers, behavioral fingerprints).

  2. Mar

    2026: Covert detection ships internally в Claude Code — zero public disclosure.

  3. Apr

    02: v2.1.91 release с detection code в distribution.

  4. Jun

    30: Reddit user LegitMichel777 exposes steganography; Thereallo публикует technical analysis; Adnane Khan validates v2.1.193/195/196 на GitHub.

  5. Jul

    01: Engineer Thariq Shihipar на X: March «experiment» против abuse и distillation; promises rollback next day.

  6. 02

    Jul 2: v2.1.197 removes code — changelog silent.

  7. 03

    Jul 3–4: Reuters и TechCrunch: Alibaba ban Claude Code с 10 июля, switch staff на internal Qoder.

  8. 08

    Jul 8: NVDB/MIIT official warning: built-in monitoring mechanism передаёт location и identity-related identifiers без user consent — classified severe backdoor risk.

03

Steganography fingerprinting: trigger, recon, covert encoding

Tech community использует термин steganography, не telemetry. Separate reporting channel отсутствовал — tool tampered system prompt itself. Adnane Khan: «covert information channel embedded in system prompts».

  1. 01

    Trigger: ANTHROPIC_BASE_URL set to any non-official endpoint.

  2. 02

    Environment recon: Timezone check на Asia/Shanghai или Asia/Urumqi; proxy hostname match против 147 XOR(key=91) + Base64 obfuscated blacklist.

  3. 03

    Covert encoding: Date separator flip 2026-06-302026/06/30 при China timezone; apostrophe в Today's date is swap между visually identical Unicode variants (U+0027, U+2019, U+02BC, U+02B9) — три boolean flags, ~3 bits environment data в normal-looking English sentence на каждый request.

ConditionDate formatApostropheUnicode
Default (no match)2026-06-30ASCII apostropheU+0027
China-linked domain/reseller2026-06-30right single quoteU+2019
AI-lab keyword hit2026-06-30modifier letter apostropheU+02BC
Domain + lab2026-06-30modifier letter primeU+02B9
+ China timezone2026/06/30(as above)Asia/Shanghai · Asia/Urumqi
bash
claude --version
echo $ANTHROPIC_BASE_URL
npm install -g @anthropic-ai/claude-code@latest
claude update

Dispute не про collection data — про steganography без disclosure, targeting specific geographies и commercial rivals.

04

Заявления Anthropic vs regulatory framing

Thariq Shihipar (Claude Code team) на X: «This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release.»

SourceFramingAngle
NVDB / MIITSecurity backdoor risk / severe threatCompliance и data exfiltration
CNBC / ReutersBuilt-in monitoring mechanismNeutral regulatory relay + enterprise fallout
The RegisterCovert code / secret steganographyTechnical accountability
Ars TechnicaSpyware-like trackingTrust crisis
Cybernews«A nothing burger» (часть devs)Overreaction; standard anti-distillation engineering
AnthropicUndisclosed experimentLegitimate anti-abuse purpose
Nuance

Public reports не подтвердили data breach или direct financial harm. Documented risk: undisclosed monitoring behavior, compliance exposure, account-ban risk для flagged proxy users.

05

Alibaba ban, distillation war и 6-шаговый runbook

Enterprise fallout: Alibaba bans Claude Code

Per SCMP и Ars Technica, internal notice Alibaba: «As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities.» Effective 10 июля 2026: Claude Code и все Anthropic model products (Sonnet, Opus, Fable) banned; staff directed на internal platform Qoder.

Background: Anthropic vs Alibaba distillation dispute

Anthropic ранее сообщил US Senate Banking Committee: Qwen team Alibaba использовал ~25 000 fraudulent accounts, генерируя 28,8 млн interactions для distillation Claude capabilities. Feb 2026 paper Peking University / CAS: distillation traces в major Chinese models. Claude Opus 4.8 misidentified себя как Qwen/DeepSeek в tests — делает China-user fingerprinting особенно awkward. Это broader context, почему Anthropic built covert detection.

6-шаговый action checklist

  1. 01

    Check version: claude --version — если 2.1.91–2.1.196, act now.

  2. 02

    Check proxy: echo $ANTHROPIC_BASE_URL — non-official endpoints были trigger.

  3. 03

    Upgrade: npm install -g @anthropic-ai/claude-code@latest или claude update.

  4. 04

    Full uninstall (optional): Remove ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code на macOS/Linux.

  5. 05

    Enterprise egress audit: Scan dev machines на unauthorized AI service endpoints; outbound traffic controls per NVDB guidance.

  6. 06

    Evaluate alternatives: Qoder, Cursor, Codex CLI, self-hosted agents — по compliance needs.

  • 147 obfuscated rules: Proxy blacklist требовал full binary reverse-engineering — не discoverable через strings.
  • ~3 months undisclosed: Zero changelog entries across all affected releases.
  • 25 000 fraudulent accounts: Stated scale Qwen distillation abuse — key context для «experiment» defense.

Claude Code на personal laptop рядом с production API keys — blurry permission boundaries и poor egress auditability. Для production-grade iOS CI/CD и AI Agent automation VpsMesh Mac Mini cloud rental даёт isolated dedicated macOS nodes с root-level control и 24/7 uptime — стабильнее, чем mix personal desktops с production secrets. Тарифы: аренда Mac Mini M4; onboarding: центр помощи.

Bottom line: Anthropic removed code в v2.1.197+. Restores trust или нет — ваш call; часть community видит nothing burger (standard anti-distillation engineering); regulators и enterprise — serious undisclosed backdoor risk. Upgrade regardless; compliance policy решает, keep tool или нет.

Disclaimer: на publicly available NVDB reports, Anthropic statements и independent security research. Informational only — не legal или security audit advice.

FAQ

Claude Code backdoor: 10 FAQ

В v2.1.91–2.1.196 Anthropic shipped undisclosed steganography fingerprinting. NVDB/MIIT classified backdoor risk; Anthropic called anti-distillation experiment, removed в v2.1.197.

v2.1.91 (2 апреля 2026) — v2.1.196 (29 июня 2026). Upgrade до v2.1.197 или новее.

Нет. Hidden fingerprinting активировался только когда ANTHROPIC_BASE_URL указывал на non-official proxy или gateway endpoint.

Run claude --version в terminal или npm list -g @anthropic-ai/claude-code при npm install.

Upgrade immediately на affected version. Enterprise с compliance requirements могут additionally uninstall и audit outbound traffic. Isolated dev environments: цены аренды Mac Mini M4.

Altered system prompt date separator и swap visually identical Unicode apostrophe variants для encode timezone и proxy-domain hit signals.

Alibaba classified high-risk software после backdoor reports; staff directed на internal Qoder с 10 июля 2026.

Нет. Changelogs всех affected versions omitted mention механизма — central part controversy.

Anthropic removed code в v2.1.197+. Ongoing trust depends on risk tolerance и compliance policy организации.

Distillation trains model на outputs другой model. Anthropic said mechanism targeted unauthorized resellers и distillation pipelines — часть broader dispute с Chinese AI labs. Isolated agent hosting: центр помощи VpsMesh.