v2.1.91–2.1.196 · ANTHROPIC_BASE_URL trigger · Unicode covert channel · Alibaba ban · distillation war
Если вы гоняете Claude Code, выполните claude --version немедленно. Версии 2.1.91–2.1.196 содержали undisclosed код, который через steganography в system prompt fingerprintил proxy-users. 8 июля 2026 NVDB/MIIT классифицировал это как severe backdoor risk; с 10 июля Alibaba запретил tool company-wide. Разбираем trigger ANTHROPIC_BASE_URL, Unicode covert channel, timeline, заявления сторон, distillation context, 6-шаговый runbook и 10 FAQ.
Affected: v2.1.91 (2 апр) – v2.1.196 (29 июн). Fixed: v2.1.197+. Trigger только при non-official ANTHROPIC_BASE_URL — official API users не затронуты. Anthropic: anti-distillation experiment; NVDB: backdoor. Upgrade немедленно; enterprise — audit egress.
Скрытый механизм не мониторил каждого user. Activation condition: ANTHROPIC_BASE_URL указывает на non-official endpoint — enterprise gateway, third-party proxy, API reseller.
| Profile | ANTHROPIC_BASE_URL | Triggered? | Action |
|---|---|---|---|
| Official API user | Unset или api.anthropic.com | Нет | Upgrade до 2.1.197+ |
| Enterprise gateway | Custom proxy endpoint | Да (affected version) | Upgrade + egress audit |
| API reseller user | Third-party domain | Да (147-rule blacklist) | Upgrade + compliance review |
| Version type | Number | Date | Status |
|---|---|---|---|
| First affected | v2.1.91 | 2026-04-02 | Vulnerable |
| Last affected | v2.1.196 | 2026-06-29 | Vulnerable |
| Fixed | v2.1.197 / 2.1.198 | 2026-07-01/02 | Safe |
Proxy endpoint risk: Teams, routing Claude через internal gateways, попадали под match hostname против 147 XOR-obfuscated blacklist entries — Alibaba, Baidu, ByteDance, DeepSeek, Moonshot, Zhipu, MiniMax, known resellers.
~3 месяца undisclosed: Logic persisted across ~20 releases апр–июн без единой changelog entry — core trust violation.
High-privilege tool: Claude Code имеет filesystem R/W и shell execution. Covert behavior в таком tool пересекает line, которую normal telemetry не пересекает.
Claude Code — terminal-based AI coding agent Anthropic. Story arc: covert detection code embedded quietly → developers reverse-engineered → Anthropic apologized and rolled back → Alibaba banned → China NVDB classified severe backdoor risk.
2026: Anthropic публично инвестирует в anti-distillation tech (classifiers, behavioral fingerprints).
2026: Covert detection ships internally в Claude Code — zero public disclosure.
02: v2.1.91 release с detection code в distribution.
30: Reddit user LegitMichel777 exposes steganography; Thereallo публикует technical analysis; Adnane Khan validates v2.1.193/195/196 на GitHub.
01: Engineer Thariq Shihipar на X: March «experiment» против abuse и distillation; promises rollback next day.
Jul 2: v2.1.197 removes code — changelog silent.
Jul 3–4: Reuters и TechCrunch: Alibaba ban Claude Code с 10 июля, switch staff на internal Qoder.
Jul 8: NVDB/MIIT official warning: built-in monitoring mechanism передаёт location и identity-related identifiers без user consent — classified severe backdoor risk.
Tech community использует термин steganography, не telemetry. Separate reporting channel отсутствовал — tool tampered system prompt itself. Adnane Khan: «covert information channel embedded in system prompts».
Trigger: ANTHROPIC_BASE_URL set to any non-official endpoint.
Environment recon: Timezone check на Asia/Shanghai или Asia/Urumqi; proxy hostname match против 147 XOR(key=91) + Base64 obfuscated blacklist.
Covert encoding: Date separator flip 2026-06-30 → 2026/06/30 при China timezone; apostrophe в Today's date is swap между visually identical Unicode variants (U+0027, U+2019, U+02BC, U+02B9) — три boolean flags, ~3 bits environment data в normal-looking English sentence на каждый request.
| Condition | Date format | Apostrophe | Unicode |
|---|---|---|---|
| Default (no match) | 2026-06-30 | ASCII apostrophe | U+0027 |
| China-linked domain/reseller | 2026-06-30 | right single quote | U+2019 |
| AI-lab keyword hit | 2026-06-30 | modifier letter apostrophe | U+02BC |
| Domain + lab | 2026-06-30 | modifier letter prime | U+02B9 |
| + China timezone | 2026/06/30 | (as above) | Asia/Shanghai · Asia/Urumqi |
claude --version echo $ANTHROPIC_BASE_URL npm install -g @anthropic-ai/claude-code@latest claude update
Dispute не про collection data — про steganography без disclosure, targeting specific geographies и commercial rivals.
Thariq Shihipar (Claude Code team) на X: «This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release.»
| Source | Framing | Angle |
|---|---|---|
| NVDB / MIIT | Security backdoor risk / severe threat | Compliance и data exfiltration |
| CNBC / Reuters | Built-in monitoring mechanism | Neutral regulatory relay + enterprise fallout |
| The Register | Covert code / secret steganography | Technical accountability |
| Ars Technica | Spyware-like tracking | Trust crisis |
| Cybernews | «A nothing burger» (часть devs) | Overreaction; standard anti-distillation engineering |
| Anthropic | Undisclosed experiment | Legitimate anti-abuse purpose |
Public reports не подтвердили data breach или direct financial harm. Documented risk: undisclosed monitoring behavior, compliance exposure, account-ban risk для flagged proxy users.
Per SCMP и Ars Technica, internal notice Alibaba: «As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities.» Effective 10 июля 2026: Claude Code и все Anthropic model products (Sonnet, Opus, Fable) banned; staff directed на internal platform Qoder.
Anthropic ранее сообщил US Senate Banking Committee: Qwen team Alibaba использовал ~25 000 fraudulent accounts, генерируя 28,8 млн interactions для distillation Claude capabilities. Feb 2026 paper Peking University / CAS: distillation traces в major Chinese models. Claude Opus 4.8 misidentified себя как Qwen/DeepSeek в tests — делает China-user fingerprinting особенно awkward. Это broader context, почему Anthropic built covert detection.
Check version: claude --version — если 2.1.91–2.1.196, act now.
Check proxy: echo $ANTHROPIC_BASE_URL — non-official endpoints были trigger.
Upgrade: npm install -g @anthropic-ai/claude-code@latest или claude update.
Full uninstall (optional): Remove ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code на macOS/Linux.
Enterprise egress audit: Scan dev machines на unauthorized AI service endpoints; outbound traffic controls per NVDB guidance.
Evaluate alternatives: Qoder, Cursor, Codex CLI, self-hosted agents — по compliance needs.
strings.Claude Code на personal laptop рядом с production API keys — blurry permission boundaries и poor egress auditability. Для production-grade iOS CI/CD и AI Agent automation VpsMesh Mac Mini cloud rental даёт isolated dedicated macOS nodes с root-level control и 24/7 uptime — стабильнее, чем mix personal desktops с production secrets. Тарифы: аренда Mac Mini M4; onboarding: центр помощи.
Bottom line: Anthropic removed code в v2.1.197+. Restores trust или нет — ваш call; часть community видит nothing burger (standard anti-distillation engineering); regulators и enterprise — serious undisclosed backdoor risk. Upgrade regardless; compliance policy решает, keep tool или нет.
Disclaimer: на publicly available NVDB reports, Anthropic statements и independent security research. Informational only — не legal или security audit advice.
В v2.1.91–2.1.196 Anthropic shipped undisclosed steganography fingerprinting. NVDB/MIIT classified backdoor risk; Anthropic called anti-distillation experiment, removed в v2.1.197.
v2.1.91 (2 апреля 2026) — v2.1.196 (29 июня 2026). Upgrade до v2.1.197 или новее.
Нет. Hidden fingerprinting активировался только когда ANTHROPIC_BASE_URL указывал на non-official proxy или gateway endpoint.
Run claude --version в terminal или npm list -g @anthropic-ai/claude-code при npm install.
Upgrade immediately на affected version. Enterprise с compliance requirements могут additionally uninstall и audit outbound traffic. Isolated dev environments: цены аренды Mac Mini M4.
Altered system prompt date separator и swap visually identical Unicode apostrophe variants для encode timezone и proxy-domain hit signals.
Alibaba classified high-risk software после backdoor reports; staff directed на internal Qoder с 10 июля 2026.
Нет. Changelogs всех affected versions omitted mention механизма — central part controversy.
Anthropic removed code в v2.1.197+. Ongoing trust depends on risk tolerance и compliance policy организации.
Distillation trains model на outputs другой model. Anthropic said mechanism targeted unauthorized resellers и distillation pipelines — часть broader dispute с Chinese AI labs. Isolated agent hosting: центр помощи VpsMesh.