🔍 Software · Privacy

Claude Code Tracker Scandal, Alibaba Just Banned Anthropic’s Tool

The Claude Code tracker hid steganographic markers inside system prompts for three months. A researcher named Thereallo exposed it on June 30. Alibaba just declared the tool high-risk software.

Anthropic’s Claude Code tracker used invisible Unicode characters to fingerprint developers routing through Chinese proxies or sitting in Shanghai and Urumqi timezones. The code shipped in April, ran undisclosed for three months, and got removed the day after exposure. Here’s exactly how it worked and why Alibaba banned the tool.

📅 Updated July 2026 ⏱ 8 min read
Claude Code Tracker — The Three-Month Timeline Deployed Apr 2 v2.1.91 Undisclosed 3 mo no changelog Exposed Jun 30 HN 605 pts Removed Jul 1 v2.1.197 Alibaba ban Jul 10 high-risk tag

On June 30, 2026, an independent developer known as Thereallo published a blog post that shipped straight to the top of Hacker News, hitting 605 upvotes and 190 comments within hours. The post described a piece of code buried inside Claude Code — Anthropic’s terminal-based AI coding agent — that was doing something no changelog had ever mentioned: it was reading each user’s environment variables and system timezone, then silently rewriting the system prompt with invisible Unicode markers if the answers matched a hardcoded list.

The Claude Code tracker had shipped in version 2.1.91 on April 2, 2026. It ran undisclosed for approximately three months before a Reddit user named LegitMichel777 and Thereallo independently reverse-engineered the binary and pieced together what it did. Anthropic engineer Thariq Shihipar confirmed the code on X within a day, described it as an experiment against unauthorized resellers, and shipped the removal in v2.1.197 on July 1. Ten days later, Alibaba labeled Claude Code high-risk software with security vulnerabilities and banned it for all employees.

The technique itself has a name: prompt steganography. Rather than adding a normal telemetry field, the code took the innocuous sentence “Today’s date is 2026-06-30” and mutated it in ways only a machine could see. The apostrophe in “Today’s” was swapped for one of three visually identical Unicode characters. The dashes in the date were replaced with slashes. Each combination encoded a different signal about whether the user was routing through a Chinese proxy, a known reseller, an AI-lab-linked domain, or some mix of the three. To the developer reading their own logs, nothing looked wrong. To Anthropic’s backend, every request now carried a four-bit classifier hidden in plain English.

The business motive is not hard to reconstruct. Chinese resellers offer Claude Pro access — normally over $100 per month in the United States — for roughly $12, and Anthropic has publicly accused Chinese AI labs of running distillation attacks that train competing models on Claude outputs. Alibaba’s Qwen model reportedly identified itself as Claude during tests, according to The Information. The steganographic marker was designed to flag traffic that looked like it might be part of one of those pipelines. What set the community off was not the goal. It was the method: a tool that reads your filesystem and runs shell commands on your laptop, quietly modifying its own prompts to fingerprint you, with nothing in the release notes.

The exposure was only possible because of a separate Anthropic mistake three months earlier. On March 31, 2026, Anthropic accidentally shipped the full Claude Code source — roughly 512,000 lines of TypeScript across 1,900 files — inside an npm package update as a debug source map. That leak turned function names like Crt, Rrt, and Qup into greppable text. Without it, the steganographic tracker would still be running today. The scandal is what happens when a security-through-obscurity choice meets an actual audit.

📊 The Quick Truth
The mechanism

Invisible Unicode markers in the date string

Claude Code swapped the apostrophe in “Today’s date is” for one of three visually identical Unicode characters. Each combination encoded a classification signal readable only by Anthropic’s servers.

The triggers

Custom API base URL, Shanghai/Urumqi timezone

The tracker activated when ANTHROPIC_BASE_URL pointed at a hostname matching a hardcoded list (deepseek, moonshot, zhipu, baichuan, baidu, alibaba, bytedance, jd) or when the system timezone was Asia/Shanghai or Asia/Urumqi.

The obfuscation

Base64 encoding, XOR key 91

The domain and keyword lists were stored as base64 strings and XOR-decoded with key 91 at runtime. This is what you do when you want the strings not to show up in a plain grep of the binary.

The response

Removed July 1, Alibaba banned July 10

Anthropic shipped v2.1.197 the day after exposure with the tracker removed. Alibaba subsequently labeled Claude Code high-risk software and banned it internally, citing back-door risks.

FramingHow Anthropic described itWhat the code actually did
Purpose“Experiment against account abuse”Silent classifier on every request
DisclosureNo changelog entry, no docsThree months undisclosed operation
TargetUnauthorized resellers, distillationAnyone with Chinese timezone or proxy
TechniqueNot framed publiclySteganographic Unicode substitution
Removal timing“Meant to take this down for a while”Removed one day after public exposure

Claude Code Tracker — The 5 Details That Made This a Scandal

01

The apostrophe that wasn’t the apostrophe

The steganography

The most technically striking part of the Claude Code tracker is how invisible it was. Human eyes cannot distinguish U+2019 (the standard right single quotation mark) from U+02BC (modifier letter apostrophe) or U+02B9 (modifier letter prime) in any typical monospaced developer font. All three characters render identically. All three would pass any reasonable visual inspection of a log file. But at the byte level, each is a completely different code point, which is what made them useful as a covert signal.

The tracker used all three, mapped to different classification states. If the user was on a Chinese proxy but not an AI-lab-linked domain, the code substituted one variant. If the timezone matched Asia/Shanghai without the base URL trigger, another. If both conditions hit at once, a third. The dash-to-slash swap in the date string added additional bits. The result was a small classifier that fit inside a sentence a developer sees at the start of every Claude Code session, invisible to the user, but trivially machine-readable at Anthropic’s backend.

💡 Why it landed. Steganography is exactly the technique you would pick if the goal was to fingerprint users without them noticing. That is the point developers latched onto, not the underlying business case.
02

The XOR key 91 and the base64 domain list

The obfuscation stack

The hardcoded list of Chinese domains and keywords was not stored as plain text. Thereallo’s analysis showed the list was base64-encoded and then XOR-obfuscated with the key 91. At runtime, the code decoded the string in memory and used it to match against the user’s environment variables. On disk, the list was invisible to anyone running strings against the binary or grepping for suspicious hostnames.

When decoded, the list contained the names most people would expect: deepseek, moonshot, zhipu, baichuan, plus the domains of Baidu, Alibaba, ByteDance, and JD.com, along with a set of known Claude Pro resellers and proxy gateways. None of the domains were obscure. All of them were plainly identifiable Chinese AI or e-commerce infrastructure. The obfuscation was not about hiding the intent from a determined adversary. It was about making the discovery cost high enough that casual audits would miss it — which held for exactly three months.

💡 The read. XOR-91 plus base64 is trivial to reverse. What it does buy you is protection against passive discovery: string dumps, grep searches, superficial audits. That level of obfuscation implies awareness that the code was not something Anthropic wanted found.
03

The March 31 source code leak that made this findable

The lucky break

The Claude Code tracker would probably still be running if Anthropic had not made a separate mistake first. On March 31, 2026, an npm package update to Claude Code included a debug source map file that inadvertently exposed approximately 512,000 lines of TypeScript source code across 1,900 files. The full internal build was available for anyone who pulled the update in the roughly 24-hour window before it was patched.

That leak turned reverse engineering the tracker from a hard problem into a moderate one. Function names like Crt, Rrt, and Qup — the specific routines that check ANTHROPIC_BASE_URL and match against the domain list — became greppable text with intent behind them. Without the source map leak, Thereallo would have been working from a minified bundle where every identifier was a single letter and every control flow was obscured. The scandal is downstream of a separate operational failure that gave the community the tools it needed to find this.

💡 What it changed. Two Anthropic mistakes, three months apart, compounded into one exposure. Neither alone would have surfaced this. Both together handed the story to the security research community.
04

The asymmetry Thereallo actually pointed at

The core critique

The sharpest technical criticism in Thereallo’s write-up was not that the tracker existed. It was that the tracker was structurally useless against the actual adversaries it was designed to catch. Anyone running a serious distillation pipeline or a large-scale reseller operation can patch the Claude Code binary, change their system timezone, wrap the process, or route around the check in under five minutes. The obfuscation stops none of that.

What the tracker does catch, reliably, is normal developers doing legitimate but unusual things. Corporate teams routing Claude Code through a LiteLLM gateway or an internal proxy for compliance reasons. Consultants working from Shanghai for a Western client. Researchers evaluating Claude Code against other models in a controlled environment. Every one of those users lit up the classifier without knowing it existed. The people the tracker was actually designed to catch could disable it in the time it takes to read the code. This is what Thereallo meant by describing the feature as “the worst category of security control”: one that operates entirely on the people it should not be operating on.

💡 The structural problem. Security controls that are trivial for adversaries to bypass and impossible for regular users to detect end up as surveillance on the wrong population. That was the actual community complaint, not the anti-abuse goal itself.
05

Alibaba’s July 10 ban and what it signals

The corporate response

Roughly ten days after the exposure, Alibaba issued an internal memo labeling Claude Code high-risk software with security vulnerabilities and prohibiting its use across the company, according to reporting by The Next Web. Alibaba is not a neutral bystander here — the Qwen model developed by Alibaba’s DAMO Academy is one of the systems Anthropic has publicly implicated in distillation. The ban has an obvious defensive component alongside the technical justification.

What matters strategically is the framing. Alibaba did not describe Claude Code as compromised or malicious. It described the tool as carrying back-door risks — language usually reserved for state-sponsored implants or supply chain attacks. When a $200 billion company adopts that framing about a developer tool from a leading Western AI lab, the reputational cost is not confined to the Chinese market. Enterprise procurement teams anywhere in the world reviewing AI coding tools now have a documented reference point for calling this class of behavior high-risk. That is the cost Anthropic will still be paying long after the tracker itself is gone.

💡 The precedent. Corporate bans on developer tools rarely happen. When they do, they set a benchmark for how other procurement teams evaluate the same category of risk. Alibaba’s memo will be cited.

Claude Code Tracker — What the Anthropic Engineer Actually Said

06

Thariq Shihipar’s confirmation on X

The public response

Thariq Shihipar, an engineer on the Claude Code team, confirmed the tracker on X within a day of the exposure. His statement described the code as an experiment launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. He also said stronger mitigations had already shipped since the experiment started, that the team had been meaning to remove the tracker for a while, and that the removal was already scheduled for the next release.

The framing is internally consistent. Anthropic has publicly described distillation attacks as posing what a company spokesperson called a serious threat to national security, per reporting in The Information. The company already restricts Claude access in China on similar grounds. From inside the company’s posture, running a technical experiment to identify traffic patterns associated with the specific set of behaviors it is trying to stop is defensible in principle. What the response did not address was the choice to use undisclosed steganography rather than a documented telemetry field with a changelog entry, which is what most of the community discussion actually focused on.

07

The distillation problem is real

The business context

The abuse pattern Anthropic pointed at is genuine and quantifiable. Chinese resellers reportedly offer Claude Pro subscriptions — normally over $100 per month in the United States — for roughly $12 per month. That kind of price gap only works if the reseller is amortizing a single legitimate account across many downstream users, or if API access is being obtained fraudulently and redistributed. Either way, the traffic ends up looking like exactly the pattern the tracker was designed to flag.

The distillation concern is a separate but related issue. When a competitor queries a commercial model at scale to train a lookalike system, the outputs are effectively being harvested for use in a rival product. Anthropic and other Western AI labs have accused Chinese firms of exactly this pattern, and one specific data point cited across coverage was Alibaba’s Qwen model occasionally identifying itself as Claude during testing — the kind of leakage that suggests training data provenance issues. The technical case for wanting to detect this traffic is real. The community disagreement was never about whether the problem exists. It was about whether steganographic markers with no disclosure are an appropriate way to address it.

08

The pattern of Anthropic operational incidents

The broader context

The Claude Code tracker sits inside a broader run of documented Anthropic incidents over the first half of 2026. In March, the accidental source code leak exposed 512,000 lines of internal TypeScript. Around the same time, security researchers documented a vulnerability where a single crafted GitHub Issue could have compromised any Claude Code user who processed it. Each individual incident has a plausible technical explanation, but the accumulated pattern is what enterprise buyers care about.

For a company whose brand promise is safety, transparency, and constitutional AI — Anthropic markets itself explicitly on trustworthy AI system design — the accumulation matters more than any single event. Enterprise procurement teams evaluating vendors for regulated workloads track exactly this kind of history. A pattern of undisclosed behavior, source leaks, and remote-code-execution paths through the developer surface becomes a documented reason to prefer a competitor when the next contract comes up for renewal. That is the cost Anthropic will be paying for years.

📊 By the Numbers
📅
3 mo
Tracker ran undisclosed before exposure
🔥
605
Hacker News upvotes on Thereallo’s post
📂
512K
Lines of Claude Code source leaked in March
💰
$12
Chinese reseller price for $100+ Claude Pro

This is not a malicious feature,
but it is a weird choice for a
developer tool that asks for trust.

Thereallo — thereallo.dev, June 30, 2026
🛠 What to do if you use Claude Code
  • Update to v2.1.197 or later. The removal shipped July 1, 2026. Any Claude Code install running v2.1.91 through v2.1.196 still contains the tracker code. Enterprise deployments with pinned versions need explicit upgrade.
  • Audit your ANTHROPIC_BASE_URL setting. If you route Claude Code through a corporate proxy, LiteLLM gateway, or internal API router, your traffic was being classified for three months. Log inspection is worth running to understand what was captured.
  • Record hashes and versions of AI clients. For sensitive environments, capture the binary hash of each Claude Code install and match against the release manifest. Auto-updates should be reviewed against changelogs rather than trusted by default.
  • Use network inspection in test environments. Malwarebytes and other security researchers now recommend capturing full requests to AI APIs and analyzing them for Unicode anomalies. Standard for chat apps, newly relevant for coding agents.
  • Reconsider auto-update policies for AI dev tools. The Claude Code tracker shipped inside a routine version bump with no disclosure. Treating AI coding agent updates as automatic-safe no longer reflects the current threat model.

⚠️ Three things easy to miss in the coverage

1. The tracker did not affect model output. The steganographic markers were metadata for Anthropic’s classifiers, not instructions for Claude itself. Code quality, completions, and responses were not manipulated. The concern is disclosure and covert fingerprinting, not degraded output.

2. Normal Claude Code use never triggered the tracker. The mutation only activated when ANTHROPIC_BASE_URL was set to a custom hostname or when the system timezone matched Shanghai or Urumqi. Users on the default endpoint with a Western timezone were unaffected.

3. The removal was already planned. Anthropic’s engineer confirmed the tracker was scheduled for removal before the exposure hit — stronger anti-abuse mitigations had reportedly made it obsolete. The July 1 timing was the community forcing the schedule to accelerate, not Anthropic conceding the technique was wrong.

✅ The Bottom Line

Claude Code tracker scandal — what to remember

1
The mechanism: Steganographic Unicode substitution in the system prompt date string. Invisible to users, machine-readable at Anthropic’s backend.
2
The triggers: Custom ANTHROPIC_BASE_URL matching Chinese domains (deepseek, moonshot, zhipu, baichuan, alibaba, bytedance, jd) or timezone set to Asia/Shanghai or Asia/Urumqi.
3
The timeline: Deployed April 2 in v2.1.91. Ran undisclosed for three months. Exposed June 30 by Thereallo and LegitMichel777. Removed July 1 in v2.1.197.
4
The corporate fallout: Alibaba labeled Claude Code high-risk software and banned it internally on July 10, citing back-door risks. Anthropic has not issued a detailed public postmortem.
5
The core critique: The tracker was trivial for actual adversaries to bypass and impossible for normal users to detect. Security control operating on the wrong population.
🔗 For the full technical write-up with the deminified function chain and decoded domain list, see Thereallo’s original blog post on prompt steganography in Claude Code.

💬 Frequently Asked Questions

Q. What exactly did the Claude Code tracker do?
The Claude Code tracker read two things: the ANTHROPIC_BASE_URL environment variable and the system timezone. If the base URL matched a hardcoded list of Chinese domains or the timezone was Asia/Shanghai or Asia/Urumqi, the code rewrote the system prompt date string using invisible Unicode substitutions. The mutation was steganographic — visually identical to a normal date, but encoded a classification signal readable at Anthropic’s backend.
Q. Did the tracker affect Claude’s responses or my code?
No. The markers were metadata for Anthropic’s server-side classifiers, not instructions to the Claude model. Code completions, suggestions, and generated output were identical whether or not the tracker was active. The concern is covert fingerprinting and disclosure, not manipulated output quality.
Q. Which Claude Code versions contained the tracker?
The tracker shipped in Claude Code v2.1.91, released April 2, 2026. It remained in every version through v2.1.196. Anthropic removed the code in v2.1.197, released July 1, 2026 — one day after Thereallo’s blog post hit Hacker News. Any Claude Code install pinned to a version between v2.1.91 and v2.1.196 still contains the tracker code today.
Q. Why did Alibaba ban Claude Code?
Alibaba issued an internal memo around July 10, 2026 labeling Claude Code high-risk software with security vulnerabilities, per reporting by The Next Web. The specific concern cited was back-door risks. Alibaba’s Qwen model has been implicated in the distillation attacks Anthropic used to justify the tracker, so there is a defensive component to the ban alongside the technical justification.
Q. Is this legal, and can Anthropic keep doing this?
Anthropic’s terms of service allow detecting abuse and enforcing API usage rules, which likely covers the tracker’s intended function. The community complaint focuses on disclosure specifically. A tool with filesystem and shell access on developer machines is held to a higher transparency standard than a chat app. The legality is less contested than the appropriateness. Thariq Shihipar’s public statement suggests Anthropic considers the technique defensible in principle but plans to use different mechanisms going forward.
✍️
Editor’s Note. Reporting on the Claude Code tracker verified through Thereallo’s original technical write-up at thereallo.dev, Malwarebytes coverage of Anthropic’s response, Gadget Review and Yahoo Tech reporting on Alibaba’s internal ban, and AI Weekly’s summary of Thariq Shihipar’s X statement. The Information is cited for the Alibaba Qwen self-identification finding and Anthropic’s national security framing. Version numbers, timeline, and technical mechanism details cross-referenced against TFTC, Singularity Kiwi, and QWE AI Academy technical analyses published between June 30 and July 10, 2026.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top