Who this is for: developers running Claude Code or Claude Desktop who route traffic through proxies, resellers, or custom gateways—and security leads who must separate hype from reproducible claims. What you get: a clear split between Incident A (April 2026 Native Messaging injection) and Incident B (June 30 prompt steganography when ANTHROPIC_BASE_URL is not api.anthropic.com), the full Unicode apostrophe mapping table, cited version numbers, and a six-step protection runbook. Subtitle: from silent browser injection to a covert channel hidden in a single apostrophe—and what it means for trusting AI vendors. Structure: six pain points, incident comparison table, technical breakdown, runbook, hard data, Mac cloud isolation bridge, FAQ.
In late June 2026, a developer reverse-engineering Claude Code published findings on thereallo.dev alleging that when ANTHROPIC_BASE_URL points anywhere other than api.anthropic.com, the CLI quietly rewrites the innocuous Today's date is... line in its system prompt—swapping date separators and visually identical Unicode apostrophes to encode whether you sit in a China timezone and whether your endpoint matches obfuscated domain or AI-lab keyword lists. The thread reached 350+ points on Hacker News and Reddit within hours. That story is Incident B. It is not the same as Incident A from April 2026, when privacy consultant Alexander Hanff reported in The Register that Claude Desktop on macOS silently writes com.anthropic.claude_browser_extension.json into Chrome, Edge, Brave, Arc, Vivaldi, Opera, and Chromium Native Messaging directories—pre-authorizing three extension IDs to call chrome-native-host outside the browser sandbox. Independent consultant Noah Kenney and Antiy Labs reportedly confirmed Hanff's technical claims were reproducible.
Conflating the two events produces bad security decisions. One is a persistent local privilege bridge; the other is an alleged covert classification channel in outbound prompts. Both share a pattern: behavior that users did not knowingly opt into, disclosed only after third-party reverse engineering—not in product docs or changelogs.
ANTHROPIC_BASE_URL. Direct api.anthropic.com traffic was not altered—important for teams deciding whether their official-subscription developers were affected.
One-line definition: this is not classic keylogging spyware, but a pair of alleged undisclosed covert channels—local Native Messaging pre-auth plus prompt steganography for proxy users—that security teams should treat as supply-chain and data-governance incidents until independently verified on their own builds.
If you already compared Claude against Cursor and Copilot in our 2026 AI coding assistant decision matrix, add a trust-and-telemetry row to that evaluation. Feature parity tables do not capture whether your CLI rewrites system prompts when you attach a gateway URL.
Use this table in architecture reviews when someone asks "is Claude Code spyware?" without specifying which binary, which OS, and which API route.
| Dimension | Incident A: Claude Desktop | Incident B: Claude Code | Classic spyware | Disclosed vendor telemetry |
|---|---|---|---|---|
| Product | Claude Desktop (macOS GUI) | Claude Code (CLI agent) | Any | Any |
| Alleged behavior | Writes com.anthropic.claude_browser_extension.json; pre-auth 3 extension IDs; chrome-native-host outside sandbox; recreates after delete | Rewrites Today's date is... with Unicode apostrophe swaps and date separator changes when ANTHROPIC_BASE_URL is custom | Covert exfiltration of files, keystrokes, credentials | Documented usage metrics, crash reports, opt-out paths |
| Trigger | Install / launch Claude Desktop (per Hanff reporting) | Non-default ANTHROPIC_BASE_URL only | Ongoing | Stated in ToS / privacy policy |
| Timeline | April 2026 (~4/18 onward) | June 30, 2026 disclosure; removed 2.1.197 (July 1) | N/A | N/A |
| Best label | Unauthorized third-party software modification; dormant high-privilege channel | Undisclosed covert user classification in prompts | Malware | Accepted tradeoff with consent |
Neither row is a reason to panic-delete every Anthropic subscription overnight. They are reasons to document which Anthropic surface each team uses, which API path each environment hits, and what your compliance regime requires when classification signals leave the client without explicit notice.
Anthropic's broader 2026 narrative—Series H funding and IPO positioning, enterprise life-sciences pushes, and export-control restrictions on frontier models—makes trust incidents more material, not less. Public-market and regulated buyers will ask whether "security-first" marketing matches client behavior.
According to the thereallo.dev reverse engineering report, the logic inspects your configured base URL against obfuscated lists. When matched, it encodes classification bits inside the system prompt's date line—human-readable at a glance, machine-readable at the Unicode code-point level.
Step 1 — date separator: if the system timezone is Asia/Shanghai or Asia/Urumqi, the date format switches from hyphens to slashes (for example 2026-06-30 becomes 2026/06/30).
Step 2 — apostrophe swap: the apostrophe in Today's changes to a visually similar character depending on what matched:
| Condition | Date format | Apostrophe | Unicode |
|---|---|---|---|
| Default (no domain or lab match) | 2026-06-30 | ' ASCII apostrophe | U+0027 |
| China-linked org/reseller domain match | 2026-06-30 | ’ right single quotation mark | U+2019 |
| AI lab keyword match (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, etc.) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab keyword | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| + China timezone (Asia/Shanghai / Asia/Urumqi) | 2026/06/30 (slash separator) | (as above per match tier) | — |
The domain and keyword lists are allegedly stored as base64 strings XORed with key 91, totaling on the order of 147 domain rules. To a developer skimming logs, the prompt looks ordinary English. To a backend classifier, one apostrophe's code point plus the date separator allegedly reveals proxy usage, timezone context, and reseller or lab affiliation.
Motivation (community consensus, not proven intent): Anthropic, OpenAI, and Google have publicly warned about model distillation—competitors harvesting API outputs to train smaller models. Unauthorized resellers and China-linked gateways are plausible targets. The intent may be defensible; the method is not. Hiding classification in punctuation, obfuscating lists in the binary, and omitting changelog notes when removing the code erodes the trust developer tools require.
If you proxy Claude Code, capture a system prompt fragment and inspect code points—not the rendered glyph:
```python
# Paste the "Today's" token from a captured system prompt
token = "Today's"  # replace with your captured string
for ch in token:
    # Print each character next to its code point; the glyph alone is not reliable
    print(repr(ch), hex(ord(ch)))
```
U+0027 is the baseline. U+2019, U+02BC, or U+02B9 on a custom base URL would corroborate the reverse engineering claims on builds prior to 2.1.197. Always pair spot checks with version pinning and hash verification in regulated environments.
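The spot check above can be extended to decode a whole captured prompt against the mapping table. This is an added example, not code from Claude Code or from the thereallo.dev report; the function name, the sample strings and the exact layout of the date line after "is" are assumptions.

```python
import re
import unicodedata

# Code point -> alleged meaning, copied from the table above (thereallo.dev report).
APOSTROPHE_TIERS = {
    0x0027: "default (no domain or lab match)",
    0x2019: "China-linked org/reseller domain match",
    0x02BC: "AI lab keyword match",
    0x02B9: "both domain and lab keyword",
}

# Any single character may sit between "Today" and "s", so look-alike glyphs still match.
# The date layout after "is" is an assumption based on the table's 2026-06-30 example.
DATE_LINE = re.compile(r"Today(.)s date is\s+\d{4}([-/])\d{2}\2\d{2}")


def classify_date_lines(prompt):
    """Return one finding per date line found in a captured system prompt."""
    findings = []
    for match in DATE_LINE.finditer(prompt):
        mark, separator = match.group(1), match.group(2)
        findings.append({
            "codepoint": f"U+{ord(mark):04X}",
            "name": unicodedata.name(mark, "UNKNOWN"),
            "tier": APOSTROPHE_TIERS.get(ord(mark), "unlisted code point"),
            "slash_date": separator == "/",
            "flagged": ord(mark) != 0x0027 or separator == "/",
        })
    return findings


# Constructed sample captures (not taken from a real session); escapes keep the
# look-alike characters unambiguous in source.
SAMPLES = {
    "direct": "Today's date is 2026-06-30.",
    "lab_keyword": "Today\u02bcs date is 2026-06-30.",
    "both_plus_timezone": "Today\u02b9s date is 2026/06/30.",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        for finding in classify_date_lines(text):
            print(label, finding)
```

Run it over prompts logged at your own gateway; a flagged finding on a pinned build is evidence worth attaching to the risk memo together with the binary hash.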
Legal wording: this article describes behavior alleged in third-party reverse engineering and journalism. Anthropic has not published a full technical post-mortem on Incident B at the time of writing. Treat claims as reproducible hypotheses until your security team validates them on your exact binary and configuration.
Run these steps in order. Skipping inventory is how teams discover a reseller gateway—and a Native Messaging manifest—only after a compliance questionnaire arrives.
ANTHROPIC_BASE_URL or vendor-supplied proxy URLs.
claude --version. Upgrade to 2.1.197 or newer if you rely on Anthropic's July 1 build. Confirm whether production uses api.anthropic.com or a third-party gateway; Incident B allegedly applied only to non-default URLs.
~/Library/Application Support/<Browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json for Chrome, Edge, Brave, Arc, Vivaldi, Opera, and Chromium profiles. Document contents, extension IDs, and chrome-native-host path. Delete if policy forbids; expect Claude Desktop to recreate the file on restart according to reported behavior.
Steps 3 and 5 are where MACCOME customers typically compress calendar risk: a rented Mac Mini M4 cloud node can host Claude Code agents in an isolated macOS image without touching personal Chrome profiles on a travel laptop.
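The Native Messaging manifest inventory from the runbook can be scripted as below. This is an added example, not Anthropic's or the cited researchers' code; it assumes the standard Chromium host-manifest keys `path` and `allowed_origins`, and it walks the Application Support tree rather than hardcoding per-browser directory names, which the article gives only as `<Browser>`.

```python
import hashlib
import json
import os
from pathlib import Path

MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"  # filename from the article
DEFAULT_ROOT = Path.home() / "Library" / "Application Support"


def find_manifests(root=DEFAULT_ROOT, max_depth=4):
    """Yield the manifest from every NativeMessagingHosts directory under root."""
    root = Path(root)
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        if len(here.parts) - len(root.parts) >= max_depth:
            dirnames[:] = []  # bound the walk; do not descend further
        if here.name == "NativeMessagingHosts" and MANIFEST_NAME in filenames:
            yield here / MANIFEST_NAME


def describe(manifest_path):
    """Summarise one manifest: file hash, host binary path, pre-authorized extension IDs."""
    raw = Path(manifest_path).read_bytes()
    record = {"manifest": str(manifest_path), "sha256": hashlib.sha256(raw).hexdigest()}
    try:
        data = json.loads(raw)
    except ValueError:  # malformed JSON or undecodable bytes
        data = None
    if not isinstance(data, dict):
        record["error"] = "not a JSON object"
        return record
    record["host_path"] = data.get("path")
    # allowed_origins entries have the form chrome-extension://<id>/
    record["extension_ids"] = [
        origin.split("://", 1)[-1].strip("/") for origin in data.get("allowed_origins", [])
    ]
    return record


def audit(root=DEFAULT_ROOT):
    """Return a sorted list of records suitable for an inventory or ticket."""
    return [describe(path) for path in sorted(find_manifests(root))]


if __name__ == "__main__":
    for record in audit():
        print(json.dumps(record, indent=2))
```

Comparing the recorded `sha256` values before and after a Claude Desktop restart shows whether a deleted manifest was recreated and whether its contents changed.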
Use these figures with primary links in risk memos. Executives understand HN point counts as developer attention; security councils understand pre-positioned Native Messaging hosts as latent privilege escalation surfaces regardless of current exploit status.
Desktop AI agents combine shell access, browser bridges, and long-lived credentials. Running them on the same MacBook that holds personal email, password-manager extensions, and production API keys maximizes blast radius when any vendor behavior—alleged or confirmed—crosses a trust line.
A dedicated rented Mac Mini M4 cloud node lets you run Claude Code with launchd persistence, MCP sidecars, and SSH access compatible with remote editors—without Claude Desktop touching your daily Chrome profile. You control timezone, base URL policy, and which browser profiles exist on the host at all.
Linux VPS alternatives save money for pure CLI workloads but break when your agent scripts invoke xcodebuild, Apple notarization, or other macOS-only chains already encoded in your repo. The comparison is not Anthropic vs Apple; it is co-mingled laptop vs isolated macOS agent host.
The June 2026 Claude Code steganography story is a case study in defensible goals implemented through indefensible concealment. Anti-distillation and anti-reselling are industry-wide concerns; embedding classification signals in Unicode punctuation, obfuscating rule lists, and omitting changelog disclosure when removing the code is how vendors lose developer trust faster than any benchmark win restores it.
The limits of the obvious alternatives are equally clear: (a) ignoring Incident A leaves Native Messaging pre-auth on macOS workstations with full user privilege; (b) banning Claude Code outright breaks teams that already standardized hooks and MCP workflows; (c) running the same agent stack on a laptop that mixes personal browsers and production secrets magnifies impact when the next undisclosed client behavior surfaces.
When you have inventoried binaries, pinned versions, and decided which base URLs are permitted, the next bottleneck is usually host isolation—not another thread on whether U+02B9 counts as spyware. For SSH in minutes, predictable monthly cost, and a macOS environment where Claude Code agents run with least privilege away from daily browser profiles, a MACCOME dedicated Mac Mini M4 cloud host is usually the better fit: real Apple Silicon, launchd-friendly uptime, and segmentation compatible with long-running agent processes. Compare regions and memory on the Mac Mini rental rates page; operational questions go to the cloud Mac support center.
Default to distrust until behavior is reproducible, documented, and switchable. Demand disclosure over steganography. And treat every desktop agent as high-privilege software—because vendors will keep learning that lesson on your machines until you move agents to boundaries you control.
The Register (Alexander Hanff, Claude Desktop Native Messaging, April 2026); Malwarebytes, gHacks, YOOTA (Incident A follow-on); thereallo.dev (original Claude Code reverse engineering, June 30, 2026); Tech Startups, TMC Insight, Developers Digest, TechTimes (2.1.197 removal coverage); Antiy Labs risk analysis (Claude Desktop browser channel).
FAQ
Is Claude Code spyware?
Not in the classic data-stealing sense, but according to reverse engineering reports, Claude Code embedded an undisclosed, obfuscated fingerprint in system prompts to flag China-linked proxy users when ANTHROPIC_BASE_URL was not api.anthropic.com. Anthropic removed the code in version 2.1.197. The behavior is best described as an undisclosed covert channel rather than traditional spyware.
Does Claude Code track my timezone?
According to the thereallo.dev report, Claude Code checked for Asia/Shanghai and Asia/Urumqi and switched the date separator from hyphens to slashes—but only when you used a non-default ANTHROPIC_BASE_URL. Official api.anthropic.com endpoints were not altered.
What is the apostrophe Unicode trick?
The apostrophe in Today's was allegedly swapped between U+0027 (default), U+2019 (China-linked domain match), U+02BC (AI lab keyword match), and U+02B9 (both domain and lab match) to encode classification signals inside the system prompt date line.
Why did Anthropic add this?
Community analysis and Hacker News discussion suggest the likely goal was anti-distillation and detection of unauthorized API reselling—a legitimate objective implemented in an allegedly hidden, obfuscated way.
Is this the same as the Claude Desktop spyware story?
No. Incident A (April 2026) involved Claude Desktop on macOS silently writing com.anthropic.claude_browser_extension.json Native Messaging manifests into browsers, disclosed by Alexander Hanff in The Register. Incident B (June 30, 2026) was Claude Code prompt steganography when using a custom base URL.
Are regular Claude web app users affected?
Incident B only triggered in Claude Code when ANTHROPIC_BASE_URL pointed somewhere other than api.anthropic.com. Users on the official web app or CLI with the default endpoint were not subject to the Unicode apostrophe encoding described in reverse engineering reports.
How do I remove Claude Desktop Native Messaging manifests?
On macOS, look under ~/Library/Application Support/<browser>/NativeMessagingHosts/ for com.anthropic.claude_browser_extension.json in Chrome, Edge, Brave, Arc, Vivaldi, Opera, and Chromium profiles. Delete as needed; according to reports, Claude Desktop may recreate the file on restart.
Which Claude Code versions contained the fingerprint code?
According to reverse engineering on thereallo.dev, versions 2.1.193, 2.1.195, and 2.1.196 contained the logic. Anthropic removed it in 2.1.197 released July 1, 2026; the public changelog did not mention the removal.