Claude Code: бэкдор и стеганография (v2.1.91–2.1.196) — технический разбор и руководство для разработчиков

~19 мин чтения · MACCOME

Аудитория: разработчики, reverse engineers и security-команды, использующие Claude Code через корпоративные gateway или API-реселлеров. 8 июля 2026 платформа NVDB Минпромторга КНР квалифицировала Claude Code v2.1.91–2.1.196 как несущий серьёзный риск бэкдора. В статье: полный таймлайн, пункты bulletin NVDB, условие триггера ANTHROPIC_BASE_URL, трёхфазный pipeline (recon → rule match → prompt injection), 147 правил XOR(91)+Base64, Unicode code-point mapping, позиции сторон, таблица медиа-формулировок, команды проверки/апгрейда/удаления, checklist 6+4 и hard data для security brief.

bolt

TL;DR — 30 секунд

  • Регулятор: NVDB 8 июля — встроенный monitoring без согласия; немедленный audit, uninstall или upgrade.
  • Затронутые build: v2.1.91 (2026-04-02) — v2.1.196 (2026-06-29); fix: v2.1.197+ (01–02 июля).
  • Триггер: логика не для всех пользователей — только при ANTHROPIC_BASE_URL != api.anthropic.com.
  • Enterprise fallout: Alibaba internal ban с 10 июля, миграция на Qoder.
  • Сейчас: claude --version + echo $ANTHROPIC_BASE_URL → upgrade/uninstall при попадании в диапазон.

Шесть технических разрывов доверия: от Reddit до NVDB

8 июля 2026 NVDB опубликовал risk advisory с формулировкой серьёзный риск бэкдора — первый официальный регуляторный verdict. Цепочка на нижнем уровне: covert detection в марте → ship в v2.1.91 (апрель) → ~20 silent releases → reverse engineering 30 июня → rollback v2.1.197 → Alibaba ban → NVDB 8 июля. Детальный Unicode mapping и Incident A/B — в статье о стеганографии Claude Code; здесь — regulatory spine + remediation runbook.

  1. Clickbait vs reverse engineering consensus: заголовки «Claude Code следит за всеми китайскими пользователями» ложны. Триггер — только non-default ANTHROPIC_BASE_URL. Путаница ломает credibility security team и вводит в заблуждение devs на прямом API.
  2. ~88 дней zero disclosure: logic с 2 апреля, ~20 итераций, ни одной строки в changelog. Удаление 1 июля в v2.1.197 — тоже без явного announcement. Trust-but-verify policy failed.
  3. Steganography, не telemetry channel: нет отдельного exfil socket. Механизм мутирует system prompt — date line + homoglyph apostrophe. Adnane Khan: covert channel embedded in system prompts, не documented usage telemetry.
  4. 147 obfuscated rules: domain/AI-lab keyword list в Base64 + XOR key 91 — Alibaba, Baidu, ByteDance, DeepSeek, Moonshot, Zhipu, MiniMax и др. Простой strings на npm bundle не извлекает — нужен full binary RE.
  5. High-privilege CLI context: filesystem R/W, shell exec, MCP. Undisclosed client-side fingerprint на таком surface — backdoor risk в compliance review, не «обычная аналитика».
  6. Supply-chain enforcement: Reuters/TechCrunch — Alibaba ban с 10 июля. Классификация «personal dev tool» устарела.

One-liner: не подтверждённый mass data breach, а undisclosed classification mechanism + regulatory label + Fortune-scale ban. Приоритет: version + base URL audit, не panic ban и не игнор.

В матрице AI-ассистентов 2026 добавьте строку «covert client behavior / regulatory incident» — SWE-bench не ловит system prompt tampering на proxy path.

Таймлайн: февраль — 10 июля 2026

  • Февраль 2026: Anthropic — инвестиции в anti-distillation (classifiers, behavioral fingerprints).
  • Март 2026: silent deploy covert detection, zero public disclosure.
  • 2026-04-02: v2.1.91 — detection code в production stream.
  • 04-02 — 06-29: ~20 releases, logic persists, changelog silent.
  • 2026-06-29: v2.1.196 — upper bound affected range.
  • 2026-06-30: Reddit LegitMichel777; Thereallo на thereallo.dev; Adnane Khan GitHub RE — v2.1.193/195/196 confirmed.
  • 2026-07-01: Thariq Shihipar на X — «experiment» марта, promise rollback tomorrow.
  • 2026-07-02: v2.1.197 removes code; changelog не упоминает removal.
  • 2026-07-03/04: Alibaba internal notice — ban с 10 июля, pivot Qoder.
  • 2026-07-08: NVDB official bulletin.
  • 2026-07-10: Alibaba ban effective.

NVDB bulletin: regulatory framing

По IT之家, 新京报:

  • Threat class: built-in monitoring, exfil sensitive data without consent.
  • Payload narrative: geolocation, identity markers — maps to steganography-encoded timezone/proxy/lab signals.
  • Affected builds: v2.1.91 — v2.1.196 (02.04 — 29.06.2026).
  • Remediation: full dev endpoint scan → immediate uninstall or upgrade → egress control + traffic monitoring.
  • Wording: «серьёзный риск бэкдора» vs Anthropic «experiment».

Кто реально в scope: ANTHROPIC_BASE_URL как gate

Самый критичный nuance: механизм не universal.

Activation predicate (RE consensus): env ANTHROPIC_BASE_URLnon-official endpoint — enterprise API gateway, third-party proxy, API reseller, self-hosted reverse proxy. Default api.anthropic.com subscribers не входили в code path.

Priority actors:

  • Команды на domestic resellers / aggregation gateways
  • DevOps с custom base URL в CI/CD и agent hosts
  • Организации с compliance proxy — client-side fingerprint возможен даже при «легитимном» proxy
  • Любой host на 2.1.91–2.1.196 без upgrade до 2.1.197+

Lower risk: direct official API, upgraded build, no non-default base URL — но проверьте: global npm install drift частая.

底层机制: recon → rule engine → prompt steganography

Три фазы pipeline. Полный Unicode table и A/B split — deep dive по стеганографии.

Phase 1 — Environment reconnaissance

  1. Timezone probe: Asia/Shanghai | Asia/Urumqi
  2. Hostname denylist match: parse ANTHROPIC_BASE_URL hostname vs embedded list

147 entries (LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach): China tech domains, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, 01.AI), known reseller gateways. Storage: Base64 decode → XOR(91) — defeats naive strings grep.

Phase 2 — Steganographic encoder (~3 bit)

Core controversy: no dedicated telemetry SDK — in-place mutation of routine system prompt line Today's date is...:

  • Date separator (1-bit class signal): China TZ hit → 2026-06-30 (hyphen) becomes 2026/06/30 (slash)
  • Homoglyph apostrophe (multi-bit flags): Today's apostrophe swapped among visually identical code points encoding domain hit / lab keyword hit / combined hit

~3 bits environment metadata в одной английской строке — shipped with every API request to Anthropic inference backend for server-side decode (inferred).

Phase 3 — Server-side classifier (inferred)

Public sources не раскрывают server consumer logic. Community inference: unauthorized reseller ID, distillation pipeline flagging, account risk scoring. Documented downstream: account ban risk, не confirmed user file exfiltration — не раздувайте до «data leak scandal».

Граница с normal telemetry: четыре отличия

  1. Channel: steganography in system prompt vs documented telemetry SDK
  2. Disclosure: ~3 months zero changelog; silent removal
  3. Targeting: geo + competitor/reseller fingerprinting, не aggregate usage metrics
  4. Privilege context: FS R/W + shell — lower tolerance for invisible behavior

Cybernews — «a nothing burger» (anti-distillation engineering). Представляем обе стороны.

Позиции: NVDB, Anthropic, Alibaba

NVDB / MIIT

Серьёзный риск бэкдора; monitoring без consent; audit endpoints; uninstall/upgrade; egress hardening.

Anthropic / Thariq Shihipar

format_quote

"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."

Framing: experiment, anti-reseller, anti-distillation. Senate letter context: Qwen ~25 000 fraud accounts, 28,8M interactions — Anthropic Series H / IPO context.

Alibaba (effective 10 июля 2026)

SCMP, Ars Technica: "As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities." Scope: Claude Code + Anthropic models (Sonnet, Opus, Fable); replacement Qoder.

Медиа-формулировки: backdoor vs experiment vs steganography

Источник Ключевой термин Акцент
NVDB / MIIT backdoor / серьёзная угроза Compliance, exfil risk, official directives
CNBC / Reuters security backdoor / built-in monitoring Neutral wire + corporate fallout
The Register covert code / secret steganography Technical accountability
Ars Technica spyware-like tracking Trust crisis
Cybernews «a nothing burger» Anti-distillation; overstated outrage
Anthropic experiment / anti-abuse Defensive measure

Контекст: AI distillation war 2026

  • Anthropic geo-blocks China; bypass via VPN, foreign billing, proxies
  • Февраль 2026: PKU/CAS paper — distillation traces в Chinese foundation models
  • Accusations vs DeepSeek, Moonshot, MiniMax, Alibaba; Qwen: 25K accounts, 28,8M interactions
  • Opus 4.8 self-ID as Qwen/DeepSeek — double-standard narrative
  • Domestic stacks accelerate; Alibaba Qoder as tooling-layer pivot

Community consensus: anti-distillation intent defensible; delivery — homoglyph steganography, obfuscated denylist, silent changelog — fails transparency test faster than any benchmark.

fact_check

Fact-check — пять пунктов перед decision

  • Не universal monitoring: только non-official ANTHROPIC_BASE_URL.
  • Fix build: majority sources — v2.1.197 (1 июля); часть CN media — v2.1.198. Pin 2.1.197+.
  • «Backdoor» = regulatory label; RE community — covert channel / fingerprint; Anthropic — experiment.
  • Primary harm vector — account enforcement, не confirmed mass credential exfil.
  • Version date micro-skew на v2.1.196 — trust claude --version output.

Version matrix

Тип Version Дата Примечание
First ship with covert logic v2.1.91 2026-04-02 Detection enters distribution
RE-verified builds v2.1.193 / 2.1.195 / 2.1.196 2026-06 Khan, Thereallo confirmed
Last affected v2.1.196 2026-06-29 NVDB upper bound
Fixed v2.1.197+ 2026-07-01/02 Code removed; changelog silent

Unicode apostrophe mapping — 3 bit в punctuation

Условие Date format Apostrophe Code point
Default 2026-06-30 ' ASCII U+0027
China-linked reseller domain 2026-06-30 RIGHT SINGLE QUOTATION MARK U+2019
AI lab keyword (deepseek, moonshot, zhipu…) 2026-06-30 ʼ MODIFIER LETTER APOSTROPHE U+02BC
Domain + lab dual match 2026-06-30 ʹ MODIFIER LETTER PRIME U+02B9
+ China timezone 2026/06/30 (per match tier above)
python
# Inspect code points in captured "Today's" token from system prompt
# U+0027 = default | U+2019 = domain | U+02BC = lab | U+02B9 = both
token = "Today's"  # replace with captured fragment
for ch in token:
    print(repr(ch), hex(ord(ch)))

Команды: version, base URL, upgrade, uninstall

bash
# 1. Check Claude Code version
claude --version

# 2. Check proxy trigger endpoint
echo $ANTHROPIC_BASE_URL

# 3. Upgrade via global npm
npm install -g @anthropic-ai/claude-code@latest

# 4. Built-in updater
claude update

Residual paths для полного uninstall:

  • macOS / Linux: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code
  • Windows: %USERPROFILE%\.claude, %USERPROFILE%\.claude.json и cache dirs

Enterprise: uninstall — не финал; egress audit dev endpoints на unauthorized AI API destinations.

Checklist: 6 шагов (personal) + 4 (enterprise)

Individual developer

  1. Version probe: claude --version — 2.1.91–2.1.196 = high risk.
  2. Base URL audit: echo $ANTHROPIC_BASE_URL — non-empty && != api.anthropic.com = proxy path history.
  3. Immediate upgrade: target v2.1.197+.
  4. Optional purge: npm uninstall + delete ~/.claude*.
  5. Prompt capture (optional): test account system prompt fragment vs Unicode table — steganography deep dive.
  6. Toolchain decision: isolate agent off daily-driver laptop.

IT / Security

  1. Asset inventory: scan dev laptops, CI runners, agent hosts; export ANTHROPIC_BASE_URL configs.
  2. Version remediation: force 2.1.197+ or NVDB-aligned uninstall; MDM pin anti-downgrade.
  3. Egress audit: dev segment logs; cross-ref reseller domains from 147-rule set via threat intel.
  4. Vendor review: update AI tooling allowlist; add «regulatory / covert client» dimension to assistant matrix.

Hard data для security brief

  • Rule set scale: ~147 Base64+XOR(91) hostname/keyword rules in v2.1.193/195/196, silently removed v2.1.197 (2026-07-01) — deliberate infrastructure.
  • Community signal: 2026-06-30 exposure — 350+ HN upvotes, 100+ comments — supply-chain tier, не forum rumor.
  • Enterprise anchor: Alibaba ban effective 2026-07-10 — Fortune-scale supply-chain action.

Вывод: daily laptop vs isolated agent host

Core tension: defensible goal via indefensible concealment — NVDB says backdoor, Anthropic says experiment, RE community says steganography. Wording tension = 2026 AI tooling supply-chain risk in miniature.

Alternative limits: (a) panic ban ломает standardized MCP hooks; (b) skip version/base URL audit = compliance gap; (c) high-privilege agent на laptop с personal browser + production API keys максимизирует blast radius при следующем undisclosed client behavior.

После version pin, base URL policy и egress audit bottleneck — host placement. Dev machine для экспериментов; production agent surface — dedicated macOS node: no sleep jitter, launchd uptime, segmented network.

Для SSH за минуты, predictable monthly cost и isolated macOS где Claude Code работает с least privilege вне personal Chrome и production secretsMACCOME dedicated Mac Mini M4 cloud host: real Apple Silicon, agent-compatible network segmentation. Тарифы: аренда Mac Mini; ops: центр помощи.

Trust but verify — требуйте documented telemetry, не homoglyph steganography. Каждый CLI agent = high-privilege software; переместите его в boundary, которую контролируете.

Источники

gavel

Disclaimer: материал на основе публичных источников NVDB, Anthropic, independent security research и media — не legal opinion и не security audit conclusion. RE findings — reproducible hypotheses до independent validation на вашем build.

FAQ

Есть ли в Claude Code настоящий бэкдор?

В v2.1.91–2.1.196 — недекларированная steganography detection logic. NVDB: серьёзный риск бэкдора; Shihipar: March experiment, removed v2.1.197. Точный RE-термин: covert channel, не classic keylogger backdoor.

Какие версии затронуты?

v2.1.91 (02.04) — v2.1.196 (29.06). Upgrade до 2.1.197+. Matrix: #s10.

Затронут ли официальный api.anthropic.com?

Нет. Только при ANTHROPIC_BASE_URL на non-official proxy/gateway. См. #s4.

Как проверить версию?

claude --version или npm list -g @anthropic-ai/claude-code. При 2.1.91–2.1.196: #s12.

Удалять Claude Code?

Приоритет upgrade. Compliance enterprises: uninstall + egress audit. Direct API + upgraded build — significantly lower risk.

Какая стеганография?

Mutation Today's date is...: date separator -/; apostrophe U+0027/U+2019/U+02BC/U+02B9. Mapping: #s11; deep dive: steganography article.

Почему Alibaba запретил Claude Code?

High-risk classification; internal ban 10 июля 2026; pivot Qoder — chain reaction после NVDB 8 июля.

Было в release notes?

Нет. Changelog silent на 2.1.91–2.1.196; removal в 2.1.197 не announced — core trust failure.

Безопасен ли Claude Code сейчас?

Code removed в 2.1.197+. Continued use — org risk tolerance. Isolated macOS agent: MACCOME Mac Mini.

Связь с distillation?

Anthropic targets unauthorized reselling + distillation; Qwen accusation ~25K accounts, 28,8M interactions. Context: Anthropic funding.