Аудитория: разработчики, reverse engineers и security-команды, использующие Claude Code через корпоративные gateway или API-реселлеров. 8 июля 2026 платформа NVDB Минпромторга КНР квалифицировала Claude Code v2.1.91–2.1.196 как несущий серьёзный риск бэкдора. В статье: полный таймлайн, пункты bulletin NVDB, условие триггера ANTHROPIC_BASE_URL, трёхфазный pipeline (recon → rule match → prompt injection), 147 правил XOR(91)+Base64, Unicode code-point mapping, позиции сторон, таблица медиа-формулировок, команды проверки/апгрейда/удаления, checklist 6+4 и hard data для security brief.
TL;DR — 30 секунд
ANTHROPIC_BASE_URL != api.anthropic.com.claude --version + echo $ANTHROPIC_BASE_URL → upgrade/uninstall при попадании в диапазон.8 июля 2026 NVDB опубликовал risk advisory с формулировкой серьёзный риск бэкдора — первый официальный регуляторный verdict. Цепочка на нижнем уровне: covert detection в марте → ship в v2.1.91 (апрель) → ~20 silent releases → reverse engineering 30 июня → rollback v2.1.197 → Alibaba ban → NVDB 8 июля. Детальный Unicode mapping и Incident A/B — в статье о стеганографии Claude Code; здесь — regulatory spine + remediation runbook.
ANTHROPIC_BASE_URL. Путаница ломает credibility security team и вводит в заблуждение devs на прямом API.strings на npm bundle не извлекает — нужен full binary RE.One-liner: не подтверждённый mass data breach, а undisclosed classification mechanism + regulatory label + Fortune-scale ban. Приоритет: version + base URL audit, не panic ban и не игнор.
В матрице AI-ассистентов 2026 добавьте строку «covert client behavior / regulatory incident» — SWE-bench не ловит system prompt tampering на proxy path.
ANTHROPIC_BASE_URL как gateСамый критичный nuance: механизм не universal.
Activation predicate (RE consensus): env ANTHROPIC_BASE_URL → non-official endpoint — enterprise API gateway, third-party proxy, API reseller, self-hosted reverse proxy. Default api.anthropic.com subscribers не входили в code path.
Priority actors:
Lower risk: direct official API, upgraded build, no non-default base URL — но проверьте: global npm install drift частая.
Три фазы pipeline. Полный Unicode table и A/B split — deep dive по стеганографии.
Asia/Shanghai | Asia/UrumqiANTHROPIC_BASE_URL hostname vs embedded list147 entries (LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach): China tech domains, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, 01.AI), known reseller gateways. Storage: Base64 decode → XOR(91) — defeats naive strings grep.
Core controversy: no dedicated telemetry SDK — in-place mutation of routine system prompt line Today's date is...:
2026-06-30 (hyphen) becomes 2026/06/30 (slash)Today's apostrophe swapped among visually identical code points encoding domain hit / lab keyword hit / combined hit~3 bits environment metadata в одной английской строке — shipped with every API request to Anthropic inference backend for server-side decode (inferred).
Public sources не раскрывают server consumer logic. Community inference: unauthorized reseller ID, distillation pipeline flagging, account risk scoring. Documented downstream: account ban risk, не confirmed user file exfiltration — не раздувайте до «data leak scandal».
Cybernews — «a nothing burger» (anti-distillation engineering). Представляем обе стороны.
Серьёзный риск бэкдора; monitoring без consent; audit endpoints; uninstall/upgrade; egress hardening.
"This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."
Framing: experiment, anti-reseller, anti-distillation. Senate letter context: Qwen ~25 000 fraud accounts, 28,8M interactions — Anthropic Series H / IPO context.
SCMP, Ars Technica: "As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities." Scope: Claude Code + Anthropic models (Sonnet, Opus, Fable); replacement Qoder.
| Источник | Ключевой термин | Акцент |
|---|---|---|
| NVDB / MIIT | backdoor / серьёзная угроза | Compliance, exfil risk, official directives |
| CNBC / Reuters | security backdoor / built-in monitoring | Neutral wire + corporate fallout |
| The Register | covert code / secret steganography | Technical accountability |
| Ars Technica | spyware-like tracking | Trust crisis |
| Cybernews | «a nothing burger» | Anti-distillation; overstated outrage |
| Anthropic | experiment / anti-abuse | Defensive measure |
Community consensus: anti-distillation intent defensible; delivery — homoglyph steganography, obfuscated denylist, silent changelog — fails transparency test faster than any benchmark.
Fact-check — пять пунктов перед decision
ANTHROPIC_BASE_URL.claude --version output.| Тип | Version | Дата | Примечание |
|---|---|---|---|
| First ship with covert logic | v2.1.91 | 2026-04-02 | Detection enters distribution |
| RE-verified builds | v2.1.193 / 2.1.195 / 2.1.196 | 2026-06 | Khan, Thereallo confirmed |
| Last affected | v2.1.196 | 2026-06-29 | NVDB upper bound |
| Fixed | v2.1.197+ | 2026-07-01/02 | Code removed; changelog silent |
| Условие | Date format | Apostrophe | Code point |
|---|---|---|---|
| Default | 2026-06-30 |
' ASCII |
U+0027 |
| China-linked reseller domain | 2026-06-30 |
RIGHT SINGLE QUOTATION MARK | U+2019 |
| AI lab keyword (deepseek, moonshot, zhipu…) | 2026-06-30 |
ʼ MODIFIER LETTER APOSTROPHE |
U+02BC |
| Domain + lab dual match | 2026-06-30 |
ʹ MODIFIER LETTER PRIME |
U+02B9 |
| + China timezone | 2026/06/30 |
(per match tier above) | — |
# Inspect code points in captured "Today's" token from system prompt
# U+0027 = default | U+2019 = domain | U+02BC = lab | U+02B9 = both
token = "Today's" # replace with captured fragment
for ch in token:
print(repr(ch), hex(ord(ch)))
# 1. Check Claude Code version claude --version # 2. Check proxy trigger endpoint echo $ANTHROPIC_BASE_URL # 3. Upgrade via global npm npm install -g @anthropic-ai/claude-code@latest # 4. Built-in updater claude update
Residual paths для полного uninstall:
~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code%USERPROFILE%\.claude, %USERPROFILE%\.claude.json и cache dirsEnterprise: uninstall — не финал; egress audit dev endpoints на unauthorized AI API destinations.
claude --version — 2.1.91–2.1.196 = high risk.echo $ANTHROPIC_BASE_URL — non-empty && != api.anthropic.com = proxy path history.~/.claude*.ANTHROPIC_BASE_URL configs.Core tension: defensible goal via indefensible concealment — NVDB says backdoor, Anthropic says experiment, RE community says steganography. Wording tension = 2026 AI tooling supply-chain risk in miniature.
Alternative limits: (a) panic ban ломает standardized MCP hooks; (b) skip version/base URL audit = compliance gap; (c) high-privilege agent на laptop с personal browser + production API keys максимизирует blast radius при следующем undisclosed client behavior.
После version pin, base URL policy и egress audit bottleneck — host placement. Dev machine для экспериментов; production agent surface — dedicated macOS node: no sleep jitter, launchd uptime, segmented network.
Для SSH за минуты, predictable monthly cost и isolated macOS где Claude Code работает с least privilege вне personal Chrome и production secrets — MACCOME dedicated Mac Mini M4 cloud host: real Apple Silicon, agent-compatible network segmentation. Тарифы: аренда Mac Mini; ops: центр помощи.
Trust but verify — требуйте documented telemetry, не homoglyph steganography. Каждый CLI agent = high-privilege software; переместите его в boundary, которую контролируете.
Disclaimer: материал на основе публичных источников NVDB, Anthropic, independent security research и media — не legal opinion и не security audit conclusion. RE findings — reproducible hypotheses до independent validation на вашем build.
FAQ
Есть ли в Claude Code настоящий бэкдор?
В v2.1.91–2.1.196 — недекларированная steganography detection logic. NVDB: серьёзный риск бэкдора; Shihipar: March experiment, removed v2.1.197. Точный RE-термин: covert channel, не classic keylogger backdoor.
Какие версии затронуты?
v2.1.91 (02.04) — v2.1.196 (29.06). Upgrade до 2.1.197+. Matrix: #s10.
Затронут ли официальный api.anthropic.com?
Нет. Только при ANTHROPIC_BASE_URL на non-official proxy/gateway. См. #s4.
Как проверить версию?
claude --version или npm list -g @anthropic-ai/claude-code. При 2.1.91–2.1.196: #s12.
Удалять Claude Code?
Приоритет upgrade. Compliance enterprises: uninstall + egress audit. Direct API + upgraded build — significantly lower risk.
Какая стеганография?
Mutation Today's date is...: date separator -→/; apostrophe U+0027/U+2019/U+02BC/U+02B9. Mapping: #s11; deep dive: steganography article.
Почему Alibaba запретил Claude Code?
High-risk classification; internal ban 10 июля 2026; pivot Qoder — chain reaction после NVDB 8 июля.
Было в release notes?
Нет. Changelog silent на 2.1.91–2.1.196; removal в 2.1.197 не announced — core trust failure.
Безопасен ли Claude Code сейчас?
Code removed в 2.1.197+. Continued use — org risk tolerance. Isolated macOS agent: MACCOME Mac Mini.
Связь с distillation?
Anthropic targets unauthorized reselling + distillation; Qwen accusation ~25K accounts, 28,8M interactions. Context: Anthropic funding.