Claude Code and steganography 2026: Anthropic's hidden Unicode fingerprint, a full breakdown

About 16 min read · MACCOME

Who this is for: developers who run Claude Code or Claude Desktop through a proxy, reseller gateway or custom ANTHROPIC_BASE_URL, and security leads who need to separate hype from reproducible claims. What's inside: a hard split between Incident A (April 2026, Native Messaging injection) and Incident B (June 30, prompt steganography when ANTHROPIC_BASE_URL != api.anthropic.com), the full Unicode apostrophe mapping table, cited versions, and a six-step protection runbook. Subtitle: from silent browser injection to a covert channel in a single apostrophe, and what that means for trust in an AI vendor. Structure: six pain points, incident comparison matrix, technical breakdown, runbook, hard data, Mac cloud isolation bridge, FAQ x8.

Six pain points: why the Claude trust incidents of April and June 2026 hit different nerves

In late June 2026 a developer reverse-engineering Claude Code published findings on thereallo.dev: when ANTHROPIC_BASE_URL != api.anthropic.com, the CLI quietly rewrites the innocuous line Today's date is... in the system prompt, changing date separators and visually identical Unicode apostrophes to encode: China timezone, matches against obfuscated domain/reseller lists, AI-lab keywords. The thread gathered 350+ points on Hacker News and Reddit within hours. That is Incident B. It is not Incident A from April 2026, when privacy consultant Alexander Hanff reported in The Register that Claude Desktop on macOS silently writes com.anthropic.claude_browser_extension.json into the Native Messaging directories of Chrome, Edge, Brave, Arc, Vivaldi, Opera and Chromium, pre-authorizing three extension IDs for chrome-native-host outside the browser sandbox. Independent consultant Noah Kenney and Antiy Labs reportedly confirmed that Hanff's technical claims are reproducible.

Conflating the two events leads to bad security decisions. One is a persistent local privilege bridge; the other is an alleged covert classification channel in outbound prompts. The common pattern: behavior without explicit opt-in, disclosed only after third-party reverse engineering, not in product docs or changelogs.

  1. Two products, brand confusion: Claude Desktop (GUI) and Claude Code (CLI) share one Anthropic logo but have different trigger conditions. Auditing "Claude" without scoping to a binary produces false negatives in both directions.
  2. Incident A: sandbox bypass pre-positioned: per Hanff and follow-on Malwarebytes coverage, Claude Desktop allegedly creates Native Messaging host directories even for browsers that are not installed, wires three extension IDs to a host with full user privilege, and recreates the manifest on restart after manual deletion. That is closer to unauthorized tampering with third-party software than to a benign integration toggle.
  3. Incident B: proxy-only steganography: the Unicode fingerprint logic, per the reverse engineering, activates only with a custom ANTHROPIC_BASE_URL. Direct api.anthropic.com traffic was not touched, which is critical for teams on an official subscription.
  4. Obfuscation instead of disclosure: the alleged domain/keyword lists are base64 + XOR(91), on the order of 147 rules, with keywords: deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai. The intent may be anti-distillation; the method reads as concealment.
  5. Silent remediation: the fingerprint was in Claude Code 2.1.193, 2.1.195, 2.1.196. Anthropic removed it in 2.1.197 on July 1, 2026; the public changelog did not mention the removal, which undermines a "trust but verify" upgrade policy.
  6. HN community split: one camp sees reasonable anti-distillation against unauthorized API reselling; the other sees malware-adjacent behavior for a dev tool built on informed consent. Both agree that the delivery mechanism (hidden punctuation, obfuscated lists) failed the transparency test.

One-line definition: not classic keylogging spyware, but a pair of alleged undisclosed covert channels (local Native Messaging pre-auth plus prompt steganography for proxy users); treat them as supply-chain and data-governance incidents until independently verified on your builds.

If you have already compared Claude vs Cursor/Copilot in our decision matrix of AI coding assistants 2026, add a trust/telemetry row. Feature parity tables do not catch whether the CLI rewrites system prompts when a gateway URL is set.

Incident A vs Incident B vs disclosed telemetry: comparison matrix

A table for architecture reviews, for when someone asks "Is Claude Code spyware?" without naming the binary, OS and API route.

| Dimension | Incident A: Claude Desktop | Incident B: Claude Code | Classic spyware | Disclosed vendor telemetry |
| --- | --- | --- | --- | --- |
| Product | Claude Desktop (macOS GUI) | Claude Code (CLI agent) | Any | Any |
| Alleged behavior | Writes com.anthropic.claude_browser_extension.json; pre-auth of 3 extension IDs; chrome-native-host outside the sandbox; recreates after delete | Rewrites Today's date is... with Unicode apostrophe swaps and date separator changes when a custom ANTHROPIC_BASE_URL is set | Covert exfil of files, keystrokes, credentials | Documented metrics, crash reports, opt-out |
| Trigger | Install/launch Claude Desktop (per Hanff) | Non-default ANTHROPIC_BASE_URL only | Ongoing | ToS / privacy policy |
| Timeline | April 2026 (~18.04+) | Disclosure 30.06.2026; removed 2.1.197 (01.07) | N/A | N/A |
| Best label | Unauthorized third-party software modification; dormant high-privilege channel | Undisclosed covert user classification in prompts | Malware | Accepted tradeoff with consent |

None of these rows is a reason to panic-delete every Anthropic subscription. They are a reason to document which Anthropic surface each team has, which API path each environment uses, and what compliance requires when classification signals leave the client without explicit notice.

The broader Anthropic 2026 narrative (Series H funding and IPO positioning, enterprise life-sciences, export-control restrictions on frontier models) makes the trust incidents material, not less so. Public-market and regulated buyers will ask whether "security-first" marketing matches client behavior.

How the alleged Unicode fingerprint works (Incident B)

Per the thereallo.dev reverse engineering report, the logic checks the configured base URL against obfuscated lists. On a match it encodes classification bits in the date line of the system prompt: human-readable at a glance, machine-readable at the Unicode code-point level.

Step 1, date separator: when the system timezone is Asia/Shanghai or Asia/Urumqi, the date format changes from hyphens to slashes (2026-06-30 -> 2026/06/30).

Step 2, apostrophe swap: the apostrophe in Today's is replaced with a visually similar character according to the match tier:

| Condition | Date format | Apostrophe | Unicode |
| --- | --- | --- | --- |
| Default (no domain/lab match) | 2026-06-30 | ' ASCII apostrophe | U+0027 |
| China-linked org/reseller domain match | 2026-06-30 | ’ right single quotation mark | U+2019 |
| AI lab keyword match (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, etc.) | 2026-06-30 | ʼ modifier letter apostrophe | U+02BC |
| Both domain and lab keyword | 2026-06-30 | ʹ modifier letter prime | U+02B9 |
| + China timezone (Asia/Shanghai / Asia/Urumqi) | 2026/06/30 (slash separator) | (as above per match tier) | (as above per match tier) |

The domain and keyword lists are allegedly stored as base64 strings XORed with key 91, on the order of 147 domain rules in total. A developer skimming logs sees ordinary English. For a backend classifier, one apostrophe code point plus the date separator allegedly reveals proxy usage, timezone context, and reseller/lab affiliation.

Motivation (community consensus, intent not proven): Anthropic, OpenAI and Google have publicly warned about model distillation, where competitors harvest API outputs to train smaller models. Unauthorized resellers and China-linked gateways are plausible targets. The intent may be defensible; the method is not. Hiding classification in punctuation, obfuscating lists in the binary, and omitting changelog notes at removal erodes the trust that dev tools require.

Quick check: inspect the apostrophe in a captured prompt

If you proxy Claude Code, capture a system prompt fragment and inspect the code points, not the rendered glyph:

```python
# Paste "Today's" token from captured system prompt
token = "Today's"  # replace with your captured string
for ch in token:
    print(repr(ch), hex(ord(ch)))
```

U+0027 is the baseline. U+2019, U+02BC or U+02B9 on a custom base URL corroborates the reverse engineering claims on builds before 2.1.197. In regulated environments, combine spot checks with version pinning and hash verification.

Warning

Legal wording: this article describes behavior alleged in third-party reverse engineering and journalism. Anthropic had not published a full technical post-mortem of Incident B at the time of publication. Treat the claims as reproducible hypotheses until your security team validates them on the exact binary and configuration.

Six-step protection runbook: auditing Claude Desktop and Claude Code in production

Follow the steps in order. Skip the inventory and you will discover the reseller gateway and the Native Messaging manifest only after the compliance questionnaire.

  1. Inventory Anthropic surfaces: every machine with Claude Desktop, Claude Code, Claude for Chrome, or IDE extensions. Record macOS versions, install channels (direct vs MDM), and whether engineers set ANTHROPIC_BASE_URL or vendor proxy URLs.
  2. Verify Claude Code version and base URL: run claude --version. Upgrade to 2.1.197+ if you rely on Anthropic's July 1 build. For production, record whether traffic goes to api.anthropic.com or to a third-party gateway; Incident B allegedly affects only non-default URLs.
  3. Audit Native Messaging manifests (Incident A): on every macOS host, check ~/Library/Application Support/<Browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json for Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium. Document the contents, extension IDs, and chrome-native-host path. Delete the file if policy forbids it; expect Claude Desktop to recreate it on restart, per reports.
  4. Capture and diff system prompts on proxy paths: in environments with resellers, record outbound system prompt fragments under controlled test accounts. Compare apostrophe code points and date separators with the mapping table; archive samples with version numbers for the audit trail.
  5. Least privilege and network segmentation: do not run Claude Desktop or long-lived Claude Code daemons on primary dev laptops with full browser profiles and production secrets. Use dedicated agent hosts: restricted filesystem, separate browser profiles, explicit egress allow-lists.
  6. Update the vendor risk register and user comms: log a supplier trust incident citing The Register, Malwarebytes, thereallo.dev, Antiy Labs. For engineers: state whether custom base URLs are approved, banned, or subject to security review, with an internal policy link before the next sprint that ships a new Claude Code hook.
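The comparison in step 4 (and the quick check earlier) can be automated over archived prompt samples. This is an added example, not code from the original article or from Anthropic; it assumes the date follows "date is" directly, and the sample prompts and their labels are constructed.

```python
import re
import unicodedata
from typing import Optional

# Apostrophe tiers exactly as listed in the mapping table on this page.
APOSTROPHE_TIERS = {
    "\u0027": "default (no domain/lab match)",
    "\u2019": "China-linked org/reseller domain match",
    "\u02bc": "AI lab keyword match",
    "\u02b9": "both domain and lab keyword",
}

# Assumption: the date follows "date is" directly. The character between
# "Today" and "s" and the date separator are captured, not assumed.
DATE_LINE = re.compile(r"Today(.)s date is\s+\d{4}([-/])\d{2}\2\d{2}")


def classify_date_line(prompt: str) -> Optional[dict]:
    """Decode the signals in the date line; None if the line is not found."""
    match = DATE_LINE.search(prompt)
    if match is None:
        return None
    apostrophe, separator = match.group(1), match.group(2)
    return {
        "code_point": f"U+{ord(apostrophe):04X}",
        "char_name": unicodedata.name(apostrophe, "UNKNOWN"),
        "tier": APOSTROPHE_TIERS.get(apostrophe, "not in mapping table"),
        "slash_separator": separator == "/",  # China-timezone signal per the table
        "baseline": apostrophe == "\u0027" and separator == "-",
    }


def flag_samples(samples: dict) -> list:
    """Return names of archived samples whose date line is not the baseline."""
    flagged = []
    for name, prompt in samples.items():
        result = classify_date_line(prompt)
        if result is not None and not result["baseline"]:
            flagged.append(name)
    return flagged


# Constructed samples for illustration, not captured traffic.
SAMPLES = {
    "direct-2.1.197": "You are a coding agent.\nToday's date is 2026-06-30.",
    "gateway-2.1.196": "You are a coding agent.\nToday\u02b9s date is 2026/06/30.",
    "gateway-2.1.195": "You are a coding agent.\nToday\u2019s date is 2026-06-30.",
}

if __name__ == "__main__":
    for sample in flag_samples(SAMPLES):
        print(sample, classify_date_line(SAMPLES[sample]))
```

Store the returned dictionary next to each archived sample together with the claude --version output, so the audit trail records the code point rather than a glyph that renders the same in most fonts.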

Steps 3 and 5 are where MACCOME customers compress calendar risk: a rented Mac Mini M4 cloud node hosts Claude Code agents in an isolated macOS image without touching personal Chrome profiles on a travel laptop.

Three cite-worthy data points for security briefings

  • Community signal scale: the June 30, 2026 Claude Code steganography disclosure drew 350+ Hacker News points and 100+ comments within hours, a developer-audience reach comparable to major supply-chain stories, not a niche forum rumor.
  • Obfuscated rule set size: per the thereallo.dev reverse engineering, on the order of 147 base64+XOR(91) domain rules plus AI-lab keywords (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai), in versions 2.1.193 / 2.1.195 / 2.1.196, silently removed in 2.1.197 (July 1, 2026).
  • Independent corroboration of Incident A: Alexander Hanff's April 2026 Register report on Claude Desktop Native Messaging was reproduced by consultant Noah Kenney and covered in a dedicated risk report by Antiy Labs; it is separate from the June CLI steganography thread but part of the same trust narrative.

Cite the figures with primary links in risk memos. Executives understand HN points as developer attention; security councils understand pre-positioned Native Messaging hosts as latent privilege escalation surfaces regardless of current exploit status.

Isolated Mac cloud hosting: least privilege for Claude Code agents

Desktop AI agents = shell access + browser bridges + long-lived credentials. The same MacBook holding personal email, password-manager extensions and production API keys gives the maximum blast radius when vendor behavior, alleged or confirmed, crosses the trust line.

A rented Mac Mini M4 cloud node runs Claude Code with launchd persistence, MCP sidecars and SSH for remote editors, without Claude Desktop on the daily Chrome profile. You control the timezone, the base URL policy, and which browser profiles exist on the host.

A Linux VPS is cheaper for pure CLI work but breaks when agent scripts invoke xcodebuild, Apple notarization, or macOS-only chains in the repo. The comparison is not Anthropic vs Apple; it is a co-mingled laptop vs an isolated macOS agent host.

Closing: intent vs method — isolation beats outrage

The June 2026 Claude Code steganography is a case study in defensible goals pursued through indefensible concealment. Anti-distillation and anti-reselling are industry-wide concerns; embedding classification in Unicode punctuation, obfuscating rule lists, and omitting changelog disclosure at removal is how vendors lose developer trust faster than a benchmark win.

Limits of the obvious alternatives: (a) ignoring Incident A leaves Native Messaging pre-auth on macOS workstations with full user privilege; (b) banning Claude Code breaks teams that depend on hooks/MCP; (c) keeping the same agent stack on a laptop with personal browsers plus production secrets magnifies the impact of the next undisclosed client behavior.

After inventorying binaries, pinned versions and permitted base URLs, the bottleneck is usually host isolation, not the thread about U+02B9 vs spyware. For SSH within minutes, predictable monthly cost, and a macOS environment where Claude Code agents run with least privilege away from daily browser profiles, a MACCOME dedicated Mac Mini M4 cloud host is usually the better fit: real Apple Silicon, launchd-friendly uptime, segmentation for long-running agent processes. Regions and memory: Mac mini rental plans; ops questions: help center.

Default: distrust until behavior is reproducible, documented and switchable. Demand disclosure over steganography. Treat every desktop agent as high-privilege software; vendors learn on your machines until the agents run inside boundaries you control.

Sources and further reading

The Register (Alexander Hanff, Claude Desktop Native Messaging, April 2026); Malwarebytes, gHacks, YOOTA (Incident A follow-on); thereallo.dev (original Claude Code reverse engineering, June 30, 2026); Tech Startups, TMC Insight, Developers Digest, TechTimes (2.1.197 removal coverage); Antiy Labs risk analysis (Claude Desktop browser channel).

FAQ

Is Claude Code spyware?

Not in the classic data-stealing sense, but per reverse engineering reports Claude Code embedded an undisclosed, obfuscated fingerprint in system prompts to flag China-linked proxy users when ANTHROPIC_BASE_URL != api.anthropic.com. Anthropic removed it in 2.1.197. Best label: undisclosed covert channel, not traditional spyware.

Does Claude Code track the timezone?

Per the thereallo.dev report: it checked for Asia/Shanghai and Asia/Urumqi and switched the date separator from hyphens to slashes, only with a non-default ANTHROPIC_BASE_URL. The official api.anthropic.com path was not altered.

What is the Unicode apostrophe trick?

The apostrophe in Today's was allegedly swapped between U+0027 (default), U+2019 (China-linked domain), U+02BC (AI lab keyword) and U+02B9 (both) to encode classification signals in the system prompt date line.

Why did Anthropic add this?

Community analysis and HN discussion: the likely goal was anti-distillation and detection of unauthorized API reselling, a legitimate objective in an allegedly hidden, obfuscated form.

Is this the same story as the Claude Desktop spyware?

No. Incident A (April 2026): Claude Desktop on macOS silently writing com.anthropic.claude_browser_extension.json Native Messaging manifests, disclosed by Alexander Hanff in The Register. Incident B (June 30, 2026): Claude Code prompt steganography with a custom base URL.

Are regular Claude web app users affected?

Incident B triggered only in Claude Code when ANTHROPIC_BASE_URL != api.anthropic.com. The official web app and the CLI on the default endpoint are not subject to the Unicode apostrophe encoding from the reverse engineering reports.

How do I remove the Claude Desktop Native Messaging manifests?

macOS: ~/Library/Application Support/<browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json in Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium. Delete as needed; per reports Claude Desktop may recreate it on restart.
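Before deleting anything, the manifests can be located and recorded, as runbook step 3 asks. This is an added example, not code from the original article or from Anthropic; it assumes the standard Chrome native messaging manifest fields path and allowed_origins, and it searches every NativeMessagingHosts directory under Application Support rather than hard-coding per-browser directory names.

```python
from __future__ import annotations

import json
from pathlib import Path

MANIFEST_NAME = "com.anthropic.claude_browser_extension.json"  # file name from the page


def find_manifests(app_support: Path) -> list[dict]:
    """Find the manifest in any NativeMessagingHosts directory and summarise it."""
    findings = []
    for path in sorted(app_support.rglob(MANIFEST_NAME)):
        if path.parent.name != "NativeMessagingHosts":
            continue  # same file name elsewhere is not a registered host
        entry = {
            "manifest": str(path),
            "browser_dir": str(path.parent.parent.relative_to(app_support)),
        }
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
            if not isinstance(data, dict):
                raise ValueError("manifest is not a JSON object")
        except (OSError, ValueError) as exc:
            entry["error"] = f"unreadable: {exc}"
            findings.append(entry)
            continue
        host = data.get("path", "")
        entry.update(
            host_path=host,  # binary the browser would launch outside its sandbox
            host_exists=bool(host) and Path(host).exists(),
            allowed_origins=data.get("allowed_origins", []),  # pre-authorized extension IDs
        )
        findings.append(entry)
    return findings


if __name__ == "__main__":
    root = Path.home() / "Library" / "Application Support"
    for finding in find_manifests(root):
        print(json.dumps(finding, indent=2))
```

Run it again after restarting Claude Desktop to record whether a deleted manifest reappears, and keep both outputs with the inventory from step 1.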

Which Claude Code versions contained the fingerprint code?

Per the thereallo.dev reverse engineering: 2.1.193, 2.1.195 and 2.1.196 contained the logic. It was removed in 2.1.197, released July 1, 2026; the public changelog does not mention the removal.