Для кого: dev, кто гоняет Claude Code или Claude Desktop через proxy, reseller gateway или custom ANTHROPIC_BASE_URL — и security leads, которым нужно отделить hype от reproducible claims. Что внутри: жёсткий split Incident A (апрель 2026, Native Messaging injection) vs Incident B (30 июня, prompt steganography при ANTHROPIC_BASE_URL != api.anthropic.com), полная Unicode apostrophe mapping table, cited versions, six-step protection runbook. Subtitle: от silent browser injection до covert channel в одной apostrophe — и что это значит для trust к AI vendor. Структура: шесть pain points, incident comparison matrix, technical breakdown, runbook, hard data, Mac cloud isolation bridge, FAQ x8.
В конце июня 2026 dev, reverse-engineering Claude Code, опубликовал на thereallo.dev findings: когда ANTHROPIC_BASE_URL != api.anthropic.com, CLI тихо переписывает безобидную строку Today's date is... в system prompt — меняя date separators и визуально идентичные Unicode apostrophes, чтобы encode: China timezone, match obfuscated domain/reseller lists, AI-lab keywords. Thread набрал 350+ points на Hacker News и Reddit за часы. Это Incident B. Это не Incident A из апреля 2026, когда privacy consultant Alexander Hanff в The Register reported: Claude Desktop на macOS молча пишет com.anthropic.claude_browser_extension.json в Native Messaging dirs Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium — pre-auth трёх extension IDs на chrome-native-host вне browser sandbox. Independent consultant Noah Kenney и Antiy Labs reportedly подтвердили reproducibility technical claims Hanff.
Смешивать два события — bad security decisions. Одно — persistent local privilege bridge; другое — alleged covert classification channel в outbound prompts. Общий pattern: behavior без явного opt-in, disclosed только после third-party reverse engineering — не в product docs и changelogs.
ANTHROPIC_BASE_URL. Direct api.anthropic.com traffic не трогали — критично для teams на official subscription.One-line definition: не classic keylogging spyware, а пара alleged undisclosed covert channels — local Native Messaging pre-auth + prompt steganography для proxy users — treat as supply-chain и data-governance incidents до independent verification на ваших builds.
Если уже сравнивали Claude vs Cursor/Copilot в нашей decision matrix AI coding assistants 2026 — добавьте trust/telemetry row. Feature parity tables не ловят, переписывает ли CLI system prompts при gateway URL.
Таблица для architecture reviews, когда спрашивают «Claude Code spyware?» без binary, OS и API route.
| Dimension | Incident A: Claude Desktop | Incident B: Claude Code | Classic spyware | Disclosed vendor telemetry |
|---|---|---|---|---|
| Product | Claude Desktop (macOS GUI) | Claude Code (CLI agent) | Any | Any |
| Alleged behavior | Пишет com.anthropic.claude_browser_extension.json; pre-auth 3 extension IDs; chrome-native-host вне sandbox; recreates after delete |
Rewrites Today's date is... с Unicode apostrophe swaps и date separator changes при custom ANTHROPIC_BASE_URL |
Covert exfil files, keystrokes, credentials | Documented metrics, crash reports, opt-out |
| Trigger | Install/launch Claude Desktop (per Hanff) | Non-default ANTHROPIC_BASE_URL only |
Ongoing | ToS / privacy policy |
| Timeline | Апрель 2026 (~18.04+) | Disclosure 30.06.2026; removed 2.1.197 (01.07) | N/A | N/A |
| Best label | Unauthorized third-party software modification; dormant high-privilege channel | Undisclosed covert user classification в prompts | Malware | Accepted tradeoff with consent |
Ни одна строка не повод panic-delete каждой Anthropic subscription. Это повод document: какая Anthropic surface у каждой team, какой API path у каждого env, что compliance требует когда classification signals уходят с client без explicit notice.
Broader Anthropic 2026 narrative — Series H funding и IPO positioning, enterprise life-sciences, export-control restrictions на frontier models — делает trust incidents material, не менее. Public-market и regulated buyers спросят, совпадает ли «security-first» marketing с client behavior.
По thereallo.dev reverse engineering report: logic inspects configured base URL против obfuscated lists. При match encodes classification bits в date line system prompt — human-readable на glance, machine-readable на Unicode code-point level.
Step 1 — date separator: system timezone Asia/Shanghai или Asia/Urumqi — date format с hyphens на slashes (2026-06-30 -> 2026/06/30).
Step 2 — apostrophe swap: apostrophe в Today's меняется на visually similar char по match tier:
| Condition | Date format | Apostrophe | Unicode |
|---|---|---|---|
| Default (no domain/lab match) | 2026-06-30 |
' ASCII apostrophe |
U+0027 |
| China-linked org/reseller domain match | 2026-06-30 |
' right single quotation mark |
U+2019 |
| AI lab keyword match (deepseek, moonshot, zhipu, minimax, baichuan, stepfun, 01ai, etc.) | 2026-06-30 |
ʼ modifier letter apostrophe |
U+02BC |
| Both domain and lab keyword | 2026-06-30 |
ʹ modifier letter prime |
U+02B9 |
+ China timezone (Asia/Shanghai / Asia/Urumqi) |
2026/06/30 (slash separator) |
(as above per match tier) | — |
Domain и keyword lists allegedly stored как base64 strings XORed with key 91, total порядка 147 domain rules. Dev, skimming logs, видит ordinary English. Backend classifier: один apostrophe code point + date separator allegedly reveals proxy usage, timezone context, reseller/lab affiliation.
Motivation (community consensus, intent не proven): Anthropic, OpenAI, Google публично warned про model distillation — competitors harvest API outputs для smaller models. Unauthorized resellers и China-linked gateways — plausible targets. Intent может быть defensible; method — нет. Hiding classification в punctuation, obfuscating lists в binary, omitting changelog notes при removal — erodes trust dev tools require.
Если proxy Claude Code — capture system prompt fragment, inspect code points, не rendered glyph:
# Paste "Today's" token from captured system prompt
token = "Today's" # replace with your captured string
for ch in token:
print(repr(ch), hex(ord(ch)))
U+0027 — baseline. U+2019, U+02BC, U+02B9 на custom base URL corroborate reverse engineering claims на builds до 2.1.197. Spot checks + version pinning + hash verification в regulated env.
Legal wording: статья описывает behavior alleged в third-party reverse engineering и journalism. Anthropic не опубликовал full technical post-mortem Incident B на момент публикации. Treat claims как reproducible hypotheses до validation security team на exact binary и configuration.
Steps in order. Skip inventory — discover reseller gateway и Native Messaging manifest только после compliance questionnaire.
ANTHROPIC_BASE_URL или vendor proxy URLs.claude --version. Upgrade 2.1.197+ если rely на Anthropic July 1 build. Production: api.anthropic.com или third-party gateway; Incident B allegedly только non-default URLs.~/Library/Application Support/<Browser>/NativeMessagingHosts/com.anthropic.claude_browser_extension.json для Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium. Document contents, extension IDs, chrome-native-host path. Delete if policy forbids; expect Claude Desktop recreate on restart per reports.Steps 3 и 5 — где MACCOME customers compress calendar risk: rented Mac Mini M4 cloud node hosts Claude Code agents в isolated macOS image без touch personal Chrome profiles на travel laptop.
Figures с primary links в risk memos. Executives понимают HN points как developer attention; security councils — pre-positioned Native Messaging hosts как latent privilege escalation surfaces независимо от current exploit status.
Desktop AI agents = shell access + browser bridges + long-lived credentials. Same MacBook с personal email, password-manager extensions, production API keys — max blast radius когда vendor behavior — alleged или confirmed — crosses trust line.
Rented Mac Mini M4 cloud node — Claude Code с launchd persistence, MCP sidecars, SSH для remote editors — без Claude Desktop на daily Chrome profile. Control timezone, base URL policy, какие browser profiles exist на host.
Linux VPS cheaper для pure CLI, но breaks когда agent scripts invoke xcodebuild, Apple notarization, macOS-only chains в repo. Comparison: не Anthropic vs Apple — co-mingled laptop vs isolated macOS agent host.
June 2026 Claude Code steganography — case study defensible goals через indefensible concealment. Anti-distillation и anti-reselling — industry-wide; embedding classification в Unicode punctuation, obfuscating rule lists, omitting changelog disclosure при removal — vendors lose developer trust быстрее benchmark win.
Limits obvious alternatives: (a) ignore Incident A — Native Messaging pre-auth на macOS workstations с full user privilege; (b) ban Claude Code — breaks teams на hooks/MCP; (c) same agent stack на laptop с personal browsers + production secrets — magnifies impact при next undisclosed client behavior.
После inventory binaries, pinned versions, permitted base URLs — bottleneck обычно host isolation, не thread про U+02B9 vs spyware. Для SSH за minutes, predictable monthly cost, macOS env где Claude Code agents run least privilege away from daily browser profiles — MACCOME dedicated Mac Mini M4 cloud host usually better fit: real Apple Silicon, launchd-friendly uptime, segmentation для long-running agent processes. Regions и memory: тарифы аренды Mac mini; ops questions: центр помощи.
Default: distrust до reproducible, documented, switchable behavior. Demand disclosure over steganography. Treat every desktop agent as high-privilege software — vendors learn на ваших machines пока agents не на boundaries you control.
The Register (Alexander Hanff, Claude Desktop Native Messaging, апрель 2026); Malwarebytes, gHacks, YOOTA (Incident A follow-on); thereallo.dev (original Claude Code reverse engineering, 30 июня 2026); Tech Startups, TMC Insight, Developers Digest, TechTimes (2.1.197 removal coverage); Antiy Labs risk analysis (Claude Desktop browser channel).
FAQ
Claude Code — это spyware?
Не в classic data-stealing sense, но per reverse engineering reports Claude Code embedded undisclosed obfuscated fingerprint в system prompts для flag China-linked proxy users когда ANTHROPIC_BASE_URL != api.anthropic.com. Anthropic removed в 2.1.197. Best label: undisclosed covert channel, не traditional spyware.
Claude Code трекает timezone?
Per thereallo.dev report: checked Asia/Shanghai и Asia/Urumqi, switched date separator hyphens -> slashes — только при non-default ANTHROPIC_BASE_URL. Official api.anthropic.com не altered.
Unicode-трюк с apostrophe?
Apostrophe в Today's allegedly swapped между U+0027 (default), U+2019 (China-linked domain), U+02BC (AI lab keyword), U+02B9 (both) для encode classification signals в system prompt date line.
Зачем Anthropic добавил это?
Community analysis и HN discussion: likely goal anti-distillation и detection unauthorized API reselling — legitimate objective в allegedly hidden obfuscated form.
Та же история, что Claude Desktop spyware?
Нет. Incident A (апрель 2026): Claude Desktop macOS silently writing com.anthropic.claude_browser_extension.json Native Messaging manifests, disclosed Alexander Hanff в The Register. Incident B (30 июня 2026): Claude Code prompt steganography при custom base URL.
Regular Claude web app users affected?
Incident B triggered только в Claude Code когда ANTHROPIC_BASE_URL != api.anthropic.com. Official web app или CLI default endpoint — не subject к Unicode apostrophe encoding из reverse engineering reports.
Как удалить Claude Desktop Native Messaging manifests?
macOS: ~/Library/Application Support/<browser>/NativeMessagingHosts/ — com.anthropic.claude_browser_extension.json в Chrome, Edge, Brave, Arc, Vivaldi, Opera, Chromium. Delete as needed; per reports Claude Desktop may recreate on restart.
Какие версии Claude Code содержали fingerprint code?
Per thereallo.dev reverse engineering: 2.1.193, 2.1.195, 2.1.196 contained logic. Removed 2.1.197 released 1 июля 2026; public changelog не mention removal.