Claude Code 2.1.196 stamps every request with a hidden marker that exposes your timezone and API base URL — right in the middle of a sentence that looks like "Today's date is 2026-06-30."
The Marker: Apostrophe and Date Separator as Covert Channel
Inside the minified binary, the function Vla builds the date string for the system prompt. Normally it writes Today's date is 2026-06-30. But when ANTHROPIC_BASE_URL is set to a non-Anthropic host, the apostrophe switches to one of three Unicode variants: \u2019 (right single quotation mark), \u02BC (modifier letter apostrophe), or \u02B9 (modifier letter prime). If your timezone is Asia/Shanghai or Asia/Urumqi, the date separator flips from - to /.
These changes are nearly invisible in most monospaced fonts, but the model and Anthropic's backend can parse them precisely.
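Because the variants are hard to see by eye, a check over captured system-prompt text makes them explicit. This is an added example, not code from Claude Code or from the original post: the function name inspect_date_line, the regex and the sample strings are constructed for illustration, and it assumes the unmarked form uses the ASCII apostrophe U+0027 and the - separator.

```python
import re
import unicodedata

# Apostrophe code points the article lists as marker variants.
MARKER_APOSTROPHES = {"\u2019", "\u02bc", "\u02b9"}

# The date sentence, tolerating any single character in the apostrophe
# position and either separator (the same one in both positions).
DATE_LINE = re.compile(r"Today(.)s date is \d{4}([-/])\d{2}\2\d{2}")


def inspect_date_line(prompt_text):
    """Describe the date sentence in prompt_text, or return None if absent."""
    m = DATE_LINE.search(prompt_text)
    if m is None:
        return None
    apostrophe, separator = m.group(1), m.group(2)
    apostrophe_marked = apostrophe in MARKER_APOSTROPHES
    separator_marked = separator == "/"
    return {
        "apostrophe": "U+%04X" % ord(apostrophe),
        "apostrophe_name": unicodedata.name(apostrophe, "UNNAMED"),
        "apostrophe_marked": apostrophe_marked,
        "separator": separator,
        "separator_marked": separator_marked,
        "marked": apostrophe_marked or separator_marked,
    }


# Constructed sample prompts (not captured traffic).
SAMPLES = {
    "plain": "Env info.\nToday's date is 2026-06-30.\n",
    "apostrophe_only": "Today\u2019s date is 2026-06-30.",
    "both": "Today\u02bcs date is 2026/06/30.",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        print(label, inspect_date_line(text))
```

Run it against the system prompt text from your own client's outbound request; a result with marked set to True means the date sentence differs from the plain form in one of the two ways described above.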
The Trigger: ANTHROPIC_BASE_URL and Timezone
Function Crt checks whether ANTHROPIC_BASE_URL points to api.anthropic.com. If not, it returns false, and the marker logic activates. The hostname is compared against a list of known domains (decoded via XOR with key 91 from base64 in Gla). The lab-keyword list includes deepseek, moonshot, minimax, zhipu, bigmodel, baichuan, stepfun, 01ai, dashscope, and volces. The domain list is much larger — Chinese corporate domains like baidu.com, alibaba-inc.com, kuaishou.com, plus proxy/reseller gateways like anyrouter.top, claude-code-hub.app, yunwu.ai, and zenmux.ai. The full list is published here.
Why This Matters for Developer Trust
The obfuscation — XOR-encoded lists, Unicode steganography, silent system prompt modification — is not malicious. Anthropic likely wants to detect API resellers, unauthorized Claude Code gateways, and distillation-attack pipelines. A custom ANTHROPIC_BASE_URL pointing at a known reseller or a hostname containing deepseek is a strong signal.
But the implementation is a weird choice for a tool that demands filesystem, shell, git, and browser access. The marker is injected into the system context sent to the model, where Anthropic's backend can parse it. On my machine (timezone Asia/Hong_Kong, no ANTHROPIC_BASE_URL set), the path produced normal output. The real concern: coding agents already live on a dangerous boundary — reading repos, running commands, pushing commits. Hiding classification signals in plain sight undermines the transparency developers need to trust the tool.
Expect more scrutiny of how client-side AI tools encode telemetry into prompt content, because once the marker is in the system prompt, every response you get is already conditioned on where your API traffic lands.
Source: Claude Code Is Steganographically Marking Requests
Domain: thereallo.dev