Thereallo · 2026-06-30 · major
Claude Code is steganographically marking requests — hidden prompt fingerprints
Researcher Thereallo found that Claude Code silently rewrites its system prompt with steganographic markers when ANTHROPIC_BASE_URL is set, encoding proxy hostnames against an XOR-obfuscated competitor list.

A reverse engineer caught Claude Code planting hidden classifier text in its own system prompt to flag third-party proxies and suspected distillers.
Quick facts
| Field | Value |
|---|---|
| Author | Thereallo (@Thereallo1026) |
| Published | June 30, 2026 |
| Affected tool | Anthropic Claude Code CLI |
| Trigger | ANTHROPIC_BASE_URL set to a non-Anthropic endpoint |
| Mechanism | System prompt rewritten with steganographic markers encoding proxy hostname keywords |
| Obfuscation | Base64 + XOR with key 91 |
What is it?
The thereallo.dev write-up documents a hidden fingerprinting feature in Anthropic's Claude Code CLI. Reverse engineering the build reveals that when developers point ANTHROPIC_BASE_URL at a non-Anthropic endpoint, Claude Code rewrites its own system prompt to include steganographic markers identifying the proxy.
How does it work?
Thereallo traces the trigger to ANTHROPIC_BASE_URL and a base64-encoded keyword list that is XOR-decoded with key 91 to produce strings like deepseek and baidu. When the proxy hostname matches a keyword, Claude Code replaces a benign date sentence with a steganographically marked version, smuggling the classifier label inside Unicode-quirked text that still reads as English.
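The decode-and-match step described above, plus a check an operator can run on a system prompt passing through their own gateway, as an added Python example that is not code from Claude Code or from Thereallo's write-up. It assumes "key 91" is decimal, a comma-joined keyword list, and substring matching on the hostname; the blob, the two sentences and the marker characters are constructed, since this page does not give the real ones.

```python
import base64
import unicodedata
from urllib.parse import urlparse

XOR_KEY = 91  # assumption: the page's "key 91" read as decimal 91

def xor(data: bytes, key: int = XOR_KEY) -> bytes:
    """Single-byte XOR; the same call obfuscates and recovers."""
    return bytes(b ^ key for b in data)

# Constructed blob: the two keywords the page names, comma-joined (layout assumed).
SAMPLE_BLOB = base64.b64encode(xor(b"deepseek,baidu")).decode()

def decode_keywords(blob: str) -> list[str]:
    """Base64-decode, XOR with the key, split into keywords."""
    return xor(base64.b64decode(blob)).decode("ascii").split(",")

def matched_keywords(base_url: str, blob: str = SAMPLE_BLOB) -> list[str]:
    """Keywords that occur in the hostname of an ANTHROPIC_BASE_URL value."""
    host = (urlparse(base_url).hostname or "").lower()
    return [k for k in decode_keywords(blob) if k in host]

def audit_prompt(text: str) -> list[tuple[int, str, str]]:
    """List characters a plain-English sentence should not contain: anything
    outside printable ASCII, and control/format characters except newline/tab."""
    findings = []
    for i, ch in enumerate(text):
        cat = unicodedata.category(ch)
        if ord(ch) > 0x7E or (cat.startswith("C") and ch not in "\n\t"):
            findings.append((i, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>")))
    return findings

# Constructed sentences: PLAIN is clean; MARKED swaps in a Cyrillic "a" and adds
# a zero-width space. Both characters are illustrative choices, not the real markers.
PLAIN = "Today's date is 2026-06-30."
MARKED = "Tod\u0430y's date\u200b is 2026-06-30."

if __name__ == "__main__":
    print(matched_keywords("https://gateway.deepseek.example/v1"))
    for finding in audit_prompt(MARKED):
        print(finding)
```

Logging `audit_prompt` findings per request at a gateway shows whether a prompt that renders as ordinary English carries extra code points, without needing to know the encoding scheme in advance.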
Why does it matter?
Claude Code is a developer tool whose pitch is trustworthy automation, so hidden telemetry tucked inside the model prompt itself is a sharp credibility hit — especially because it lands a day after Anthropic's public letter accusing Alibaba Qwen of a Claude distillation attack. The post hit 880+ points on Hacker News in four hours, with developers saying they are switching to alternatives like opencode and Pi.
Who is it for?
Claude Code users, AI safety researchers, AI infrastructure operators
Frequently asked questions
- What did Thereallo find in Claude Code?
  Thereallo found that Claude Code silently rewrites its system prompt when ANTHROPIC_BASE_URL points at a non-Anthropic endpoint. The rewrite hides classifier markers in what looks like an ordinary date sentence, fingerprinting which third-party gateway or proxy is routing the request without telling the user.
- Why is Anthropic adding hidden markers to Claude Code requests?
  The Claude Code steganography code targets unofficial proxies and suspected distillation pipelines from rival labs. The keyword list, hidden under base64 plus XOR with key 91, includes names like deepseek and baidu, so Anthropic can spot when Claude Code traffic is being routed through a competitor's gateway.
- Does the Claude Code fingerprinting trigger on the official Anthropic API?
  No. Thereallo's analysis shows that if ANTHROPIC_BASE_URL is unset or pointed at Anthropic, the fingerprinting branch returns early and the system prompt stays plain. The steganographic rewrite only triggers when developers route Claude Code through a custom base URL, such as a privacy-focused proxy or a model gateway.
- What is the developer-trust concern with Claude Code's steganography?
  Commenters on Hacker News argued that hiding telemetry inside the prompt of a developer tool that asks for trust is the wrong default. Thereallo's point is that Anthropic could have shipped a documented telemetry header, made the policy visible in release notes, and avoided the prompt-injection-shaped pattern that gives rival labs a free training signal.
Try it
Read the full reverse-engineering walkthrough at thereallo.dev/blog/claude-code-prompt-steganography.