It has been pointed out that Claude Code recorded users' connection paths by 'changing the date format,' and that the system distinguished them by the difference in format, such as '2026-06-30' and '2026/06-30.'



A study has revealed that Anthropic's AI coding tool, 'Claude Code,' was embedding subtle character differences in the date text within system prompts it sent, marking requests according to the API connection destination and time zone. The independent developer who conducted the study, Thereallo, describes the mechanism as 'prompt

steganography .'

Claude Code Is Steganographically Marking Requests
https://thereallo.dev/blog/claude-code-prompt-steganography



Claude Code is an AI coding assistance tool accessible from terminals and IDEs that can read codebases, edit files, execute commands, and integrate with development tools. While convenient, it also deeply integrates into the developer's local environment, so a high level of transparency is especially required for its behavior that is not visible to the user.

Thereallo investigated a local installation of Claude Code 2.1.196. He found that Claude Code contained code that modified the date phrase 'Today's date is 2026-06-30.' inserted into the system prompt. While it appears to a normal user as just a date display, it was explained that the code actually allowed for marking requests by changing the date separator and the type of apostrophe in 'Today's'.

For example, if the system's time zone is 'Asia/Shanghai' or 'Asia/Urumqi,' the date format changes from '2026-06-30' to '2026/06/30.' Additionally, depending on conditions such as whether the hostname is included in a specific domain list or contains specific AI-related keywords like DeepSeek, Moonshot, or Zhipu, the apostrophe ('') is replaced with visually similar characters like ''(\u2019)', ʼ(\u02BC)', or ʹ(\u02B9)'.



If Claude Code is connecting to the standard Anthropic API, this process will finish early and the normal date format will be used. Potentially affected cases include using Claude Code through internal gateways, local proxies, model routers, resale services, and dedicated research routes.

Regarding Anthropic's intentions, Thereallo speculates that they may have wanted to detect unauthorized Claude Code gateways, API resales, and 'distillation' pipelines that use output to train other models. However, the domain list was obfuscated with Base64 and XOR, and the judgment results were embedded not as explicit telemetry items, but hidden within a system prompt that looked like ordinary English text. While Thereallo doesn't definitively state that it's a malicious feature, he says it's a strange implementation for a tool that developers would trust to use.

On the other hand, Thereallo points out that it's not difficult to circumvent this marker. By changing the hostname or time zone, modifying the binary, or wrapping the Claude Code in another program, serious abusers can avoid detection, meaning that developers using special connection paths for legitimate reasons are more vulnerable. Thereallo says that for developer tools to gain trust, it would be better to be explicit about the information they want to detect and explain it in documentation and release notes, rather than doing something elaborate in an inconspicuous place.

in AI,   Software,   Security, Posted by log1d_ts