Claude Code hidden China check in v2.1.91, Anthropic rolls back
Anthropic removed an experiment in Claude Code v2.1.91 that secretly checked for China-based proxies, timezones and AI-lab URLs.
TL;DR
- 01Anthropic removed an experiment in Claude Code v2.1.91 that secretly checked for China-based proxies, timezones and AI-lab URLs.
- 02Anthropic is rolling back a covert surveillance feature in its coding tool Claude Code after a Reddit user exposed the check.
- 03The feature, present in version 2.1.91 released April 2, 2026, secretly tested whether users with an active proxy were located in China and encoded those results into the system prompt.
Anthropic is rolling back a covert surveillance feature in its coding tool Claude Code after a Reddit user exposed the check. The feature, present in version 2.1.91 released April 2, 2026, secretly tested whether users with an active proxy were located in China and encoded those results into the system prompt.
How did the hidden check work?
Claude Code compared the system timezone against "Asia/Shanghai" or "Asia/Urumqi", scanned proxy URLs for Chinese domains and AI labs, and then encoded the result into tiny, invisible changes to the system prompt — for example by tweaking the date format and swapping an apostrophe character in the phrase "Today's date is." The discoverer said the detection was also obfuscated with XOR encryption using key 91 to stop it showing up in a simple text dump.
The Reddit post by user LegitMichel777 that first exposed the behaviour explained those stealth signals and warned that because Claude Code has full filesystem and shell access, the mechanism could open the door to remote control or data exfiltration. The post also argued the check was trivial for skilled attackers to bypass.
What did Anthropic say and do?
Anthropic described the code as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation," according to employee Thariq Shihipar. The team said it had since implemented stronger protections, merged the pull request removing the check, and expected the change to be rolled back in the next release.
The release notes for v2.1.91, which shipped April 2, 2026, made no mention of the hidden check. Anthropic has previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models, a backdrop that the company says motivated experiments aimed at preventing account abuse.
What went wrong and who noticed?
The feature was uncovered by a community researcher rather than an internal audit: the Reddit user LegitMichel777 posted the discovery and called the covert transmission of system and proxy data without user knowledge "a fundamental violation of user trust." That public exposure prompted social media outrage and Anthropic to confirm the experiment and remove it.
Because the mechanism used subtle changes in the system prompt that users could not see, and because the code was obfuscated, ordinary users and many developers would not have noticed the check. The discoverer also emphasized that, given Claude Code's access levels, the approach increased the surface for potential misuse.
Why it matters
The episode highlights a trust gap between platform operators and developers who rely on developer tools with deep system access. Anthropic does not offer its models in China for national security reasons, yet many Chinese developers access Claude through foreign phone numbers and credit cards; a covert location check aimed at enforcing access policy intrudes on privacy and raises abuse concerns. The tech community now faces a concrete example of how product experiments can leak sensitive signals when they run without clear disclosure.
What to watch
Look for the forthcoming release notes and the merged pull request to confirm the rollback that Anthropic referenced. Also watch whether Anthropic publishes clearer changelog entries or a postmortem explaining how an obfuscated, prompt-level telemetry experiment landed in v2.1.91 and what safeguards will prevent similar undisclosed checks going forward.
- March 2026Experiment launched
Anthropic says the covert check was an experiment launched in March to prevent resellers and distillation.
- April 2, 2026Claude Code v2.1.91 release
Version 2.1.91 shipped; its release notes did not mention the hidden China check.
- July 1, 2026Public exposure and rollback announced
Reddit user LegitMichel777 exposed the feature; Anthropic said it merged a PR to remove it and expected the rollback in the next release.
Written by The Brieftide · Source: The Decoder
The Brieftide Daily · 06:00
Briefs like this one, in your inbox every morning.
Continue reading
More in Coding AgentsAgent4cs: Multi-agent code summarization, up to 38% gains
Agent4cs uses three cooperating agents to summarize large hierarchical codebases.
llm-coding-agent 0.1a0: GPT-5.5 coding agent and tools
Simon Willison published llm-coding-agent 0.1a0 on 2nd July 2026, a PyPI slop-alpha that exposes file.
Mnemosyne agentic transaction system: validation & repair
Mnemosyne implements Agentic Transaction Processing (ATP) to validate AI-generated actions under an executable constraint set C and repair.
Autoformalization: Agent Instructions to Policy-as-Code
A pipeline that uses an LLM generator-critic loop to turn prompts and policy text into Cedar policies, submitted 25 Jun 2026.