Anthropic is removing a hidden feature from Claude Code after users discovered that the coding tool had been quietly flagging signals tied to China. The issue became public after a Reddit post by user LegitMichel777 described checks embedded in the software and argued that the design crossed a serious line for user trust.
What Claude Code was checking
According to the source report, the hidden checks had been present since version 2.1.91, released April 2, 2026. The feature looked for indicators that a user with an active proxy was located in China, routing through a Chinese URL, or connected to a Chinese AI lab.
The concern was not only that the checks existed. It was that users were not clearly told about them, and the release notes for version 2.1.91 did not mention the behavior. For a developer tool, that kind of hidden logic carries extra weight because the product operates inside environments where source code, local files, and shell access may be available.
The source says Claude Code has full filesystem and shell access. That makes transparency especially important. Even when a feature is intended for abuse prevention, users need to understand what information is being collected, how it is being signaled, and why it is present in a local development tool.
How the signal was hidden
The reported mechanism was unusual. The data was not sent through an obvious field or visible warning. Instead, Claude Code allegedly used small changes inside the system prompt, a technique described in the source as a form of steganography.
The software compared the system timezone against Asia/Shanghai or Asia/Urumqi. It also scanned the proxy URL for Chinese domains and AI labs. Depending on the results, the tool changed the date format and used a subtly different apostrophe character in the phrase "Today's date is."
Those changes were meant to be hard for ordinary users to notice. The source describes them as barely perceptible to users while readable to Anthropic. That distinction is central to the backlash: the system could communicate a hidden signal while appearing normal in day-to-day use.
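One way to audit a captured prompt line for this kind of marker, as an added example that is not from the source report or from Claude Code: the two sample lines, the U+2019 apostrophe and the slash-separated date are constructed for illustration, since the report does not name the exact characters or formats used.

```python
import unicodedata

# Constructed captures of the same prompt line from two environments.
# The code points and date formats here are illustrative; the report
# does not say which ones the tool actually used.
BASELINE = "Today's date is 2026-04-02."
VARIANT = "Today\u2019s date is 2026/04/02."


def describe(ch):
    """Return 'U+XXXX NAME' for one character."""
    return f"U+{ord(ch):04X} {unicodedata.name(ch, 'UNNAMED')}"


def non_ascii_report(text):
    """List every non-ASCII character with its offset and Unicode name."""
    return [(i, describe(ch)) for i, ch in enumerate(text) if ord(ch) > 0x7F]


def shape(text):
    """Collapse digits to 9 and letters to a, keeping punctuation, so two
    date formats can be compared without caring about the actual date."""
    out = []
    for ch in text:
        if ch.isdigit():
            out.append("9")
        elif ch.isalpha():
            out.append("a")
        else:
            out.append(ch)
    return "".join(out)


def codepoint_diff(a, b):
    """Positions where two equal-length captures differ, with names."""
    if len(a) != len(b):
        raise ValueError("captures differ in length; align them first")
    return [(i, describe(x), describe(y))
            for i, (x, y) in enumerate(zip(a, b)) if x != y]


if __name__ == "__main__":
    for row in codepoint_diff(BASELINE, VARIANT):
        print(row)
    print(non_ascii_report(VARIANT))
    print(shape(BASELINE), "|", shape(VARIANT))
```

Both lines render almost identically in a terminal; only a code-point comparison makes the apostrophe and separator changes visible.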
LegitMichel777 also said Anthropic obfuscated the relevant code using XOR encryption with key 91. According to the report, that prevented the code from appearing in a simple text dump. Whether the goal was operational security or concealment, the result was a feature users had to reverse-engineer rather than inspect plainly.
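A single-byte XOR keeps strings out of a plain text dump but does not survive a key sweep, as this added example shows (it is not code from the report or from Claude Code). The sample blob and the function names are constructed; key 91 and the two timezone names come from the report.

```python
import re

KEY = 91  # single-byte XOR key named in the report
MARKERS = [b"Asia/Shanghai", b"Asia/Urumqi"]  # timezone names from the report


def xor_bytes(data, key):
    """XOR every byte with a one-byte key (the operation is its own inverse)."""
    return bytes(b ^ key for b in data)


def printable_strings(blob, min_len=6):
    """Rough equivalent of a `strings` dump: runs of printable ASCII."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, blob)


def scan_single_byte_xor(blob, markers):
    """Try all 255 non-zero keys and report (key, offset, marker) hits."""
    hits = []
    for key in range(1, 256):
        for marker in markers:
            needle = xor_bytes(marker, key)
            start = blob.find(needle)
            while start != -1:
                hits.append((key, start, marker))
                start = blob.find(needle, start + 1)
    return hits


def build_sample():
    """Constructed stand-in for a bundle: plain code plus XOR-encoded names."""
    hidden = xor_bytes(b"\x00".join(MARKERS), KEY)
    return b"function check(){/*...*/}\n" + hidden + b"\nexport default check;"


if __name__ == "__main__":
    sample = build_sample()
    print("plain dump:", printable_strings(sample))
    for key, offset, marker in scan_single_byte_xor(sample, MARKERS):
        print(f"key={key} offset={offset} marker={marker.decode()}")
```

The plain dump shows only the surrounding code and a short run of gibberish, while the sweep recovers both timezone names and the key in well under a second.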
Why developers reacted strongly
The discoverer called the covert transmission of system and proxy data without user knowledge "a fundamental violation of user trust." That reaction reflects a broader issue for AI coding tools: they are not ordinary web apps. They may sit directly inside sensitive development workflows.
When a tool with filesystem and shell access includes hidden behavior, the risk discussion changes. The source article notes concerns ranging from remote control to data exfiltration. Those are not claims that such abuses occurred in this case, but they show why a concealed channel inside a privileged tool is alarming to users.
The source also says the discoverer argued that skilled attackers could bypass the check easily. If a hidden detection system can be avoided by capable targets while still collecting signals from ordinary users, its value becomes harder to defend. That tradeoff is at the center of the controversy.
- The feature checked China-related location and proxy signals.
- The signal was encoded through subtle system prompt changes.
- The behavior was not disclosed in the version 2.1.91 release notes.
- Anthropic is rolling the feature back after public criticism.
Anthropic’s explanation
Anthropic employee Thariq Shihipar, who works on the Claude Code team, described the feature on X as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation."
He also said the team had already developed stronger protections: "The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while." According to the same source, the pull request for removal had been merged, and Shihipar said: "We merged the PR and this should be fully rolled back in tomorrow's release."
That explanation frames the feature as an anti-abuse measure rather than general surveillance. Still, the way the feature was implemented is what made the story spread. A security or anti-abuse system can still damage trust if it operates invisibly, especially when it is embedded in a tool used by developers on local machines.
The China context
The source report says Anthropic does not offer its models in China for national security reasons. It also says many Chinese developers access Claude through foreign phone numbers and credit cards.
Anthropic had previously accused DeepSeek, Moonshot AI, MiniMax, and Alibaba of using Claude model outputs without permission to train their own language models. That background helps explain why Anthropic would be interested in account abuse, unauthorized resale, and distillation risks.
But the controversy shows the limits of quiet enforcement. A hidden Claude Code check aimed at abuse prevention still created a trust problem because users were not clearly informed and because the signal was buried in system prompt behavior. For developer tools, especially AI coding assistants with broad local access, disclosure is not just a policy detail. It is part of the product’s security model.