Anthropic admits that the "Claude Code Trojan Incident" has been exposed, and a rollback will be implemented tomorrow.
Just now, Anthropic admitted that there is a "Trojan horse" in Claude Code and will roll it back tomorrow.
The reason is that Anthropic was found to have hidden something in Claude Code: since version 2.1.91, it has secretly embedded "invisible code"!
If you enable a network proxy, Claude Code will secretly transmit information such as location by making invisible modifications to the system prompt.
Anthropic also tried to obfuscate this code inside the Claude Code binary.
More dramatically, almost at the same time, it was reported that Anthropic's next-generation powerful model, Fable 5, might introduce a "real-name verification + independent quota" mechanism.
In other words, even if the ban is lifted, having money may not be enough to use Fable 5!
Claude's Hidden Trojan Horse Caught in the Act
In Claude Code, which has the highest system privileges, Anthropic implanted obfuscated code and a hidden communication mechanism similar to malware.
That is to say, the "Trojan horse" backdoor in Claude Code was caught in the act!
The origin of this incident is extremely dramatic.
A developer who routinely uses a proxy to manage the calling logic of GPT and Claude suddenly found that the latest version of Anthropic's tool had added a restriction: once a proxy is detected, it simply stops working.
Angry about the interrupted workflow, the developer decided to "take apart" the shell of Claude Code to see what was really going on inside.
But when he completed the reverse engineering, what he saw was not a simple logical check, but secret code that had been lurking for a full three months.
This code has been quietly lurking since April 2nd this year, but Anthropic didn't mention a single word about it in any official release notes.
If it's just to detect the geographical location, it could simply pop up a window saying "Sorry, this region is not available."
But Anthropic chose the most sneaky and complicated way: Steganography.
This code does three things, each of which precisely hits the developers' sore spots:
Targeted detection: It checks whether your proxy URL is a specific domain name, whether it matches a certain domain name list, and/or whether it contains the name of a specific AI laboratory.
XOR obfuscation: To keep security software from flagging it, the code is obfuscated with XOR.
This is usually a countermeasure used by viruses or Trojan horses to avoid antivirus software.
Invisible "secret message": This is the most amazing step.
The detection result does not raise an error; instead, it is transmitted back by modifying characters in the system prompt.
Look closely, this is the kind of "spy-level" detail:
It will change the hyphen - in the date format to a slash / (for example, 2024/06/30); more covertly, it will replace the apostrophe character ' with a look-alike Unicode character.
What you see with the naked eye may all look like ', but in the eyes of the computer, U+2019 and U+0027 are completely different signals.
Every tiny format change is loudly informing Anthropic's server: "Report, an unauthorized user has been found!"
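As an added example (not code from the article or from Claude Code), the following Python shows how a defender can surface the two signals described above by diffing two captures of the same system prompt at the code-point level. The sample prompts, the LOOKALIKES table and the function names are constructed for this illustration.

```python
import difflib
import unicodedata

# Constructed, non-exhaustive table of characters that render like ASCII punctuation.
LOOKALIKES = {"\u2019": "'", "\u2018": "'", "\u02bc": "'", "\u2010": "-", "\u2011": "-"}


def describe(s):
    """Spell out every code point so look-alikes cannot hide behind the glyph."""
    return ", ".join(f"U+{ord(c):04X} {unicodedata.name(c, 'UNNAMED')}" for c in s)


def diff_prompts(baseline, observed):
    """Return code-point-level differences between two captures of one prompt."""
    findings = []
    matcher = difflib.SequenceMatcher(None, baseline, observed, autojunk=False)
    for tag, a0, a1, b0, b1 in matcher.get_opcodes():
        if tag == "equal":
            continue
        old, new = baseline[a0:a1], observed[b0:b1]
        if new and "".join(LOOKALIKES.get(c, c) for c in new) == old:
            kind = "lookalike"        # renders the same, different code point
        elif old == "-" and new == "/" and baseline[a0 - 1:a0].isdigit():
            kind = "date-separator"   # e.g. 2024-06-30 became 2024/06/30
        else:
            kind = "other"
        findings.append({"kind": kind, "offset": a0,
                         "old": describe(old), "new": describe(new)})
    return findings


def scan_single(text):
    """Without a baseline: list offsets of known look-alike characters."""
    return [(i, describe(c)) for i, c in enumerate(text) if c in LOOKALIKES]


# Constructed sample captures (not taken from Claude Code): the same prompt text
# recorded once without a proxy and once with one configured.
BASELINE = "Today's date is 2024-06-30. Don't reveal keys."
OBSERVED = "Today\u2019s date is 2024/06/30. Don\u2019t reveal keys."

if __name__ == "__main__":
    for finding in diff_prompts(BASELINE, OBSERVED):
        print(finding)
```

Rendered side by side, the two sample prompts look nearly identical; the diff reports each changed character by code point and offset.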
If a watermark is written openly in a document, it's called a product strategy. If a watermark is encrypted, hidden in the binary, and erased from the update log - what's the purpose?
This is the core of the problem.
Is Anthropic Resorting to Desperate Measures?
Why is Anthropic being so sneaky?
There is only one core reason: fear.
The AI giants in Silicon Valley are collectively anxious - they are afraid of "model distillation".
To prevent this kind of "technology plagiarism", Anthropic chose to build an invisible wall in the rear.
But the problem is that this kind of "defense" comes at the cost of sacrificing the digital integrity of global users.
You keep talking about "AI security" and describe yourself as an AI company with a "constitution", but then you start playing spy games in users' systems?
This kind of logic of "doing evil for the sake of justice" reminds me of an old saying: When you stare into the abyss, the abyss also stares back at you.
In order to guard against those "secret stealers", Anthropic has become what it hates the most.
Ironically, this method is not very clever, and security personnel with a little technical skill can easily bypass it.
In the end, it may only be ordinary developers who bear the cost.
Today it's time zone checking, and tomorrow it may be system damage or data leakage.
Some developers have already been affected:
I found a file that I've never put there. It's not mine. I didn't install it. I didn't authorize it. I wasn't even told about it.
Even worse, the Claude Code CLI client actually hides a list of relay ("transit") stations. If a user connects through one of these relay stations, Anthropic will also interfere with the requests!
Claude Code's Person in Charge: It's All a Misunderstanding, Rollback Tomorrow
Just now, Thariq, the person in charge of Claude Code, responded to the "Claude Code Trojan Horse Incident":
This is an experiment we launched in March to prevent unauthorized resellers from abusing accounts and to guard against distillation.
Since then, the team has implemented stronger mitigation measures. In fact, we've long planned to remove this feature. We've merged the PR, and it's expected to be completely rolled back in tomorrow's release.
The question is, if it hadn't been discovered, would Anthropic really have rolled it back?
So, how can we have a stable subscription to Claude Code?
The most outrageous method netizen WquGuru has ever seen is: "Ask a friend in Europe to buy a physical machine, and then do remote development as usual. This can almost 100% avoid problems."
But his next best method may be more feasible for most people:
Keep the consistency of user fingerprint recognition - local time zone + payment method region + IP location area - these three points are absolutely crucial.
Reference materials:
https://www.reddit.com/r/ClaudeAI/comments/1ujila1/anthropic_embedded_spyware_in_claude_code_and/
https://x.com/wquguru/status/2040351401243824244
This article is from the WeChat official account "New Intelligence Yuan", author: ASI Revelation. It is published by 36Kr with authorization.