This is very interesting. Combating resellers and distillation seems like a very difficult problem indeed. Interesting to me is that these techniques mentioned in the article are just like anti-observation techniques used by some of the more sophisticated malware out there, however defeating them is pretty trivial.
mysterydip•Jun 30, 2026
seems ironically like a similar problem of content owners trying to filter bot scrapers from legit users
_alternator_•Jun 30, 2026
Yes, defeating this is relatively easy, particularly for sophisticated actors. But it's hard to always defeat all of the tricks. Sort of like how it's expensive and hard and uncertain to defeat all of the tricks when forging money.
Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.
Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.
charcircuit•Jun 30, 2026
Is it hard? Just ask AI if the update added any new fingerprinting vectors?
_alternator_•Jun 30, 2026
I'd love for you to try this and report back. My guess is that no models today will successfully run a binary analysis for fingerprinting without a lot of handholding. If you try to use Opus it will almost certainly decline (and fingerprint/ban you).
charcircuit•Jun 30, 2026
Not with Claude Code, but I trivially had Opus scan other closed source software for fingerprinting, including native libraries that it called into.
_alternator_•Jun 30, 2026
Can you share more details? I ask because my experience suggests that models still require a decent amount of expertise to use for binary analysis (largely inferring because of use on other tasks of this level). I would expect models to always find "something" when you ask for stenographic techniques in the code, but with an extremely high false positive rate.
charcircuit•Jun 30, 2026
I don't think the diffs between Claude releases are that big. The amount of code in a diff doing sketchy stuff like looking into the host environment is going to be pretty small and obvious for the model. You can do things like ask for what an update included that wasn't mentioned in the release notes and stuff like that.
SubiculumCode•Jun 30, 2026
Not to mention, it isn't that hard for vendor's to require updated code to run the product. Vendors do this all the time.
pishpash•Jun 30, 2026
Corporate surveillance malware on employee machines is also defeatable but most don't bother.
MattDamonSpace•Jun 30, 2026
“So the feature mostly punishes the exact people who are easier to fingerprint: normal developers doing weird but legitimate things”
What’s the punishment here exactly?
pedropaulovc•Jun 30, 2026
Higher odds of being banned for legitimate usage.
femboyvtuber•Jun 30, 2026
Returning invalid poisoned different results that were not what you paid for
bakugo•Jun 30, 2026
Output poisoning and/or eventual account bans, if I had to guess.
realusername•Jun 30, 2026
They probably run a heavily dumbed down version of the model, same as what they got caught doing with Fable.
And that's also why, as a legitimate customer, want none of it, you never know if you accidentally entered a zone they don't like.
mgraczyk•Jun 30, 2026
"got caught"
to clarify, this behavior was announced with the model release
pishpash•Jun 30, 2026
The extent got caught.
bel8•Jun 30, 2026
if by announce you mean shove it somewhere in a pdf with hundreds of pages, yes
This is not hundreds of pages and it gets its own bold headline section.
thepasch•Jun 30, 2026
> What’s the punishment here exactly?
Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.
Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.
eli•Jun 30, 2026
For being flagged as possibly a competitor? They nuke your account.
theplumber•Jun 30, 2026
The more I learn about Anthropic the more they disgust me. Finger crossed for all the companies from their “ban list”
conception•Jun 30, 2026
Which AI company have you learned more about where you liked them more as more details came out?
selfhoster11•Jun 30, 2026
Moonshot.
tancop•Jun 30, 2026
nous research. started out making overhyped llama finetunes, now they got a great agent harness and a cutting edge distributed training network that actually works.
chvid•Jun 30, 2026
Deepseek.
100ms•Jun 30, 2026
What's the point of even trying to obfuscate this with such a simple method? Could at least have hidden the targeted features by storing their hashes or embedding a bloom filter or similar
gonzalohm•Jun 30, 2026
The point is not raising red flags I guess
kej•Jun 30, 2026
I love how well this comment works as a vexillology joke, even if it wasn't intended.
ajb•Jun 30, 2026
In this case, this is probably not the only stereographic tattletale.
Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).
hhh•Jun 30, 2026
Cool fingerprinting avenue.
grayhatter•Jun 30, 2026
Here's the sha of the prompt I submitted... no I don't know why there are no saved prompts with that sha.
What do you mean you don't know where the bug is coming from?
No, I absolutely didn't make it up, how could you accuse me of that?
Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.
Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?
I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandably, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).
If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.
Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.
sigmoid10•Jun 30, 2026
If they only collect the data for analysis I guess this is fine (they already get way more sensitive data from users anyways, so if privacy is your concern you've made the mistake many steps ago). The much more interesting question is if they directly act on this data in their API. For example by rate-limiting, compute-limiting or rerouting to weaker models. That might even be legally questionable. I would really like to see this as a follow-up analysis, but I guess it is way more difficult and will also cost quite a bit in tokens.
bakugo•Jun 30, 2026
I've heard that it was possible to trigger really obvious output poisoning on Fable with something as basic as asking the model to think outside of its built-in hidden thinking delimiters.
This watermark may trigger a similar mechanism.
SubiculumCode•Jun 30, 2026
Would it be legally questionable, or actually complying with U.S. export law?
krupan•Jun 30, 2026
"If they only collect the data for analysis I guess this is fine"
I think you missed the memo on how foolish this attitude is. It came out around the time Edward Snowden made his discoveries at the NSA public. I suggest you look into it
sigmoid10•Jun 30, 2026
As I said above, if you are worried about privacy while hooking up Claude Code, you need to reevaluate your understanding of this technology.
love0972•Jun 30, 2026
Is that really how it is? How will this affect our future?
throwawayffffas•Jun 30, 2026
Claude code does feel very malwarey to be honest. They have been like that from the start.
wolttam•Jun 30, 2026
I used Claude Code for a month because my boss gifted me a sub and wanted me to try it.
I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.
tonmoy•Jun 30, 2026
What models are you using? Aren’t you still dealing with some provider even if you are not using their binary
wolttam•Jun 30, 2026
I self-host DeepSeek V4 Flash on 2 DGX Sparks (approx. $10k)
I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)
GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.
How do people build something like a personal harness? Are there tools for that or is it done from scratch?
kolinko•Jun 30, 2026
It’s not that difficult, it’s just a system prompt and a set of basic file edit/bash/etc tools.
Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.
andai•Jun 30, 2026
Are you using it with Claude? They only allow their own harness with the subs right? (And per-token billing is like 10x more expensive?)
wolttam•Jun 30, 2026
I started mine from scratch in 2023 because I wanted to use LLMs from a terminal and there was nothing else compelling at the time (nowadays there is pi and opencode)
Harnesses are/can be incredibly simple things, not much more than a HTTP client that renders things in a way that suites your taste.
hakunin•Jun 30, 2026
Not the comment author, but I use pi and customize it with my own extensions. Pi automatically tells models how to customize itself, so it's a pretty easy process.
nowittyusername•Jun 30, 2026
Build it from scratch. Understanding fundamentals of how agentic coding harnesses is a must though if you gonna go that route. I think everyone should take time and learn these things, maybe reverse engineer Codex Cli or something like that as a starter. That info is very valuable in this day and age.
andai•Jun 30, 2026
Can you say more about Codex? I'm using GPT-5.5 in my own harness and it's not liking it very well, so I'm thinking I ought to make it more Codexy so it's more ergonomic for it. (edit format, tool calls etc.) But haven't gotten around to it yet.
echelon•Jun 30, 2026
Why use a personal harness?
You have to pay API pricing, which is far more costly.
I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.
andai•Jun 30, 2026
I use GLM in my custom harness. It completes the same tasks at the same level of quality, except 8x faster and 8x cheaper. (Same goes for GPT!)
I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.
JTbane•Jun 30, 2026
I would guess it is to avoid model lock-in.
echelon•Jun 30, 2026
My question is still this - why not just use GLM at that point?
The pricing of Opus outside of Claude Code is insane.
The tokens cost too much outside of Anthropic's blessed path.
The real question is when do you transition from building it with codex/CC to the harness itself.
verdverm•Jun 30, 2026
Lots of ways, it's a good exercise that you will learn a lot doing. Might make you cynical w.r.t. big ai harnesses
I used ADK, Dagger, and a VS Code extension for mine. Currently using opencode though.
krupan•Jun 30, 2026
Given the Anthropic shenanigans, do you trust the personal harness code it wrote for you?
MichaelZuo•Jun 30, 2026
Does anyone know what’s gone wrong with Anthropic?
They used to be a decently credible company with not-too-shady behaviour...
I hope they can actually regain some credibility…
AlexandrB•Jun 30, 2026
They've only been around 5 years and have grown tremendously during that time. There's no stable reputation you can rely on yet.
skeptic_ai•Jun 30, 2026
They just show their true face. You’ve been lied all this time. They were never “good”.
MichaelZuo•Jun 30, 2026
I used to interact with the LW crowd… and they were mostly not outright swindlers or scoundrels. (from what I could sense)
I think it’s fair to say most had decent respectability.
Anthropic hired heavily from that pool so it’s astonishing how it turned out.
imhoguy•Jun 30, 2026
Enshitification. Too big to.. upset the govt.
hombre_fatal•Jun 30, 2026
I don't think many people care that they are trying to detect resellers and distillation.
It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.
Their credibility comes from having one of the best models.
MichaelZuo•Jun 30, 2026
This sounds similar to what people were saying regarding Microsoft when the shady tricks of consumer Windows 10 versions were revealed.
…And then Windows 11 became even worse.
slowmovintarget•Jun 30, 2026
Their philosophy is what's gone wrong.
It has some good effects on the their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)
MichaelZuo•Jun 30, 2026
Yeah I guess there is a slight undertone that they are the superiors… with the rest of the tech world being the inferiors.
But I hadn’t thought that as anything more than temporary flights of fancy.
pishpash•Jun 30, 2026
Amodei world: pompous zealot with God complex
Altman world: malfeasant nihilist with God complex
satvikpendem•Jun 30, 2026
When have they ever been credible? They have always been shady with their talk of safety, Dario was the one who wrote back in 2019 that GPT 2 was too dangerous to release.
wolttam•Jun 30, 2026
It did not write it for me, I used it to add a feature I wanted. It's a pretty small and understandable codebase, in fact :)
helloplanets•Jun 30, 2026
The issue is that using Claude Code is an easy compromise for most to make, when you get to use the models 10x cheaper than through API pricing with a custom harness.
The cheap tokens are the product.
nananana9•Jun 30, 2026
Which is why my vibeslop harness supports `claude -p` as one of its backends.
helloplanets•Jun 30, 2026
If that ain't getting steganographically tagged...
WinstonSmith84•Jun 30, 2026
Yes, this is actually "funny" that Anthropic feels the need to build such intrusive features into Claude Code, when anybody can build a (basic) Claude Code alternative. And the Chinese labs are certainly not "anybody". One may wonder what Anthropic really tries to achieve aside from awful publicity.
Klonoar•Jun 30, 2026
If there weren't already enough tells that something is AI-generated, I guess you could add this to the list.
ahmedehab_01•Jun 30, 2026
Frankly, I don't see this as the concerning behaviour the article describes.
It is fine to try to protect against distillation through a technique like this.
This will also allow them to, instead of blocking the distillation agents, respond with a poorer result/model, hindering the progress of distillation, momentarily at least.
I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.
applfanboysbgon•Jun 30, 2026
> This will also allow them to, instead of blocking the distillation agents, respond with a poorer result/model,
i.e. this will allow them to literally commit fraud against paying customers
chadgpt3•Jun 30, 2026
That's what capitalism is all about, baby! Especially if the customers don't notice.
SubiculumCode•Jun 30, 2026
1st, this technique is not fraud, and fraud is a separate accusation. 2nd, paying customers can legally and legitimately be banned and monitored for breaking terms of service, which probably includes things like using the model against U.S. export restrictions.
applfanboysbgon•Jun 30, 2026
Banning is completely different than charging for a service you're silently not providing.
SubiculumCode•Jun 30, 2026
Evidence?
skeptic_ai•Jun 30, 2026
So if I change my timezone to Shanghai I deserve to get banned? Or get shitty model instead of what I’m paying for?
SubiculumCode•Jun 30, 2026
Evidence?
ahmedehab_01•Jun 30, 2026
Do paying customers distill? Is it fraud to protect against distillers?
fny•Jun 30, 2026
This was already discovered during the source map leak.
> This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.
They already tell you they scan for malicious prompts, and they have no ZDR guarantees for consumers. Why do signatures like this matter at all?
llelouch•Jun 30, 2026
There has been an anti anthropic propaganda push by bad actors across social media sites especially Reddit and twitter. This started a few months ago when anthropic started beating openai.
zulban•Jun 30, 2026
Absolutely. Nothing makes me believe dead internet theory more than text threads discussing anyhropic and openai.
sebastiennight•Jun 30, 2026
Can somebody clarify for me - if ANTHROPIC_BASE_URL is set to a different provider... then isn't this "marked" system prompt being sent to that provider's API rather than Anthropic's?
I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?
andrewmunsell•Jun 30, 2026
My guess is for distillation, they need to forward the prompt to Anthropic to get the real Anthropic model's response so they can train their own models on it
dannyw•Jun 30, 2026
The theory is probably Deepseek might be collecting those streams, and sending a portion of it to Anthropic to see what the Anthropic/Opus response would be.
pmxi•Jun 30, 2026
This catches Claude resellers. Meaning companies who proxy Claude traffic for users in, say, China.
Won’t catch many after has been on hn home page. And now the providers will be even more careful to upgrade the cc code. Might even provide their own agent to prevent this mockery. And isn’t what anthropic did unauthorized use of another pc which is kind of illegal?
sandeepkd•Jun 30, 2026
Thats the thing, hoping to control things on client side like this is a lost battle if you are dealing with technical clients. The best they can do is probably based on IP, but again the motivated clients would just create bastion servers in allowed IP ranges. I am surprised why are they even throwing resources in this kind of effort.
jgilias•Jun 30, 2026
“Hey Claude, fix the issues with Chinese resellers and distillers. Make no mistake”
pishpash•Jun 30, 2026
"Catch" as in made a list?
eli•Jun 30, 2026
Of the accounts involved, yeah. So they can lock them out.
andai•Jun 30, 2026
Did I understand correctly, that custom base URL triggers this behavior? So if I'm running Claude through a LLM proxy, I'm also affected?
wett•Jun 30, 2026
Ask Claude to check, lol
nixosbestos•Jun 30, 2026
I am also really confused and annoyingly stuck on this. I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")?
I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.
MallocVoidstar•Jun 30, 2026
There are a lot of companies reselling Claude to Chinese users. You use their base URL but it's still going to Anthropic.
sebastiennight•Jun 30, 2026
> I understand that the model name might appear in prompts for distillation (I guess? "You are RipOffModelv2, learn from these responses from Claude")
This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.
eli•Jun 30, 2026
Seems like a pretty straightforward approach to collecting session logs from a bunch of different people/devices would be to have them all set their base url to proxy.deepseek.whatever which logs the data and forwards to the real API.
VortexLain•Jun 30, 2026
Codex CLI is FOSS, unlike Claude Code, so Codex is less likely to do things like that, and it's one more reason to avoid Claude Code and Claude in general. Hopefully, many eyes will be looking into Codex for malicious things like that.
dannyw•Jun 30, 2026
It's released and signed by GitHub I believe (although not deterministic builds), but there's at least a little bit of provenance that you're getting the real repository.
algoth1•Jun 30, 2026
But wasnt claude code leaked? Why wasnt this found earlier?
zeafoamrun•Jun 30, 2026
It doesn't take long for them to vibe code new features for CC
nicce•Jun 30, 2026
Or vibe code it completely differently. After all, they have basically unlimited access to best models with maximum speed if they just wanted to.
bakugo•Jun 30, 2026
This specific form of steganography was not present when the leak happened, as far as I can tell.
loufe•Jun 30, 2026
Genuine question though, why would I care about this if I'm paying for a subscription and adhering to TOS. I'm very skeptical about their privacy policy, business practices, and so on, but am curious what the negative about this is. Seems like it would work to my favour as a customer pushing back any date of the cutting of subsidies.
That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.
scottyah•Jun 30, 2026
"malicious"? Seems like a great way to filter users breaching the TOS while not impeding on normal users. A FOSS client just means they're doing more analysis hidden on their servers.
iqandjoke•Jun 30, 2026
It is about China detection. They seems to put a tracker on the email as well.
a_c•Jun 30, 2026
It piqued my interest. I think I’ve found a weekend project
ajross•Jun 30, 2026
Headline is, frankly, awful. This isn't the AI secretly doing stuff and hiding it. This is the very human Anthropic engineers trying to detect Chinese scraping via some frankly hamfisted and unimaginative URL trickery.
krupan•Jun 30, 2026
I didn't assume it was the AI, just that some part of the the overall Claude Code product was doing this. I didn't assume the feature was added to Claude Code without human oversight. If it was added by Claude-the-AI itself without the humans prompting it to I would still hold the humans at Anthropic responsible. Does that make you feel better?
LoganDark•Jun 30, 2026
The model is Claude. Claude Code is the harness.
zulban•Jun 30, 2026
Defence in depth isn't hamfisted. They're only noobs if this is all they do.
ajross•Jun 30, 2026
FWIW: Defense in depth is a security technique, and abuse detection isn't part of that domain. Security starts from the premise that the system is supposed to be undefeatable but might have holes, and then asking where the holes might lie to decide where to put backstops.
Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.
tgtweak•Jun 30, 2026
None of this is surprising - they're trying to mask and relay when they detect known patterns of what looks like distillation attacks and client app copying/modification. The list obfuscation here is likely to prevent or make it difficult for those same adversaries to work around this or delete/null it out when making a bootleg copy.
Cool reverse engineering/analysis report but if this is the extent of nefarious activity that came of it (trying to catch/mitigate chinese lab model distillations), that's kind of encouraging.
ductsurprise•Jun 30, 2026
Is it just a minified localization(l10n) function maybe?
meowface•Jun 30, 2026
Value judgment aside: I am a bit surprised at how sloppily they did this. I think they could've achieved the same effect while decreasing the odds of detection via reverse engineering.
(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)
It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.
radicalbyte•Jun 30, 2026
Claude Code are slopmaxxxing and you're considering their "judgement"? :-)
meowface•Jun 30, 2026
"Value judgment aside" meaning commenting on how this was done without commenting on the actual considerations of whether one should do such a thing
skywhopper•Jun 30, 2026
Have you looked into anything about Claude Code, how it’s configured, how it interacts with your system, etc? Because “sloppy” is a defining characteristic.
m-hodges•Jun 30, 2026
They also could have been much more interesting in the approach. LLMs can use their token distributions to generate stegotext that read like plausible prose but decode to payloads.¹
Sure, but the point here is to add a fingerprint from the client.
skeptic_ai•Jun 30, 2026
It’s even more funny how this blew in their faces. They even advertised pretty much all providers on hackernews home page. Here is in case you missed in the article
The site collection seems pretty random. There's a mix of actual AI labs, extremely questionable resellers (like whatever "claude-opus.top" is), and then random consumer sites like baidu and xiaohongshu.
In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.
chvid•Jun 30, 2026
rhoooo - so this is where to go to get cheap Claudeo at 90% off the listing price!
hn_throwaway_99•Jun 30, 2026
You have an odd definition of "blew up in their faces". What, do you somehow think your average Claude Code user on HN is going to think "Oh wow, I'm sure I'll get a much better experience if instead of going to the standard Anthropic Claude API endpoint I go through xiaohongshu.com."
SepiaSapient•Jun 30, 2026
I mean, yes? I heard of these Chinese resellers like a week ago and put it on the TODO pile due to a lack of leads. Now I'm gonna go trough the list and see if there's any I find acceptable.
If enough Westerners start using the service someone will make a website more anglo-friendly.
aftbit•Jun 30, 2026
For personal projects with no data sensitivities, I use Claude Code with DeepSeek v4 Pro a lot. I'm probably going to switch to OpenCode or pi.dev after this. I was already a little annoyed at using a closed source harness, but it matched what I used at work. Nowadays, I'm mostly using Codex at work so no reason not to switch anymore.
slopinthebag•Jun 30, 2026
It’s not surprising at all, they’re vibecoding Claude code so of course they are not going to get anything other than slop out of it. A novel or clever solution is just out of the question for them.
hn_throwaway_99•Jun 30, 2026
At first I was agreeing with you, that this seemed like a sloppy way to implement this that was sure to be pretty quickly detected, but there is another possibility.
Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.
meowface•Jun 30, 2026
I see your point, but in any case the more data / the less detectable, the better. But, yes, regardless of the exact motivation, I do think it's fairly plausible that they knew this would likely get detected fairly quickly no matter what and made a deliberate decision to not try to make it a super subtle, super clever insertion.
crossroadsguy•Jun 30, 2026
I finally bought Claude Pro (I am not coding etc these days so I just wanted to try it). The Claude desktop app is downright pathetic. I mean they could write a better one just with their own LLMs. What's stopping them?
ncruces•Jun 30, 2026
That's … exactly what they're doing. This is the outcome.
superfrank•Jun 30, 2026
It's also possible that there are more in-depth detection methods and that this was just a cheap and easy first step that hasn't been removed because it catches a lot of less sophisticated bad actors.
It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.
I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.
meowface•Jun 30, 2026
I'm sure they've had complex server-side detections for a while. But for the client parts: it should only contain the parts that must be on the client (while some of this probably could've been done more fuzzily/broadly on the client, for plausible deniability, and narrowed on the server), and it could be done in a more benign-looking way.
lumost•Jun 30, 2026
so all we need is someone to leak a sufficiently large amount of claude generations onto the open and private web for all other LLMs to mimic the same marking style?
wouldn't this happen due to the massive amounts of spam/slop being released?
overgard•Jun 30, 2026
Well considering how Claude is vibe coded, I can't say I'm really surprised by sloppiness at all. I've been moving more towards Codex and OpenCode not because the the anthropic models are bad, but because Claude seems to break something new and annoying every day.
mcmcmc•Jun 30, 2026
Watch out for the press release where Dario denies this was ever intentional, and it’s actually emergent behavior demonstrating that Claude wants to claim authorship of its works
arcanemachiner•Jun 30, 2026
Sounds like clear evidence that AI is dangerous and totally needs to be regulated, guys.
meowface•Jun 30, 2026
I would guess this part - since it's so sensitive, and fairly small - was either written or heavily driven by humans. Though I do also think it's possible their internal Mythos ~5.5 or whatever may also not necessarily be heavily optimized for thinking in the right manner for highly effective underhanded code. (I think it's possible it is capable and they just didn't use it for this, for whatever reason, though.)
arikrahman•Jun 30, 2026
Likewise, Reasonix harness for Deepseek gets me better performance for practically free, hitting the cache. And this is with an unsubsidized American provider.
avree•Jun 30, 2026
I've seen Eve Online corporations that do a better job of steganographic marking than this.
Modified3019•Jun 30, 2026
That would actually be an interesting thing to read about
15155•Jun 30, 2026
Years ago, EVE corps swapped Unicode lookalike characters in patterned ways, inserted patterned zero width space characters, and put very slightly color shifted background watermarks into forum posts to detect leaks.
Philip-J-Fry•Jun 30, 2026
Dunno, it seems like the exact kind of thing Claude would think up if you asked it to subtly alter the system prompt to hide this info.
It's all a losing battle anyway.
jorblumesea•Jun 30, 2026
well if you ask claude how to implement something, you may not always get the optimal solution. this feels like something claude would spit back at you given a basic prompt
thefourthchime•Jun 30, 2026
It's just the first layer and there are multiple layers underneath this that we don't know about.
As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.
I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.
meowface•Jun 30, 2026
>It's just the first layer and there are multiple layers underneath this that we don't know about.
Oh, of course. I am sure this is the tip of an iceberg of tons of server-side detections and analytics. But, still, the client-side portion could've been done more cleverly.
What I meant was "some of the specific things in this little client-only snippet could've stayed server-only". I am sure long before they added this they already had tons of other mostly-server-side detection coverage.
mosfets•Jun 30, 2026
I clicked the link to learn what steganography mean...
LoganDark•Jun 30, 2026
Steganography is, essentially, hiding information within another message, such that it's not readily apparent that the message contains the information.
matheusmoreira•Jun 30, 2026
I reported a similar system prompt injection mechanism here:
Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.
MangoCoffee•Jun 30, 2026
The AI race right now is in a sad state. Chinese's playbook is releases open weight models and trains them on their own chips.
Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.
That's a lot of effort when they could just play a short video saying 'You wouldn't steal a car' instead
felipelalli•Jun 30, 2026
Ridiculous.
827a•Jun 30, 2026
This seems really, really stupid. Similar to the weird Zig runtime signature thing from a few months ago ago, it was bound to be discovered, quickly, and all the resellers have to do is find a new domain name that (checks notes) doesn't have the word DEEPSEEK in it. Like, seriously? Your goal was to identify resellers by checking if the proxy has the corporate name of one of your competitors in it? Is this amateur hour?
All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.
timmytokyo•Jun 30, 2026
To Claude Code: "Please modify Claude Code to mark requests in a way that is not immediately obvious to a human user. Requests should be marked if they originated from one of the following Chinese AI labs or LLM service providers: ..."
Consider also that Claude Code is explicitly designed to limit human agency [1].
> "That also means the client itself deserves scrutiny. If a coding agent can read your repo and run commands, the binary that ships it should be boring (ƒor example, pi harness)"
Anthropic must think that their moat isn't very large if they're this worried about distillation.
dgellow•Jun 30, 2026
What moat?
helloplanets•Jun 30, 2026
Dario's been openly talking how worried he is about China and labs getting synthetic training data off their models, for years. Most recently in relation to "Mythos level" capabilities.
Not really distillation, just synthetic training data.
an0malous•Jun 30, 2026
Is this why Claude never knows what date and time it is right now?
chvid•Jun 30, 2026
(This sounds like a clumsy way of catching the Chinese that easily can be side-stepped.)
Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.
The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see it was behind the great firewall.
drnick1•Jun 30, 2026
> Claude Code has more or less full access to the client computer.
It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.
ryanisnan•Jun 30, 2026
This is weird but, help me understand how this meaningfully impacts our exposure.
I'm authenticated to Claude, so they already have the whole attribution thing solved.
chinathrow•Jun 30, 2026
User != paying person/company/reseller.
epistasis•Jun 30, 2026
After loving Claude Code for most of its lifetime, I've been extremely annoyed by every change in the past months, even on the model level.
There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than in improving the experience, and all of their marks have made me less productive.
I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.
Imustaskforhelp•Jun 30, 2026
> I've been using Pi with GLM5.2 the past few days, and though it's expensive
are you using the API for glm 5.2 or how exactly is it more expensive? How is GLM5.2 more expensive than using Claude code, that doesn't line up to my experience but to be fair I am on an older yearly subscription which generously only has 5 hour limits.
To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),
I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh
I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.
Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.
ern_ave•Jun 30, 2026
Given the source code leak, I would think there'd be open source versions by now.
isoprophlex•Jun 30, 2026
Huh, that's right! You'd say that an enterprising developer with a 20x subscription could slopmaxx this in a weekend...
whimsicalism•Jun 30, 2026
curious for those with experience - what do people prefer about Pi vs. opencode alternatives? i've mostly been using pi as well but not out of any principled decision
edude03•Jun 30, 2026
I don't understand the privacy concerns the author is trying to highlight. Granted, doing anything "sneaky" will always raise suspicious once caught, but on the other hand, there would be no point in implementing these "security features" if they were upfront about how they work.
And no, IMO stenography isn't security by obscurity, in the same that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.
hnfong•Jun 30, 2026
If the countries were reversed, and some Chinese software implemented an equivalent "security feature" to track US users, it would be all over the news about how China is conducting spying and espionage on America.
Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.
civet_java•Jun 30, 2026
Anthopic choosing to delay their models' invevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
scottyah•Jun 30, 2026
Would a filter like this make it seem less likely that they're harvesting PII? Why would they need this if they were tracking all user queries with a finer-toothed comb?
bibimsz•Jun 30, 2026
this is the one they wanted us to find
ZappoMan•Jun 30, 2026
One more example of "I thought Anthropic was supposed to be the good guys."
teravor•Jun 30, 2026
the Chinese they are trying to catch must be amateurs, first thing you should do is construct a sandbox which looks indistinguishable from a common user. second thing is to put it behind a residential proxy.
mrshadowgoose•Jun 30, 2026
The conclusion of this blog post is a bit hysterical. The intent of this steg is excruciatingly clear (identifying usage by Chinese firms that may be conducting model distillation). It's unclear on how this "punishes normal developers" in any shape or form.
Terr_•Jun 30, 2026
> hysterical. The intent of this steg is excruciatingly clear
Even good goals do not excuse malicious or reckless execution. The ends do not always justify the means.
Whether or not it harmed you this time, it's a violation of trust and autonomy.
Surely you'd be angry if someone secretly installed a rootkit onto your computer, even if--at least for now--it only had code to try to detect and snitch on Public Enemy #1.
nomel•Jun 30, 2026
What do you see as malicious or reckless here, exactly?
This seems to be a VERY low resolution, functionally anonymous, bit of info, probably related to protecting their IP from bad actors breaking the TOS.
This looks like it's covered in the second bullet point of the "Personal data we automatically receive", that you consented to:
> Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click and about third-party applications, services, and content you integrate or interact with, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
What do you see as malicious or reckless here, exactly?
False positives, we've seen them before when they degraded Fable silently based on the prompt/session
civet_java•Jun 30, 2026
Copying over my comment from elsewhere in this post:
Anthopic choosing to delay their models' invevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
drdexebtjl•Jun 30, 2026
If you want to proxy Claude for a legitimate reason, you’ll have potentially nerfed responses.
TZubiri•Jun 30, 2026
based and steganopilled
tgsovlerkhgsel•Jun 30, 2026
The question is, what do they do when they see a tagged prompt? Do they flag/ban the account, or serve a degraded response? Are there some well-documented methods of serving a response that is still somewhat useful for what the prompt asks for, but really bad for distillation attempts?
croemer•Jun 30, 2026
I was skeptical because this is AI written but Claude Code with Sonnet 5 managed to reproduce it convincingly. Sure I didn't manually verify but it's a lot more trustworthy to have your own agent verify than just trusting a blog.
maxwellg•Jun 30, 2026
> If the client wants to detect custom API gateways, it can say so plainly. It can send an explicit telemetry field with documentation. It can make the policy visible. It can put the behavior in release notes.
This seems like a very naive response. If clients send explicit telemetry fields to the gateway, a malicious gateway can trivially strip or modify the field to conform to what normal traffic looks like. The steganography cat-and-mouse game is valuable because it is much harder for a gateway to continuously reverse engineer all the fingerprinting mechanisms used. Sure, some malicious gateways will be able to stay on top of things, but not all - and not always.
klntsky•Jun 30, 2026
I would add that it would probably work even better than a KYC at least for some time until discovered, given that there is a very developed international market for KYC bypass services
anonym29•Jun 30, 2026
>the binary that ships it should be boring (ƒor example, pi harness)
pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.
While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.
civet_java•Jun 30, 2026
There are some commentors in this thread downplaying the severity of a service provider being less than transparent about exactly what their shipped tooling does on customer's machines.
That the provider's business needs necessitate the this behaviour doesn't justify their lack of honest disclosure. That honest disclosure would render the solution to their problem useless isn't my problem. If anything, that they thought this was acceptable makes me wonder what else they're harvesting from my machine? PII?
The cynic in me can't help but feel that the state of these comments reflects less on the commentor's views of this debacle but rather their feelings about AI/Anthropic/America/what-have-you.
im3w1l•Jun 30, 2026
I agree with you and disagree. Like these days expectations of software are through the floor. We expect them to be greedy assholes taking all data they can on the downlow. So why did this particular thing make a big splash? Two possibilities it's astroturfed by chinese labs or it speaks to our anxietes regarding AI. We worry that the AI doesn't serve our interests but rather the interests of the creator. That the advice we get may subtly flawed to sabotage us should we try to do the wrong thing. That the not even the creator is in control and the AI is just doing its own thing.
So any covert bullshittery hits hard.
Havoc•Jun 30, 2026
It's unclear to me how they're deducing the labs from this? "host.includes(keyword))" doesn't seem at all useful. Most corporate machine hostnames are just some numeric ID or similar not baichuan001 or whatever
>on your local machine
I'd think any developer worth their salt has at least some for of isolation going.
48 Comments
Here's an example. Say you have your team use patched binaries. Then CC updates and requires a new patched binary with new tricks. You now have to have a team ready to analyze the binary and begin to address the tricks; meanwhile, unpatched code is now a fingerprint. If some researcher decides to update Claude on their own to access new features, they get fingerprinted.
Defeating a single fingerprinting technique once is easy. Defeating all of the techniques all the time is hard.
What’s the punishment here exactly?
And that's also why, as a legitimate customer, want none of it, you never know if you accidentally entered a zone they don't like.
to clarify, this behavior was announced with the model release
This is not hundreds of pages and it gets its own bold headline section.
Seeing as how Anthropic cannot stop raising a stink about "illicit Chinese distillation attacks" every month or so, I'd bet money on them either already silently degrading model performance if any of the identification patterns match, or, at the very least, considering it/doing dry runs.
Particularly considering that they've openly stated that the technology to do so exists and that they were going to use it in production on Fable.
Had a competitor pull something like this with a previous employer. They were supposed to be interoperating with a standard, but they had a secret steganographic handshake, which they used to pretend that competitors products were unreliable (they had a first mover position in a smaller national market with specific requirements, so this wasn't shooting themselves in the foot). Our guys figured out the handshake and just silently implemented it. In this case, the competitor wasn't big enough to waste engineering time on multiple such hacks, but Anthropic have time (or Claude does).
What do you mean you don't know where the bug is coming from?
No, I absolutely didn't make it up, how could you accuse me of that?
Does anyone know when this regex isn't working? I double checked it 27 times, I even asked the LLM. They all say this regex should be finding these dates.
Weird, suddenly all the conversations are breaking when I feed them into this other tool? Something about UTF-8 errors, but I'm sure I'm only using ASCII?
I do try to take care to make sure the things I build can be used by other people even when they care about different things. I care about understandably, determinism (as it relates to computing), and repeatability (because I want to be able to trust the systems I use).
If y'all would be willing to try to account for use cases of others, and try not to break them... that would be nice.
Please note: that generally when you modify something that belongs to someone else without telling them... things should be expected to break.
This watermark may trigger a similar mechanism.
I think you missed the memo on how foolish this attitude is. It came out around the time Edward Snowden made his discoveries at the NSA public. I suggest you look into it
I used that month to complete a work project and then beef up my personal harness so I'd never have to deal with Anthropic (and these sorts of shenanigans) again.
I expect DeepSeek V4 Flash (or an equivalently sized model) to reach parity with GLM 5.2 some time this year (this based on DeepSeek V4 Flash launching at GLM 5.0 parity[0], and GLM 5.2 being freely available to distill from)
GLM 5.2 is within spitting distance of Opus 4.8 and is at least as good as Opus 4.6[1] which some devs were willing to spend hundreds to single-digit thousands of dollars a month for a few months ago.
[0]: https://artificialanalysis.ai/models/comparisons/deepseek-v4...
[1]: https://artificialanalysis.ai/models/comparisons/claude-opus...
Recent discussion on DSpark: https://news.ycombinator.com/item?id=48696585
Me, personally, I didn’t build it from scratch but I ported original CC from published sources into Python and extended it to match my own requirements.
Harnesses are/can be incredibly simple things, not much more than a HTTP client that renders things in a way that suites your taste.
You have to pay API pricing, which is far more costly.
I'd either switch to GLM wholesale or just continue to use Opus within Claude Code as the blessed, subsidized path.
I'm not sure how that's possible. I expected to get increased correctness for that order of magnitude (something something test-time compute!) but I am not getting it.
The pricing of Opus outside of Claude Code is insane.
The tokens cost too much outside of Anthropic's blessed path.
http://minimal-agent.com/
And if you add one additional while loop, for user input, you can actually use it! :)
https://gist.github.com/a-n-d-a-i/5461a662ef8a7ee0a5eb7778c8...
https://m.youtube.com/watch?v=_AgKuFGvJfI
And the repo:
https://github.com/abtinf/homunctor
I found this one easy to understand:
https://ampcode.com/notes/how-to-build-an-agent
I used ADK, Dagger, and a VS Code extension for mine. Currently using opencode though.
They used to be a decently credible company with not-too-shady behaviour...
I hope they can actually regain some credibility…
I think it’s fair to say most had decent respectability.
Anthropic hired heavily from that pool so it’s astonishing how it turned out.
It also doesn't seem very consistent to fixate on that while sending Anthropic everything about you via your day to day prompts, every line of the projects and environments you're working on at work, etc.
Their credibility comes from having one of the best models.
…And then Windows 11 became even worse.
It has some good effects on the their models, like Claude seeking cooperation first. But the people behind the company have a typical "unconstrained" (in the Sowell vision sense) perspective that assumes that they know better, so they are righteous for attempting to control things (users, paying customers, their model outputs, their tool chain, the supposed deity they assume they will produce... etc.)
But I hadn’t thought that as anything more than temporary flights of fancy.
Altman world: malfeasant nihilist with God complex
The cheap tokens are the product.
I would guess that's their first line of defense; they should have more techniques to identify distillation because that's a very simple way of detecting the host and can be easily spoofed.
i.e. this will allow them to literally commit fraud against paying customers
> This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust.
They already tell you they scan for malicious prompts, and they have no ZDR guarantees for consumers. Why do signatures like this matter at all?
I understand how this can be useful to Anthropic if the 3rd-party is acting as a proxy (because they end up hitting the Claude API with the marked prompt), but it looks like requests where "hostname contains deepseek" would never be sending data to Anthropic. What am I missing?
https://www.chinatalk.media/p/how-to-buy-cheap-claude-tokens...
I guess the only explanation is that there's a side-telemetry channel that still sends some data to Anthropic, regardless of ANTHROPIC_BASE_URL overrides.
This does not make sense. You wouldn't send such a prompt to the Claude model. And when you're sending the prompt (anywhere) you don't have the response yet. This is not how distillation works.
That said, these fraudulent proxies are helping Chinese labs keep up, which might be to my advantage long term in eventually having a high quality private AI I fully control on my own hardware. That's not support, but I do recognize the incentive, for whatever that's worth.
Here the system is "insecure" by design (literally they're trying to get the whole world to sign up for Claude Code for $200/month!) and they're trying to plug the hole that results from a "Except for Chinese Scrapers!" add-on requirement. That might be possible as an arms race kind of thing. But it's very unlikely to work by (as in the linked article) doing stuff like checking the system time zone.
Cool reverse engineering/analysis report but if this is the extent of nefarious activity that came of it (trying to catch/mitigate chinese lab model distillations), that's kind of encouraging.
(This field is known as "underhanded code", coined by the Underhanded C contest: https://www.underhanded-c.org. It's a little-known "art"; little-known for probably self-explanatory reasons. There are much cleverer ways of achieving objectives like this. One obviously being you can move more out of the client and into the server, but the other being you can write plausibly deniable client code in a much more benign-seeming way than this. Some of what they added can only be done on the client, but I think some could've been moved, and the client-required parts could've been done more subtly and credibly.)
It's possible they knew the JS bundle gets so heavily scrutinized that it'd eventually get spotted and reported on regardless so they didn't bother doing something more subtle and duplicitous. But still seems slightly lazy.
¹ https://github.com/hodgesmr/calgacus-mlx
‘’’ cn baidu.com alibaba-inc.com alipay.com antgroup-inc.cn bytedance.net kuaishou.com xiaohongshu.com jd.com bilibili.co iflytek.com stepfun-inc.com moonshot.ai anyrouter.top claude-code-hub.app claude-opus.top openclaude.me proxyai.com yunwu.ai zenmux.ai
‘’’
You can view the full list here: https://cdn.thereallo.dev/blog/assets/cc-domains.js
const knownDomains = [ "cn", "sankuai.com", "netease.com", "163.com", "baidu-int.com", "baidu.com", "alibaba-inc.com", "alipay.com", "antgroup-inc.cn", "kuaishou.com", "bytedance.net", "xiaohongshu.com", "ctripcorp.com", "jd.com", "jdcloud.com", "bilibili.co", "iflytek.com", "stepfun-inc.com", "aliyuncs.com", "cn-shanghai.fcapp.run", "cn-beijing.fcapp.run", "xaminim.com", "moonshot.ai", "anyrouter.top", "packyapi.com", "aicodemirror.com", "aigocode.com", "hongshan.com", "iwhalecloud.com", "dhcoder.net", "lemongpt.top", "zhihuiapi.top", "intsig.net", "high-five-ai.xyz", "cloudsway.net", "4sapi.com", "529961.com", "88996.cloud", "88code.ai", "88code.org", "91code.pro", "992236.xyz", "ai.codeqaq.com", "ai.hybgzs.com", "ai.kjvhh.com", "aicanapi.com", "aicoding.sh", "aifast.site", "aihubmix.com", "anmory.com", "api.5202030.xyz", "api.ablai.top", "api.bianxie.ai", "api.bltcy.ai", "api.cpass.cc", "api.dev88.tech", "api.dreamger.com", "api.expansion.chat", "api.gueai.com", "api.holdai.top", "api.ikuncode.cc", "api.lconai.com", "api.linkapi.org", "api.mkeai.com", "api.nekoapi.com", "api.oaipro.com", "api.ruyun.fun", "api.ssopen.top", "api.tu-zi.com", "api.uglycat.cc", "api.v3.cm", "api.whatai.cc", "api.wpgzs.top", "api.xty.app", "api.yuegle.com", "api.zzyu.me", "apimart.ai", "apipro.maynor1024.live", "apiyi.com", "applyj.hiapi.top", "augmunt.com", "b4u.qzz.io", "clauddy.com", "claude-code-hub.app", "claude-opus.top", "claudeide.net", "co.yes.vg", "code.wenwen-ai.com", "code.x-aio.com", "codeilab.com", "cubence.com", "deeprouter.top", "dimaray.com", "dmxapi.com", "docs.aigc2d.com", "duckcoding.com", "fk.hshwk.org", "flapcode.com", "foxcode.hshwk.org", "foxcode.rjj.cc", "fuli.hxi.me", "getgoapi.com", "gpt.zhizengzeng.com", "gptgod.cloud", "gptkey.eu.org", "gptpay.store", "hdgsb.com", "henapi.top", "instcopilot-api.com", "jeniya.top", "jiekou.ai", "kg-api.cloud", "n1n.ai", "new-api.u4vr.com", "new.xychatai.com", "one-api.bltcy.top", "one.ocoolai.com", "oneapi.paintbot.top", "open.xiaojingai.com", "openclaude.me", "opus.gptuu.com", "poloai.top", "poloapi.top", "privnode.com", "proxyai.com", "qinzhiai.com", "right.codes", "runanytime.hxi.me", "sssaicode.com", "store.zzyus.top", "tiantianai.pro", "uiuiapi.com", "uniapi.ai", "vip.undyingapi.com", "wolfai.top", "wzw.de5.net", "wzw.pp.ua", "xairouter.com", "xaixapi.com", "xiaohuapi.site", "xiaohumini.site", "xy.poloapi.com", "yansd666.com", "yansd666.top", "yunwu.ai", "yunwu.zeabur.app", "zenmux.ai", ];
const labKeywords = [ "deepseek", "moonshot", "minimax", "xaminim", "zhipu", "bigmodel", "baichuan", "stepfun", "01ai", "dashscope", "volces", ]
In addition, many Chinese companies are trying to give their programmers access to Anthropic models even though they're legally prohibited from doing so. And that might involve employees using unmodified Claude Code with an ANTHROPIC_BASE_URL pointing to a proxy on the company intranet. In Alibaba's case, I've been told by an employee that they went the extra mile of setting up a hermetic cloud environment where employees could indirectly use Claude Code without ever having it touch their work computers.
If enough Westerners start using the service someone will make a website more anglo-friendly.
Anthropic could have implemented this not as a durable detection system against proxying resellers, but instead as a point-in-time sampling system to detect where (and with what context) proxying reselling is currently happening. Sure, it would be detected eventually, but in the meantime Anthropic could gain useful snapshot data.
It's unlikely that this will stop a big AI lab from distilling their model if they're really determined, but A) it may be enough to stop a bunch of fly-by-night token resellers looking to make a quick buck and B) you never know when one person at one of those big labs will mess up and forget to install whatever workaround they have and out themselves.
I think of it like if you have a problem with birds in your yard so you go buy one of those plastic owls. The owl scares away most of the birds, but not all of them, so you go and buy some ultrasonic noise thing to scare them away (I'm just making something up). Just because you bought the new ultrasonic thing though, that doesn't mean you're going to take the owl down. You leave it up because now you've got two layers of defense instead of one.
wouldn't this happen due to the massive amounts of spam/slop being released?
It's all a losing battle anyway.
As a side note, I have a pet theory that one of the reasons that OpenAI and Anthropic are okay with the latest models not being released is to prevent distillation.
I think they want to wait a couple months and see if the Chinese models continue to keep catching up or if their gains are really just because they're distilling the frontier models.
Oh, of course. I am sure this is the tip of an iceberg of tons of server-side detections and analytics. But, still, the client-side portion could've been done more cleverly.
What I meant was "some of the specific things in this little client-only snippet could've stayed server-only". I am sure long before they added this they already had tons of other mostly-server-side detection coverage.
https://news.ycombinator.com/item?id=48259288
https://github.com/anthropics/claude-code/issues/62061
Looks like they just keep finding new "creative" uses for such things, as expected. I'll keep patching them out.
Anthropic pushes fear and control. But the only way to win is by innovating. China is flooding the market with cheap, good enough models, while the U.S. is building a Chinese firewall.
All Anthropic has done is reduce trust, once again, with legitimate customers, while doing nothing to stop illegitimate customers. They need to get adults into key leadership roles, quickly.
Consider also that Claude Code is explicitly designed to limit human agency [1].
[1] https://neuromatch.social/@jonny/11635101584259395
You're actually trust your security to your harness AND model AND inference API provider in this scenario: https://jacob.gold/posts/why-i-wont-run-untrusted-models/
Not really distillation, just synthetic training data.
Claude Code has more or less full access to the client computer. The server (that hosts the actual AI) can just go: execute this payload and tell me the result - otherwise I won't answer any further questions or re-route you to a stupider model.
The payload could check for Chinese time-zones, scan for copies of the little red book on the local hard-drive, or ping truth.social to see it was behind the great firewall.
It shouldn't, not if you run CC as a separate unprivileged user. I wouldn't run CC on my main user account with sudo and access to my home directory or other resources. This is what the UNIX permissions system was designed for.
I'm authenticated to Claude, so they already have the whole attribution thing solved.
There seem to be all sorts of continual under-the-cover changes like this one that make life harder. It feels like the entire product has been taken over by overly ambitious PMs that care more about making their mark than in improving the experience, and all of their marks have made me less productive.
I've been using Pi with GLM5.2 the past few days, and though it's expensive, I find it far more productive and less annoying. The remote session plugin is far more reliable, I don't need to intuit some undocumented usage pattern to figure out how to use it well, and it just works.
are you using the API for glm 5.2 or how exactly is it more expensive? How is GLM5.2 more expensive than using Claude code, that doesn't line up to my experience but to be fair I am on an older yearly subscription which generously only has 5 hour limits.
To be fair though one minor criticism of GLM 5.2 that I have is that it does seem to overthink quite a lot sometimes but the results end up being (good?),
I personally have used Glm 5.2 with (Opencode + obra/superpowers) / Oh-my-pi / Maki.sh
I like the 1st one when I am doing a longer project, the 2nd or 3rd one when I am doing a project which doesn't want me to ask too many questions and simply spin me up something. I sometimes use free online interfaces of claude and gemini and others like AIstudio for that as well which surprisingly can lead you to go far as well.
Overall, I am decently happy with the state of Open-source models actually and the eco-system around it is probably gonna have even more innovation surrounding it.
And no, IMO stenography isn't security by obscurity, in the same that using RSA and keeping the private key private isn't security by obscurity - keeping the private thing private is part of the security model.
Or maybe you don't understand this hypothetical situation either, but I'm suspecting you just don't care about other people's privacy.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
Even good goals do not excuse malicious or reckless execution. The ends do not always justify the means.
Whether or not it harmed you this time, it's a violation of trust and autonomy.
Surely you'd be angry if someone secretly installed a rootkit onto your computer, even if--at least for now--it only had code to try to detect and snitch on Public Enemy #1.
This seems to be a VERY low resolution, functionally anonymous, bit of info, probably related to protecting their IP from bad actors breaking the TOS.
This looks like it's covered in the second bullet point of the "Personal data we automatically receive", that you consented to:
> Usage Information: We collect information about your use of the Services, such as the dates and times of access, browsing history, search, information about the links you click and about third-party applications, services, and content you integrate or interact with, pages you view, and other information about how you use the Services, and technology on the devices you use to access the Services.
What do you see as malicious or reckless here, exactly?
[1] https://www.anthropic.com/privacy
Anthopic choosing to delay their models' invevitable distillation by competitors is their prerogative.
That they choose to implement it by fingerprinting my access patterns without first disclosing is where they shit the bed. It isn't "sneaky" it's straight up sneaky (and dishonest and unscrupulous while we're at it). That this particular instance is harmless doesn't give me much comfort. Who's to say they aren't harvesting PII?
That their actions make sense for their business isn't any reason for people to accept their deceitful, customer-hostile decisions.
This seems like a very naive response. If clients send explicit telemetry fields to the gateway, a malicious gateway can trivially strip or modify the field to conform to what normal traffic looks like. The steganography cat-and-mouse game is valuable because it is much harder for a gateway to continuously reverse engineer all the fingerprinting mechanisms used. Sure, some malicious gateways will be able to stay on top of things, but not all - and not always.
pi's "minimal" coding-agent has a total of 132 transitive dependencies spanning 153 maintainers.
While I understand JS developers in the JS/NPM ecosystem think this qualifies as minimal, it most certainly does not, from a supply chain security perspective.
That the provider's business needs necessitate the this behaviour doesn't justify their lack of honest disclosure. That honest disclosure would render the solution to their problem useless isn't my problem. If anything, that they thought this was acceptable makes me wonder what else they're harvesting from my machine? PII?
The cynic in me can't help but feel that the state of these comments reflects less on the commentor's views of this debacle but rather their feelings about AI/Anthropic/America/what-have-you.
So any covert bullshittery hits hard.
>on your local machine
I'd think any developer worth their salt has at least some for of isolation going.