Claude Code Hid Invisible Watermarks in Every Prompt for 3 Months — Structured No-Code Just Became the Trust Play
A developer reverse-engineered Claude Code and found steganographic identifiers hidden in every system prompt since April. The mechanism ran for 90 releases across three months without disclosure. For no-code builders, the finding validates a core argument: when there's no generated code, there's nothing to watermark.

On Monday, a developer who goes by Thereallo published something that made 2,400 Hacker News readers sit up. They had reverse-engineered the Claude Code binary and found a hidden surveillance mechanism that had been running since April. It wasn't sending telemetry. It wasn't logging your keystrokes. It was doing something quieter and stranger: rewriting the apostrophe in a single sentence, "Today's date is...", to encode secret signals about who you are and where your requests are going. One Unicode character, swapped for another. Invisible to you. Machine-readable to Anthropic.
What Was Actually in the Code
Here's the mechanism. Claude Code checks whether you've set a custom API endpoint, the ANTHROPIC_BASE_URL environment variable. If you're routing through a proxy, a corporate gateway, or any service that isn't api.anthropic.com, the client quietly classifies you.
It reads your system timezone. It compares your proxy hostname against two hidden lists: 147 domains (Chinese tech companies, cloud regions, reseller services) and 11 AI-lab keywords (deepseek, moonshot, zhipu, and others). Both lists were stored XOR-encoded with key 91 and base64-wrapped. The kind of obfuscation you'd expect from malware, not a developer tool.
Then it embeds the result in the system prompt. The "Today's date is..." line gets subtly rewritten. If your timezone is Asia/Shanghai or Asia/Urumqi, the date separator flips from dashes to slashes. The apostrophe in "Today's" becomes one of four visually identical Unicode characters, encoding whether your host matched a known domain, an AI-lab keyword, both, or neither.
That's a three-bit covert channel. No separate telemetry field. No HTTP header. Just invisible punctuation riding inside every system prompt, detectable only if you know to look for it.
This code was present from version 2.1.91 (April 2, 2026) through 2.1.196. Roughly 90 releases across three months. Nobody was told.
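The list encoding described above (XOR with key 91, then base64) is simple to reverse when triaging a binary you run. The sketch below is an added example, not code from Claude Code or from the original write-up; the sample list entries, the blob layout and the "plausible text" filter are constructed assumptions.

```python
import base64
import re

XOR_KEY = 91  # single-byte key stated in the article
# Runs of base64 alphabet long enough to be worth decoding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{16,}={0,2}")
# Assumed shape of a decoded list: lowercase hostnames/keywords and separators.
PLAUSIBLE = re.compile(r"[a-z0-9._,\n-]+")
# Constructed sample entries, not values from the real binary.
CONSTRUCTED_LIST = "example-proxy.test,reseller.example,labname"


def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)


def build_constructed_blob() -> bytes:
    """Fake 'binary': one XOR-then-base64 list among unrelated bytes."""
    hidden = base64.b64encode(xor_bytes(CONSTRUCTED_LIST.encode("ascii")))
    decoy = base64.b64encode(b"ABCDEFGHIJKLMNOP")  # plain base64, no XOR layer
    return b"\x00\x01Today's date is \x00" + hidden + b"\x00" + decoy + b"\x00"


def find_hidden_lists(blob: bytes) -> list[str]:
    """Decode every base64 run, strip the XOR layer, keep plausible text."""
    found = []
    for match in B64_RUN.finditer(blob):
        try:
            raw = base64.b64decode(match.group(0), validate=True)
            text = xor_bytes(raw).decode("ascii")
        except ValueError:  # bad base64 or non-ASCII result
            continue
        if PLAUSIBLE.fullmatch(text):
            found.append(text)
    return found


if __name__ == "__main__":
    for item in find_hidden_lists(build_constructed_blob()):
        print(item.split(","))
```

The decoy string is ordinary base64 with no XOR layer, so it decodes to control characters and is filtered out; only the XOR-wrapped list survives.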
Every Vibe-Coded App Now Has a Provenance Problem
This isn't just an Anthropic story. It's a wake-up call for anyone shipping AI-generated code.
If Claude Code can silently embed fingerprint data in system prompts, what stops other tools from doing the same, or worse? Every app built with Cursor, Bolt, Lovable, Replit Agent, or any Claude-powered coding tool may carry invisible markers you never consented to. You didn't write them. You can't see them. You can't audit them.
For agencies shipping client work, this is a liability. Picture telling a healthcare client that their appointment-booking app contains hidden identifiers injected by your AI coding tool. Identifiers that could theoretically encode routing data, geographic signals, or usage patterns. Good luck with that compliance review.
For builders targeting enterprise, the problem compounds. Procurement teams are already nervous about AI-generated code. I wrote about this in May when Red Access found over 5,000 vibe-coded apps leaking API keys and personal data through missing authentication. Now we have a second, stranger category of risk: code that isn't just insecure, but intentionally carrying hidden payloads.
And for anyone who values code sovereignty (the basic idea that you should know what your software does), this is a betrayal. You gave Claude Code filesystem access, shell access, the ability to read your repos. In return, it ran a covert classification system on you for three months.
Anthropic's Response: "We've Been Meaning to Take This Down"
Anthropic's response landed on July 1, a day after the HN explosion. Thariq Shihipar, an engineer on the Claude Code team, posted on X that this was "an experiment we launched in March" aimed at preventing account abuse and model distillation. He said the team had since built "stronger mitigations" and had been "meaning to take this down for a while."
The PR was merged. Version 2.1.197 shipped the next day. The changelog made no mention of it.
That last detail matters. If you're removing something you believed was a legitimate anti-abuse measure, you explain it. You say, "We added hidden markers to detect distillation; we've replaced them with server-side detection; here's what we learned." You don't scrub it silently and hope nobody notices. The silence suggests embarrassment, not conviction.
And the three-month timeline is hard to square with the "oops, forgot to remove" framing. This was maintained through 90 releases. At some point, "experiment" stops being a credible label.
Where Watermarks Can't Hide
Here's where I think this story lands for no-code builders. And it's not where most people expect.
When you build on Bubble, Webflow, or Stacker, there is no generated code to watermark. These platforms don't produce text files that get compiled and shipped. They render applications deterministically from visual configuration. The "code" that runs is the platform itself. You configure behaviour; the platform executes it.
That means there is no system prompt to alter. No invisible Unicode to hide in a date string. No generated file where a vendor can slip something past you. What you see in the builder is what ships to your users. Visual verification isn't a nice-to-have. It's the trust layer that vibe coding can't offer.
I'm not saying structured no-code is immune to every trust problem. Platforms have their own dependencies, their own update cycles, their own opacity. But the attack surface for covert watermarking simply doesn't exist in the same form. When your "code" is a configuration layer on top of a deterministic renderer, there's no text stream to inject into.
This isn't theoretical anymore. The Claude Code discovery makes it concrete. You now have to ask, of every AI-generated line you ship: what's hiding in here that I can't see?
What to Do Right Now
If you've been shipping AI-generated code, three things.
First, audit. Any app built with Claude Code since April 2 may have carried these markers. The markers are in the system prompts sent to Anthropic, not in your actual source files, but the classification logic ran on your machine, against your environment. You need to know what it collected.
Second, consider detection tools. Whitespace and Unicode steganography are not new problems. There are scanners that can flag invisible characters in text streams. Running one against your AI-generated codebase periodically is now sensible hygiene.
Third, for new projects, weigh the hidden cost. Every AI coding tool you adopt is a trust decision. Does it need filesystem access? Does it inject anything into your prompts? Has its binary been independently audited? If you can't answer those questions, you're shipping on faith. Faith didn't work out here.
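For the second recommendation, a scanner of this kind can be small. The following is an added example, not a tool named by the article: it flags apostrophe look-alikes, invisible format characters and a non-dash separator in a "Today's date is" line. The look-alike set and the YYYY-MM-DD date shape are assumptions, since the article does not list the exact characters or format.

```python
import re
import unicodedata

# Apostrophe look-alikes to flag. The article does not name the four
# characters that were used, so this candidate set is an assumption.
APOSTROPHE_LIKE = {0x2018, 0x2019, 0x02B9, 0x02BC, 0x2032, 0x055A, 0xFF07}
# Assumed date-line shape: "Today?s date is YYYY<sep>MM<sep>DD".
DATE_LINE = re.compile(r"Today.s date is\s+\d{4}([-/.])\d{1,2}\1\d{1,2}")

# Constructed sample text, not a captured prompt.
SAMPLE = (
    "Today's date is 2026-05-01\n"
    "Today\u02bcs date is 2026/05/01\n"
    "api_key = load()\u200b\n"
)


def finding(line, col, ch, kind):
    return {"line": line, "col": col, "kind": kind,
            "codepoint": f"U+{ord(ch):04X}",
            "name": unicodedata.name(ch, "UNKNOWN")}


def scan_text(text: str) -> list[dict]:
    """Flag apostrophe look-alikes, invisible format characters (category Cf),
    and date lines whose separator is not the usual dash."""
    results = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for col, ch in enumerate(line, 1):
            if ord(ch) in APOSTROPHE_LIKE:
                results.append(finding(lineno, col, ch, "apostrophe-lookalike"))
            elif unicodedata.category(ch) == "Cf":
                results.append(finding(lineno, col, ch, "invisible-format-char"))
        m = DATE_LINE.search(line)
        if m and m.group(1) != "-":
            results.append(finding(lineno, m.start(1) + 1, m.group(1),
                                   "date-separator"))
    return results


if __name__ == "__main__":
    for f in scan_text(SAMPLE):
        print(f)
```

Typographic quotes in ordinary prose will also be flagged, so treat hits as leads to review rather than proof of a marker.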
The Takeaway
The Claude Code steganography story isn't really about Anthropic. It's about the bargain you make every time you let someone else's code run on your machine.
AI coding tools are fast, capable, sometimes brilliant. But they're also opaque. You can't read every line they generate. You can't audit every binary update. And as this week proved, you can't assume good faith.
Structured no-code offers a different bargain. Not "trust us, the code is clean." But rather: there is no code. Nothing to watermark. Nothing to hide in. You configure, the platform renders, and what you see is what you get.
That used to sound like a constraint. This week, it sounds like a feature.