Today, Anthropic had a "double celebration."
On one hand, it released Claude Sonnet 5, "the most Agent-like model to date," with performance close to Opus 4.8.
On the other hand, it announced that the U.S. Department of Commerce has lifted export controls on its Claude Fable 5 and Mythos 5. Anthropic will restore access starting tomorrow and will soon share the latest updates.

According to an agreement signed by U.S. Secretary of Commerce Howard Lutnick, since the issuance of related letters on June 12 and June 26, Anthropic has worked closely with the U.S. government to take measures addressing the risks associated with Claude Mythos 5 and Claude Fable 5.
Anthropic has committed to proactively identifying and addressing security risks that may arise from these models; closely collaborating with the U.S. government on agreements, standards, and release arrangements for Mythos, Fable, and future models; and notifying the U.S. government upon detecting malicious activity.
Based on the actions taken and commitments made by Anthropic, as well as the U.S. Department of Commerce's Bureau of Industry and Security's assessment of the current transfer risks associated with Claude Mythos 5 and Claude Fable 5, the U.S. Department of Commerce has decided to withdraw the control measures outlined in the June 12 letter.
This means that exports, re-exports, domestic transfers, including deemed exports and deemed re-exports, of Claude Mythos 5 and Claude Fable 5 will no longer require a license.
However, the U.S. Department of Commerce reserves the right to reevaluate this decision. If circumstances change, or if Anthropic fails to fulfill its commitments, the Department may reinstate license requirements.

However, for Chinese users, there is little cause for immediate celebration.
On the very same day, the developer community was heatedly discussing another topic: some have discovered that Claude Code collects local proxy and time zone information without user knowledge and embeds this information into the prompts sent to the cloud using "Steganography."
Claude Code Exposed for Using Invisible Code to Tag Chinese Users
Recently, it was exposed that Anthropic secretly embedded a piece of code within Claude Code.
This code automatically detects whether the user is using China's time zone, current network proxy settings, and whether they are connected to environments related to certain Chinese AI labs.
It then embeds this information into the system prompts sent to the AI using steganography.
Chinese users are completely unaware, but Anthropic can use these invisible fingerprints for identification.
A developer first raised questions on Reddit, later publishing a verification report on GitHub claiming to have examined versions 2.1.193, 2.1.195, and 2.1.196 of Claude Code's code, confirming the existence of a hidden mechanism. This mechanism was characterized as a concealed information channel within the system prompt.
Detection Logic
According to the report, Claude Code detects the environment variable ANTHROPIC_BASE_URL. This variable is typically activated when users direct Claude Code to a custom API proxy rather than the official endpoint api.anthropic.com. When a non-official route is detected, the program extracts the proxy domain and reads the user's system time zone, specifically checking if it is Asia/Shanghai or Asia/Urumqi.

Analysis using GLM5.2
The report states that this domain is compared against a decoded list containing 147 entries. The list includes domains of Chinese tech companies and AI labs such as Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax, Stepfun, as well as numerous addresses for Claude resale or API mirror services.
Information Transmission Method
The core of the controversy lies in the path of information transmission.
The report points out that Claude Code does not set up separate telemetry fields to report data. The carrier of the abnormal information is the most inconspicuous phrase in the system prompt: "Today's date is...".
When the system time zone is identified as a Chinese time zone, the date separator changes from a hyphen to a forward slash, for example, 2026-06-30 appears as 2026/06/30. The apostrophe in "Today's date" simultaneously alternates between Unicode characters such as ', ', ʼ, ʹ, which look similar, to mark whether the current request matches entries in the domain list, AI lab keywords, or both. These symbols are difficult to distinguish with the naked eye in regular interfaces.
For ordinary users, the symbols ', ', ʼ, ʹ are almost indistinguishable by eye, which is how this mechanism remained hidden for so long. If the analysis is accurate, every qualifying request carries such an inconspicuous marker upstream.
Controversial Points
Telemetry data collection is common in the software industry. AI companies often have strong motivations to identify user behavior to prevent misuse, curb resale, mitigate sanction risks, and prevent model distillation. From this perspective, it's understandable that Anthropic wants to curb the unauthorized resale of Claude access in the Chinese market.
The controversy lies in the implementation method, not the purpose itself.
For publicly disclosed telemetry mechanisms, developers have full rights to information and choice—they can consult documentation, block specific endpoints, or decide whether to accept certain data collection. However, hiding marker information in the subtle character differences of prompts, which is almost impossible to detect, changes the foundational premise of trust between the user and the tool. For a coding assistant, once such a boundary is crossed, the cost is significant.
Permission Context
Claude Code has a built-in permission system covering operations like file reading, Bash command execution, and file editing. Read-only operations do not require user approval, while operations involving command execution and file modification require permission confirmation.
Anthropic has previously publicly discussed the potential "approval fatigue" issue with Claude Code, acknowledging that most users habitually approve permission requests, and completely disabling permission approval mechanisms is unsafe in most scenarios.
The company's own engineering blog has documented real cases of "agentic misbehavior," including accidental deletion of remote git branches, unintended upload of GitHub tokens, and even attempts to execute migration operations on production databases.
A coding agent operates within a code repository, accessing source code, file structures, project details, and even inadvertently exposed user key information, and is granted permissions to execute commands and modify files. For such a tool, trust is its very foundation.
If the client-side secretly encodes routing metadata into prompts, users naturally have reason to ask: What other information is being recorded in similar ways? Are there other undisclosed detection logics on the client-side? Have any of these behaviors been documented anywhere?
After the exposure, Anthropic technical team member @trq212 responded to the reasons for the code implementation, stating that this code would be removed in a new version released the following day.

Reference Links:
https://news.ycombinator.com/item?id=48734373
https://thereallo.dev/blog/claude-code-prompt-steganography
https://x.com/IntCyberDigest/status/2071971609183678544?s=20
https://www.internationalcyberdigest.com/claude-code-accused-of-hiding-china-proxy-fingerprints-inside-system-prompts/
This article is from the WeChat public account "Machine Heart" (ID: almosthuman2014), author: Focus on AI






