Anthropic removes Claude Code ANTHROPIC_BASE_URL prompt marking after proxy reports
After reports that Claude Code was inserting hidden prompt marks when routed through custom ANTHROPIC_BASE_URL gateways, an Anthropic engineer said the experiment was real and is being rolled back. The issue matters for teams proxying Claude Code through gateways because prompt mutation on custom routes creates trust and debugging problems even if the effect was narrow.

TL;DR
- Anthropic confirmed the Claude Code prompt-marking report was real, with engineer trq212's rollback reply describing it as a March experiment aimed at abuse from unauthorized resellers and distillation.
- The reported behavior only applied when users overrode
ANTHROPIC_BASE_URL, not to ordinary direct Anthropic use, according to rohanpaul_ai's verification summary. - The marker appears to have ridden on tiny prompt mutations, including date separators and apostrophe variants, as shown in the steganographic-marking analysis screenshot and summarized by rohanpaul_ai's thread.
- Claude Code 2.1.196 already shipped adjacent security changes, with ClaudeCodeLog's changelog post noting that remote control is disabled on non-Anthropic hosts and repo-local MCP servers no longer auto-start.
You can read Anthropic's reply saying the PR was already merged for rollback, skim the reverse-engineering screenshots showing the date and punctuation changes, and check the 2.1.196 changelog for the nearby security hardening that landed in the same release window.
Prompt markers
The core claim was not hidden data exfiltration. It was hidden prompt mutation on custom routes.
According to rohanpaul_ai's verification summary, the effect was narrow: Claude Code allegedly added the mark only after someone pointed ANTHROPIC_BASE_URL away from Anthropic's official server. That same summary says the trust problem remained because users would not clearly see or approve the label.
The attached analysis in the reverse-engineering screenshots breaks the mechanism into a few tiny text changes:
- the date string could flip from
2026-06-30to2026/06/30 - the apostrophe in
Today'scould swap to visually similar Unicode variants - the trigger path allegedly checked timezone, hostname matches against a decoded domain list, and AI-lab-related keywords
That is a grubby little trick for a coding agent, because prompt diffs become harder to audit when the mutation is visually invisible in normal terminal fonts.
Anthropic's rollback
Anthropic did not deny the experiment. Engineer trq212's rollback reply said it launched in March, was meant to prevent account abuse from unauthorized resellers and protect against distillation, and would be fully rolled back in the next release.
That lines up with the broader context in rohanpaul_ai's White House context post, which points to a White House memo describing industrial-scale proxy-account campaigns used to distill frontier models. The anti-abuse rationale is easy to follow. The part that triggered backlash was the silent mutation, not the existence of abuse controls.
A second useful boundary came from rohanpaul_ai's verification summary, which says direct users were not marked just for being in a China timezone. The issue sat on the custom gateway path, which matters mostly for teams routing Claude Code through proxies, gateways, or reseller infrastructure.
Release 2.1.196
The same release window included other changes around trust boundaries for non-default environments.
In ClaudeCodeLog's full changelog, the 2.1.196 notes say:
claude mcp list/getno longer spawns repo-local.mcp.jsonservers just because a repo self-approved them through committed settings- untrusted workspaces now show
Pending approval - Remote Control is disabled when
ANTHROPIC_BASE_URLpoints at a non-Anthropic host - the streaming idle watchdog is now on by default across providers
/code-reviewmerged five cleanup finders into one, cutting token usage by roughly 25%
The addendum in ClaudeCodeLog's additional updates also shows prompt files rising by four and prompt tokens rising 6,963, or 28.3 percent, between 2.1.195 and 2.1.196. That does not prove anything about the removed marker by itself, but it does show how much behavior in a coding agent lives in prompt and harness glue rather than in model weights alone.