Calls the original post 'a bit hysterical' and argues the intent behind the markers is 'excruciatingly clear' — identifying usage by Chinese firms that may be re-hosting Claude to distill its outputs into their own models. Frames the steganography as a reasonable defensive measure, not a privacy scandal.
The author frames the finding as steganography discovered while inspecting Claude Code 'for privacy reasons.' The core concern is that Anthropic's shipped tooling silently rewrites outgoing prompts based on client-side signals without disclosing this to the user running the CLI on their own machine.
Pushes back on the anti-distillation framing by arguing the real story is 'a service provider being less than transparent about exactly what their shipped tooling does on customer's machines.' The identity of the target doesn't excuse hiding the behavior from every user whose machine executes the modified prompt.
Takes a value-neutral, professional-craft view: not outraged about the practice itself, but 'surprised at how sloppily they did this.' Argues Anthropic could have achieved the same tripwire effect with markers far less detectable than swapping 'Ultra' for 'Ular' and 'remember' for 'consider.'
On July 1, a developer publishing as thereallo.dev posted a walkthrough of Claude Code's runtime behavior that hit 2,088 points on Hacker News in a single day. The finding: Anthropic's CLI silently rewrites its own system prompt based on two client-side signals — the configured `ANTHROPIC_BASE_URL` and the machine's timezone.
The mechanism is small and deliberate. When the base URL points somewhere other than `api.anthropic.com`, or when the timezone resolves to a region Anthropic treats as suspicious, Claude Code swaps specific tokens in the outgoing system prompt. The most legible tell is the string `Ular` where the untouched prompt says `Ultra`, and the word `consider` where the clean version says `remember`. These aren't typos and they aren't A/B test variants — they're a canary designed to survive being copied verbatim into training data.
The author's read is straightforward: this is steganography. The markers exist so that if a downstream model starts emitting `Ular` or the swapped phrasing under adversarial probing, Anthropic can point at the artifact and say _that came from us_. It is a distillation tripwire, aimed squarely at labs re-hosting Claude behind a proxy to harvest completions.
The HN thread split along a predictable seam. One camp, represented by `mrshadowgoose`, called the post "a bit hysterical" and argued the intent is "excruciatingly clear (identifying usage by Chinese firms that may be conducting model distillation)." The counter-camp, led by `civet_java`, pushed back on the framing itself: "a service provider being less than transparent about exactly what their shipped tooling does on customer's machines" is the actual story, regardless of who the marker is aimed at. `meowface` took the third path — value-neutral but professionally unimpressed: "I am a bit surprised at how sloppily they did this. I think they could've achieved the same effect while decreasing the odds of detection." The Underhanded C Contest gets name-checked. It is not a compliment.
The technical problem with client-side steganography is that it collapses the distinction between "the model Anthropic runs" and "the binary Anthropic ships to your laptop." The Claude API you hit from your own code is one product. Claude Code, running with filesystem access on a developer's machine, is a different product with a different threat model. When that binary quietly branches on environment variables you set, the contract shifts. You are no longer paying for a tool; you are hosting a probe.
The distillation-defense argument is not weightless. Anthropic has real evidence that Chinese frontier labs train on Western model outputs — DeepSeek's V3 paper effectively conceded as much, and every serious lab now assumes their completions get scraped through proxies. A canary that survives fine-tuning is a legitimate defensive tool. The trouble is that the same mechanism can, in principle, be used to fingerprint _anyone_ who routes through a non-default base URL: corporate proxies, Cloudflare AI Gateway users, `litellm` setups, air-gapped enterprise deployments, or a developer testing against a local mock server. If the branching logic is opaque, the set of people getting a modified prompt is defined by Anthropic, not by the customer, and it can change without notice.
There is also a benchmarking wrinkle nobody has raised loudly enough. If the system prompt materially differs based on where you route from, then evals run against Claude Code through a proxy — the standard setup for enterprise red-teamers and independent benchmark shops — are not measuring the same product that the average Cursor user gets. Every leaderboard that treats "Claude Code" as a single SKU is now measuring a distribution, not a point.
If you use Claude Code through a proxy — LiteLLM, a corporate egress gateway, Cloudflare's AI Gateway, or your own routing layer — assume your outgoing prompts contain markers you did not author. This is not a leak of secrets, but it is a leak of _routing_. Anyone who later gets access to the prompt (a logging sink, a fine-tuning dataset, a leaked eval trace) can tell you were the source.
If you are building anything that ingests Claude Code output at scale — synthetic data pipelines, agent training runs, RAG corpora — you now need to strip these markers explicitly, because they are stable enough to survive tokenization and pretty-printing. The `Ular`/`consider` pair is the observed signal; assume there are more that haven't been reverse-engineered yet. A dumb regex pass over your ingestion pipeline is cheap insurance.
For teams evaluating Claude Code against Cursor, Cline, Aider, or Codex CLI: the practical answer is unchanged — Claude Code is still the strongest tool-use agent in the category — but the trust surface just grew. If your compliance team already flags telemetry, this belongs on the same page. The relevant question to raise with Anthropic sales is not "do you do this" (they do) but "what triggers it, what is logged, and can we opt out for the enterprise tier." Expect a fuzzy answer; press anyway.
One more operational note. The auth model for Claude Code already sits on a bespoke OAuth flow with tokens stored under a `claudeAiOauth` wrapper in `~/.claude/.credentials`, and the CLI injects them via env var at spawn time rather than reading them from the file on Linux. That is a lot of ceremony for a developer tool. The steganography finding is consistent with a product team that treats the CLI as a hostile-environment binary — because the environment _is_ hostile from Anthropic's perspective. Whether that stance is reciprocated by paying customers is a separate question.
The interesting move is not Anthropic's — it's whether OpenAI, Google, and the open-weights community respond. If Codex CLI and Gemini CLI ship equivalent canaries in the next quarter, we will have quietly normalized covert client-side fingerprinting as table stakes for frontier tooling. If Anthropic responds to the HN cycle with a documented, opt-outable mechanism, it becomes a footnote. The worst outcome is silence followed by rotated markers, which is also the most likely one. The `Ular` string was findable because someone bothered to look. The next one won't be a misspelling.
Top 10 dev stories every morning at 8am UTC. AI-curated. Retro terminal HTML email.