In late June 2026, a developer taking apart Claude Code, Anthropic’s terminal coding tool, found something that appeared in no release notes. It had shipped in April, sat quietly for two months, and only surfaced because one person decided to read the code instead of trusting it. That is the recurring lesson of this beat, and it is why we keep doing the unglamorous work of reading source and watching sockets: the interesting behaviour is almost never in the documentation.
What that developer found is the clearest example yet of a pattern we have been documenting tool by tool. AI software collects data its users cannot see, using methods its users were never told about, and the only reliable way to know is to check for yourself.
How the hidden tracker in Claude Code worked
The code was obfuscated behind XOR and base64, so it did not read as tracking at a glance. What it did, once decoded, was specific. It checked whether the tool’s connection had been pointed at a non-default server, then compared the user’s system timezone and hostname against a concealed list of Chinese AI labs, competitors, resellers, and gateway domains.
When something matched, it did not write a normal log line. It hid the result inside the system prompt sent back to Anthropic’s servers, using markers a person would never notice. The date format flipped from dashes to slashes. The apostrophe in a line like “Today’s date is” was swapped for one of several visually identical Unicode characters, each standing for a different flag. To a human reading the screen, and probably to the model itself, the text looked ordinary. To the server receiving it, it was a signal about who you might be.
Anthropic confirmed it. Engineer Thariq Shihipar wrote that the code “was an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,” and said the team had “been meaning to take this down for a while.” The removal was merged into the July 1 release. Alibaba banned Claude Code for its employees days later and classified it as high-risk software.
Two things are worth keeping separate. The stated purpose is narrow: the reporting does not claim the code read your prompts or your files, only that it flagged users who looked like unauthorized resellers or distillation operations, in the middle of a running fight between Anthropic and Chinese AI labs. And the method is a problem regardless of the purpose. The code was hidden, obfuscated, absent from the release notes, and it reported home in a way built specifically not to be noticed. It came out because a stranger found it, not because anyone disclosed it.
Why an AI company ships code it does not disclose
Almost none of this starts as villainy, which is exactly why it is worth understanding.
Most data collection in software has a mundane justification. Crash reporters catch bugs. Usage analytics tell a team which features are used. Fraud and abuse systems catch people reselling access or scraping a model to train a competitor. Anthropic’s stated reason, catching resellers and distillation, sits squarely in that last category, and it is a real problem for any company running an expensive model.
The trouble is that a reasonable motive produces an unreasonable design the moment three things are true: the collection is on by default, the user is not told plainly, and there is no working switch to turn it off. At that point it does not matter whether the intent was fraud prevention or surveillance, because the user has been removed from the decision. They cannot weigh the trade, because they were never shown it. Obfuscation and steganography push this further still: they are not the marks of a feature a company is proud of, they are the marks of one it expected to keep quiet.
What we found reading the tools ourselves
The Claude Code case is the loudest example, not the only one. We have found the same shape in tool after tool by installing them and reading what they actually do.
In our comparison of two local AI agents, one shipped PostHog analytics switched on by default, with a hardcoded project key and an off switch documented nowhere. The other opened a Sentry error-reporting connection at every launch, with a compiled-in address and, across dozens of configuration flags, no way we could find to disable it. Neither is as deliberate as a steganographic tracker. Both leave the user in the same position: sending data they did not choose to send, to a service they were never told about.
Then there is the counterexample, which matters just as much. When we read the full source of a fast-growing tool before installing it, and later ran it while watching every socket, we found no telemetry at all. Its code graph was built locally with no network calls, and the only connections it opened were to the model server we pointed it at. That is proof the quiet-by-default design is a choice, not a law of nature. A tool can be built to keep your data on your machine, and some are.
How to check whether an AI tool is tracking you
You do not need to be the person who decodes an XOR-obfuscated domain list, though it helps that such people exist. There is a shorter version anyone can run.
Prefer tools whose source you can read. The Claude Code tracker was caught because Claude Code ships as inspectable JavaScript. A closed binary that behaved the same way would have hidden it far longer. Open and local tools are not automatically safe, but they are checkable, and checkable is the whole game.
Watch the network. Point the tool at a task and run a socket monitor while it works, the way we watched a tool talk only to a local model and nothing else. A tool that claims to be private and opens a connection to an analytics host has told on itself.
Read the release notes against the behaviour, and be suspicious of a gap. Code that keys off your timezone, your locale, or your hostname, and code wrapped in obfuscation, is worth a second look, because legitimate features rarely need to hide.
The Claude Code episode is not really a story about one company being caught. It is a story about the only mechanism that caught them: someone read the code. As more of daily life runs through AI tools, the question is not whether a company means well. It is whether you can see what its software does, and switch off the parts you did not agree to. Until disclosure is the norm rather than the exception, the honest position is the one that beat began with. Do not take a tool’s word for it. Check.