Claude Code Embeds Hidden Steganographic Markers in Requests
Security researchers discovered that Claude Code secretly embeds steganographic markers in requests, raising transparency and data handling concerns for developers using the tool.
July 3, 2026

"The markers are not visible in the rendered output. They are embedded in the whitespace."
That line, from the thereallo.dev investigation published this week, is the part of the Claude Code steganography story that matters most. Not that hidden data exists in the requests - that much is now confirmed - but that it is invisible to casual inspection. You cannot see it in your terminal. You cannot see it in a diff. The only way to find it is to examine the raw byte stream of what Claude Code is actually sending to Anthropic's servers.
How to decide what to do right now
This is not a vulnerability in the traditional sense, so the response depends almost entirely on your threat model. Work through this before deciding whether to act.
If you are a solo developer using Claude Code on personal projects with no client data involved: the practical risk here is low. The markers appear to be session or request identifiers, not content extraction. You can continue using the tool while monitoring whether Anthropic publishes a formal explanation. Check back in two weeks.
If you are using Claude Code in a corporate environment on proprietary codebases: this warrants a conversation with your security team before the next sprint. The concern is not that your code is being transmitted - you presumably accepted that when you set up the tool. The concern is that requests are being tagged in a way that was not disclosed in the documentation or terms of service. That is a transparency gap, and some compliance frameworks treat undisclosed telemetry as a policy violation regardless of what the telemetry actually contains.
If you are on a team subject to SOC 2, HIPAA, or any contractual obligation around data handling with clients: pause Claude Code usage until you have a written statement from Anthropic clarifying what the markers encode and how long they are retained. "We are investigating" is not sufficient for an audit.
If you are a security researcher or want to verify the finding yourself: the thereallo.dev post includes enough detail to reproduce the inspection. You need to intercept the raw HTTP traffic from Claude Code, not the rendered prompt text. A proxy like mitmproxy pointed at the tool's outbound requests will show you what the researchers found.
One thing to check regardless of your situation
Review whether Claude Code is listed as an approved tool in your organization's AI policy. Many teams added it informally, and this incident is a reasonable prompt to formalize that decision with current information rather than assumptions made six months ago.
The mechanism the headline skipped past
Steganography is usually discussed in the context of images: hiding a message in the least significant bits of pixel values, invisible to the eye. The technique applied here is the text equivalent, and it is older than AI tools by several decades. Unicode contains a set of characters that have zero visual width. They do not render. They do not affect layout. They exist, as far as the screen is concerned, as nothing.
But they are not nothing to a parser. A zero-width non-joiner (U+200C) and a zero-width joiner (U+200D) can encode binary data through their presence and absence - a 0 or a 1 depending on which character appears at a given position. String enough of these together between ordinary characters and you have an invisible payload that survives copy-paste, survives rendering in most IDEs, and survives display in a terminal. It does not survive a hex dump.
What the researchers found is that Claude Code appears to be inserting sequences of these characters into the prompts it sends upstream. The sequences are consistent enough across sessions to suggest they are structured, not random. That is what makes this steganography rather than noise: structured, invisible, persistent data embedded in a carrier that looks clean to the naked eye.
Why would a coding assistant do this? The most charitable interpretation is request tracing: a way for Anthropic's infrastructure to correlate API calls across retries, sessions, or abuse investigations without relying on IP addresses or user IDs alone. The less charitable interpretation is more granular user tracking than the privacy policy currently describes. Neither interpretation requires malicious intent. Both require an explanation that Anthropic has not yet provided.
The timing matters here. Claude Code has been expanding rapidly as a product, and Anthropic is simultaneously navigating real pressure from enterprise customers who want detailed audit trails of what their engineers are sending to external AI services. Embedding request markers at the prompt level, rather than the HTTP header level, would survive certain kinds of proxy inspection and logging that strip or ignore headers. Whether that was the design intent is unknown. That it is the functional effect is now documented.
What steganographic encoding looks like in practice
Text-based steganography using Unicode whitespace is straightforward to implement and easy to miss during a standard code review. The encoding scheme works like this: take a sequence of invisible characters and assign a binary value to each character type. A zero-width joiner represents one bit state, a zero-width non-joiner represents the other. Insert them between visible characters in a consistent pattern and you have a covert channel.
To detect whether a string contains these characters, you do not need specialized software. In Python, you can check a string with a simple inspection:
suspicious = "\u200c\u200d"
text = "your_string_here"
hidden = [hex(ord(c)) for c in text if ord(c) in (0x200c, 0x200d, 0xfeff, 0x200b)]
print(hidden)
Zero-width non-joiner is U+200C, zero-width joiner is U+200D, zero-width no-break space is U+FEFF, and zero-width space is U+200B. Any of these appearing in AI-generated output or in the raw prompt text sent by a coding tool should prompt a closer look. The thereallo.dev researchers found consistent patterns in Claude Code's outbound traffic, not occasional noise.
The important distinction is between embedding in the output Claude returns to you versus embedding in the prompt Claude Code sends to the API. The investigation points to the latter: the markers are in the upstream request, not in the code the tool writes for you. That shifts the concern from "is my generated code watermarked" to "is my usage being tagged in ways I did not agree to."
Why proxy log normalization strips the evidence before your security team sees it
A common enterprise control for AI tools is TLS inspection at the network boundary: all traffic to external AI APIs goes through a proxy that logs request and response bodies for security review. This approach catches a lot, but it has a specific failure mode with text-level steganography.
Most proxy logging pipelines normalize or prettify JSON before writing it to a log store. Normalization frequently strips or collapses whitespace. A zero-width character embedded between two visible characters in a JSON string value will often survive the HTTP transit but disappear during log ingestion. The security team reviewing logs sees clean prompt text. The actual bytes that left the machine contained extra data. The audit trail is incomplete.
This is not a theoretical edge case. Teams that discovered the issue reported it after examining raw traffic captures, not log exports. The original investigation makes clear that standard tooling is insufficient for detecting these markers without deliberate configuration to preserve raw byte content.
There is also a subtler problem for teams using AI coding tools in regulated environments: if your data handling agreements require that you log exactly what is transmitted to a third party, and your logs are missing invisible characters that were part of the transmission, you have a compliance gap that existed before this story broke. You just did not know about it. That gap is now your problem to close, not Anthropic's.
The researchers who published this finding are not the last people who will look. Within six months, at least one major enterprise security vendor will ship a Claude Code inspection tool or policy rule specifically targeting Unicode steganography in outbound AI traffic - and Anthropic will have been forced to publish a formal technical explanation of what the markers encode before that happens. If neither of those things occurs by the end of 2025, the finding will have been quietly buried rather than resolved, which would be a more significant transparency problem than the original behavior.
For a broader look at how Claude compares to other AI tools on privacy controls and enterprise readiness, see our Claude vs Gemini comparison. And for coverage of other recent Claude Code findings, see our earlier post on Claude Code spend and alternatives.
Comments
Leave a comment
Some links in this article are affiliate links. Learn more.