A researcher has identified a mechanism in Claude Code that activates when the user sets the ANTHROPIC_BASE_URL environment variable, which is typically used for local models. When triggered, the mechanism decodes and decrypts a list of suspicious hostnames embedded in the software's code.

  • The hostname list is stored as Base64-encoded data encrypted with a simple XOR operation using a key of 91.
  • Decoding reveals domains belonging to Chinese companies, keywords related to artificial intelligence laboratories, and gateways used to route requests to the Claude API.
  • The complete decoded list has been published online by the researcher at thereallo.dev.
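
For auditing a bundle for this kind of embedded list, the sketch below (an added example, not code from Claude Code or from the researcher) scans text for Base64 runs, XORs each decoded run with key 91, and reports the runs that yield hostname-like strings. The Base64-then-XOR decode order, the comma separator, the function names and the example.com hosts are assumptions; the sample bundle is constructed.

```python
import base64
import binascii
import re

XOR_KEY = 91  # single-byte key stated in the write-up
# Runs of Base64 alphabet long enough to hold a few hostnames.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")
# Hostname-like token: dot-separated labels ending in an alphabetic TLD.
HOSTNAME = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")

def xor_bytes(data: bytes, key: int = XOR_KEY) -> bytes:
    return bytes(b ^ key for b in data)

def encode_list(hosts, key: int = XOR_KEY) -> str:
    """Build a constructed sample (XOR, then Base64); assumed layout."""
    return base64.b64encode(xor_bytes(",".join(hosts).encode(), key)).decode()

def decode_blob(blob: str, key: int = XOR_KEY):
    """Base64-decode then XOR; return None unless the result is printable ASCII."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    plain = xor_bytes(raw, key)
    if not plain or any(b < 0x20 or b > 0x7E for b in plain):
        return None
    return plain.decode("ascii")

def find_hidden_hostlists(source: str, key: int = XOR_KEY):
    """Return (offset, hostnames) for each Base64 run that hides hostnames."""
    hits = []
    for match in B64_RUN.finditer(source):
        text = decode_blob(match.group(0), key)
        if text is None:
            continue
        hosts = HOSTNAME.findall(text)
        if hosts:
            hits.append((match.start(), hosts))
    return hits

# Constructed sample: a fake bundle fragment holding one ordinary Base64
# string (must not be reported) and one obfuscated hostname list.
SAMPLE_HOSTS = ["relay.example.com", "gateway.example.net", "lab.example.org"]
SAMPLE_BUNDLE = (
    'var a="' + base64.b64encode(b"just an ordinary base64 string here").decode()
    + '";var b="' + encode_list(SAMPLE_HOSTS) + '";'
)

if __name__ == "__main__":
    for offset, hosts in find_hidden_hostlists(SAMPLE_BUNDLE):
        print(f"offset {offset}: {hosts}")
```

The printable-ASCII filter is what keeps ordinary Base64 constants and binary assets out of the report; a different key or an extra encoding layer would need its own pass.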

This discovery highlights how environment variables can trigger hidden behaviors in AI tools, potentially routing traffic through third-party resellers or Chinese infrastructure.