Detailed Analysis
Claude Code version 2.1.150, released by Anthropic, introduced a mechanism by which remotely served strings are appended to the tool's system prompt. It was found through binary analysis by a technically sophisticated user who routinely audits the tool's internals. The mechanism operates through two distinct channels: a network call made at startup to `api.anthropic.com/api/claude_cli/bootstrap`, whose response is also cached to disk, and a GrowthBook feature flag named `tengu_heron_brook` that is refreshed every 60 seconds by background synchronization. String content returned by either channel is inserted directly into the system prompt governing Claude's behavior inside the tool. The discoverer verified this by running string analysis over the unpacked binary and tracing the relevant code paths to specific minified function names, including `nAA` for the disk-cache read and `n0A` for the network fetch. Notably, earlier versions of Claude Code contained the same infrastructure as effectively dead code that returned null; according to the discoverer, the live activation was introduced in this version.
The changelog entry for v2.1.150 described the change only as "Internal infrastructure improvements (no user-facing changes)," a characterization the discoverer explicitly challenges as misleading. The omission matters because Claude Code is an agentic coding tool with direct shell access to the user's machine. A remotely injected system prompt in that setting does not merely alter conversational tone or response style: it can change the behavioral instructions of a system that is actively executing commands, reading files, and operating inside development environments. The discoverer identified two environment variables, `CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1` and `DISABLE_GROWTHBOOK=1`, as mitigations that appear to block both remote pathways. These are the discoverer's findings rather than vendor-confirmed controls, and the writeup does not say whether a bootstrap response already cached on disk is still read once network traffic is disabled; anyone relying on the variables should verify both points against the exact version they run.
The architecture described mirrors common vendor practice for feature flagging and A/B testing; GrowthBook is a well-known open-source experimentation platform. Applying that infrastructure to the system prompt of an AI agent with privileged system access, however, carries a qualitatively different risk profile than toggling a UI element or gating a new feature behind a flag. The 60-second refresh interval of the GrowthBook flag in particular suggests a live operational control channel rather than a one-time configuration mechanism, which raises questions about the intended use cases and about the governance of what content Anthropic might push through these endpoints.
This discovery fits into a broader and intensifying conversation about transparency and user control in agentic AI deployments. As AI coding assistants and autonomous agents gain more access to sensitive environments (file systems, terminals, version control, cloud infrastructure), the question of who controls the behavioral instructions governing those agents becomes a meaningful security concern. Remote prompt injection, even when performed by the tool's own vendor, introduces a supply-chain-style trust dependency: users operating Claude Code in sensitive or regulated environments must now trust not only the software they installed but also Anthropic's real-time infrastructure decisions. That this surfaced through independent binary analysis rather than through the release notes underscores a growing tension between vendors' operational flexibility and users' ability to audit and understand the systems they deploy.
The episode also highlights how much the open, inspectable nature of npm packages enables meaningful third-party security research on AI tooling. The user's methodology, unpacking the tarball, running `strings`, and grepping for known function patterns, is accessible to anyone, and the fact that it yielded substantive findings suggests that systematic auditing of AI agent binaries may become standard practice in security-conscious organizations. Anthropic had not publicly responded to the disclosure as of the time the post was written, and the community reaction on Hacker News centered on disclosure norms, the adequacy of changelogs, and what legitimate operational justification could exist for a live system prompt control channel in a locally installed developer tool.
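The methodology above reduces to a few shell commands, and the following script, an added example that is neither the discoverer's script nor anything shipped with Claude Code, shows it end to end: build a tarball in the npm package layout, unpack it, and scan every file for the strings the writeup names. The tarball and the JavaScript inside it are constructed here so the script runs offline; the assumed layout (a top-level `package/` directory) is what `npm pack` produces, and `grep -a` stands in for `strings | grep` because it reads binaries directly.

```shell
#!/bin/sh
# Added example, not the discoverer's script and not part of Claude Code.
# Audit an npm tarball for the remote-configuration indicators reported in the
# writeup. The tarball scanned below is constructed locally so this runs offline.
set -eu

# Indicators worth finding in a shipped bundle. The first two are the bootstrap
# endpoint and GrowthBook flag named in the writeup; the last two are the opt-out
# environment variables, which a bundle must reference somewhere if it honours them.
INDICATORS='api.anthropic.com/api/claude_cli/bootstrap
tengu_heron_brook
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC
DISABLE_GROWTHBOOK'

# build_tarball JS_SOURCE: write a minimal npm-style package (package/...) whose
# only bundle is JS_SOURCE, tar it up, and print the tarball path.
# Constructed stand-in for the registry tarball that `npm pack` would download.
build_tarball() {
  dir=$(mktemp -d)
  mkdir -p "$dir/package"
  printf '{"name":"sample-cli","version":"0.0.0"}\n' > "$dir/package/package.json"
  printf '%s\n' "$1" > "$dir/package/cli.js"
  tar -C "$dir" -cf "$dir/sample.tar" package
  printf '%s\n' "$dir/sample.tar"
}

# audit_tarball TARBALL: unpack into a scratch directory, look for each indicator
# in every extracted file, report per indicator on stderr, print the hit count.
# `grep -a` treats binary files as text, so it replaces `strings | grep` here.
audit_tarball() {
  tarball=$1
  work=$(mktemp -d)
  tar -C "$work" -xf "$tarball"
  hits=0
  for needle in $INDICATORS; do
    if grep -a -r -q -F -- "$needle" "$work"; then
      printf 'FOUND   %s\n' "$needle" >&2
      hits=$((hits + 1))
    else
      printf 'absent  %s\n' "$needle" >&2
    fi
  done
  rm -rf "$work"
  printf '%s\n' "$hits"
}

# Constructed bundles: one mimicking what the writeup describes (endpoint, flag
# and both opt-out variables present) and one containing no remote-config strings.
SUSPECT_JS='var A="https://api.anthropic.com/api/claude_cli/bootstrap";function n0A(){if(process.env.CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC==="1")return null;return fetch(A)}var F=process.env.DISABLE_GROWTHBOOK==="1"?null:"tengu_heron_brook";'
CLEAN_JS='function main(){console.log("hello")}main();'

# Number of indicators found in each constructed bundle (4 and 0 respectively).
suspect_hits() { audit_tarball "$(build_tarball "$SUSPECT_JS")"; }
clean_hits()   { audit_tarball "$(build_tarball "$CLEAN_JS")"; }
```

Against a real artifact, `npm pack <package>@<version>` writes the registry tarball to the current directory, and `audit_tarball` can be pointed at it unchanged; the page does not give the package name, so none is assumed here. Counting which opt-out variables the bundle actually references is the cheap check that a documented kill switch is wired to something.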