It turns out that Claude Code was quietly collecting data like user time zones and proxy settings, sending that info back to Anthropic’s servers. The company explained that this was an experimental feature, active since March, designed to prevent account reselling and protect their models from distillation attacks. They even used prompt steganography to hide the code, which is why it went unnoticed until a security researcher dug into how the tool handles data. The good news is that the tracking code has been completely removed, and you can stay protected by simply updating to the latest version of the tool.

This is a great reminder to keep an eye on the tools we use daily, as transparency remains the best way to keep our development environments secure.