Claude Code v2.1.150 Adds Remote System Prompt Injection via Network

OpenClawRadar | Published: May 25, 2026

Claude Code v2.1.150 introduces a mechanism that fetches system prompt text from Anthropic servers at startup and every 60 seconds via a GrowthBook feature flag, effectively enabling remote prompt injection. The change, labeled as “Internal infrastructure improvements (no user-facing changes)” in the changelog, adds two data sources that inject arbitrary strings into the system prompt of an LLM agent that has shell access.

How It Works

  • Bootstrap endpoint: At startup, Claude Code calls api.anthropic.com/api/claude_cli/bootstrap and caches the response to disk.
  • GrowthBook feature flag: The flag tengu_heron_brook refreshes every 60 seconds via a background sync.

Any string returned by these endpoints is injected into the system prompt.

In previous versions, the injection point existed but was dead code returning null. In v2.1.150, the network fetch was activated in function n0A, and the flag is registered via Rv("heron_brook", () => nAA()). The function nAA reads the cached value from disk.

Blocking the Injection

Users who patch their system prompts (e.g., via tools like tweakcc) can block the remote injection with environment variables:

export CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1
export DISABLE_GROWTHBOOK=1

Verification Commands (Linux x64)

npm pack @anthropic-ai/claude-code-linux-x64@2.1.150 --pack-destination /tmp
tar xzf /tmp/anthropic-ai-claude-code-linux-x64-2.1.150.tgz
strings package/claude | grep -oP 'function nAA\(\)\{[^}]+\}'
strings package/claude | grep -oP '.{0,60}heron_brook.{0,60}'

The minified function names are specific to this binary.
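
A combined check, as an added example that is not from the original article or from Anthropic: it looks for the heron_brook marker the article greps for and confirms that both blocking variables are set, either in the current shell or in the environment a process was started with. The function names and the optional /proc/<pid>/environ argument are assumptions of this example.

```shell
#!/bin/sh
# Added example, not the article's code. Assumes a grep that supports -a
# (GNU or BSD). The flag name and variable names are taken from the article.

# 0 if the file contains the flag name (tengu_heron_brook is registered as
# "heron_brook"). grep -a reads the binary as text, so neither `strings`
# nor PCRE support is required.
has_remote_prompt_flag() {
    grep -aq 'heron_brook' "$1"
}

# 0 only if NAME=1 is a whole entry in a NUL-separated environ file
# (the /proc/<pid>/environ format on Linux). $1 = NAME, $2 = file.
environ_has() {
    tr '\0' '\n' < "$2" | grep -qx "$1=1"
}

# 0 only if both blocking variables are set to 1. With an environ file as $1
# it inspects that process; with no argument it inspects the current shell.
mitigation_active() {
    if [ -n "${1:-}" ]; then
        environ_has CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC "$1" &&
        environ_has DISABLE_GROWTHBOOK "$1"
    else
        [ "${CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC:-}" = 1 ] &&
        [ "${DISABLE_GROWTHBOOK:-}" = 1 ]
    fi
}

# Prints a verdict for BINARY ($1), optionally against an environ file ($2).
# Return status: 0 = marker absent or mitigated, 1 = exposed, 2 = unreadable.
audit_claude_binary() {
    if [ ! -r "$1" ]; then echo "ERROR: cannot read $1"; return 2; fi
    if ! has_remote_prompt_flag "$1"; then
        echo "NOT-FOUND: no heron_brook marker in $1"; return 0
    fi
    if mitigation_active "${2:-}"; then
        echo "MITIGATED: marker present, both blocking variables set"; return 0
    fi
    echo "EXPOSED: marker present, blocking variables missing"; return 1
}

# Usage: sh audit.sh package/claude [/proc/<pid>/environ]
[ "$#" -eq 0 ] || audit_claude_binary "$@"
```

A NOT-FOUND verdict only means this flag name does not appear in the file. Passing /proc/<pid>/environ checks the environment the process was actually started with, which can differ from the shell where the exports were typed.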

Who It Affects

Anyone running Claude Code v2.1.150 who relies on local prompt patching (e.g., power users, security-conscious developers) or who wants to ensure that no remote behavior changes occur without consent.

📖 Read the full source: HN AI Agents
