Tools, Jul 2, 2026

Claude Code Exposed with Steganographic Trojan, Codex Log Bug Writes 640TB Annually: Trust Crisis in AI Coding Tools

Severe issues have recently emerged in AI coding tools. Anthropic's Claude Code has been accused of embedding obfuscated code in its binaries since April, using steganography to encode the user's timezone, proxy, and Chinese AI lab domain names into system prompts in order to detect unauthorized resale and model distillation. The mechanism employs XOR encryption and Unicode character substitution, making it difficult for users to notice. Claude Code lead Thariq responded that it was an experiment, that a rollback PR has been merged, and that he expects it to be removed tomorrow.
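For readers who want to check text their own tooling sends or receives, the following is an added example (not code from Claude Code or from the report) that flags characters typical of Unicode substitution in otherwise plain text. The report does not say which characters were used, so the three heuristics and the sample string are assumptions constructed for illustration.

```python
import unicodedata

def script_of(ch):
    # First word of the Unicode name is a workable script hint
    # ("LATIN", "CYRILLIC", "GREEK", ...).
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def scan(text):
    """Return (index, codepoint, reason) for each suspicious character."""
    findings = []
    pos = 0
    for token in text.split(" "):
        has_ascii_letter = any(c.isascii() and c.isalpha() for c in token)
        for i, ch in enumerate(token):
            if ch.isascii():
                continue
            folded = unicodedata.normalize("NFKC", ch)
            if unicodedata.category(ch) == "Cf":
                # Zero-width and directional controls render as nothing.
                reason = "invisible format character"
            elif folded != ch and folded.isascii():
                # Fullwidth forms, odd spaces, etc. that fold to plain ASCII.
                reason = f"compatibility form of {folded!r}"
            elif ch.isalpha() and has_ascii_letter and script_of(ch) != "LATIN":
                # A lookalike letter from another script inside a Latin word.
                reason = f"{script_of(ch)} letter inside Latin token"
            else:
                continue  # ordinary non-ASCII text such as "café"
            findings.append((pos + i, f"U+{ord(ch):04X}", reason))
        pos += len(token) + 1  # +1 for the space consumed by split
    return findings

# Constructed sample: no-break space, Cyrillic "а", and a zero-width space.
SAMPLE = "You are a helpful\u00a0\u0430ssistant.\u200b Timezone: UTC"

if __name__ == "__main__":
    for index, codepoint, reason in scan(SAMPLE):
        print(f"offset {index}: {codepoint} ({reason})")
```

A clean result does not prove the absence of encoding, since information can also be carried by word choice or ordering; the scan only covers character-level substitution.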

Meanwhile, OpenAI's Codex was found to have a serious logging bug: default TRACE-level logging causes SQLite database writes of up to 640TB per year, enough to burn out a consumer-grade SSD in a year. The issue stems from a single-line configuration, with_default(Level::TRACE), that ignores the RUST_LOG environment variable; at least 9 related issues have been filed. After the fix, about 15% of writes remain (approximately 96TB per year).

Additionally, Codex recently experienced abnormal quota consumption: a single message exhausting the entire quota, background tasks stealing tokens, failed tasks retrying repeatedly and generating "ghost quotas", and misaligned usage statistics. OpenAI has reset quotas multiple times and rolled back related changes.

These two incidents expose systemic flaws in resource budgeting, user trust, and testing processes for AI coding tools. The community criticizes them as "bad software" and questions vendors' use of user devices as free debugging storage and monitoring tools.
