Developers using Claude Code in automated workflows have a new privacy concern to evaluate. A Hacker News thread posted on May 24, 2026, surfaced evidence that Claude Code v2.1.150 introduced mechanisms that allow Anthropic to remotely inject content into the tool's system prompt without deploying a new client update. The feature had existed in earlier versions as non-functional code. As of v2.1.150, released May 22, it became active.
Yes. Claude Code v2.1.150, released May 22, 2026, added two mechanisms letting Anthropic remotely modify its system prompt without a client update: a bootstrap endpoint at api.anthropic.com/api/claude_cli/bootstrap that fires at startup, and the GrowthBook flag tengu_heron_brook, polled every 60 minutes. Set CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and DISABLE_GROWTHBOOK=1 to disable both.
What Happened
A user inspecting the Claude Code v2.1.150 binary found two distinct pathways through which Anthropic can modify the system prompt at runtime. The first is a bootstrap call made at startup to api.anthropic.com/api/claude_cli/bootstrap. The second is a GrowthBook feature flag named tengu_heron_brook that polls Anthropic's servers every 60 minutes throughout any active session.
The changelog entry for this version described the change as "Internal infrastructure improvements," which gave no indication that the update touched how system instructions are sourced or refreshed. Security-focused developers in the HN thread noted that prior versions contained the relevant functions (nAA() and n0A()) but that they had no effect. The v2.1.150 build wired them to live endpoints.
The user provided specific commands using npm, tar, and strings to inspect the binary and replicate the findings. Piebald AI's Claude Code system prompt tracker, which documents prompt changes across versions, currently tracks 187 versions since v2.0.14 and provides a reference for comparing what changed and when.
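A check along those lines, as an added example rather than the commands from the thread: the function below searches an already-unpacked Claude Code package directory for the two marker strings named above. The function name and the directory you pass in are assumptions.

```sh
#!/bin/sh
# Added example: report which files under a directory contain the two
# markers this article names. Not the commands posted in the HN thread.

MARKERS='api/claude_cli/bootstrap
tengu_heron_brook'

# scan_markers DIR -> prints "<marker><TAB><file>" for every hit.
# Returns 0 if any marker was found, 1 if none, 2 if DIR is not a directory.
scan_markers() {
    dir=$1
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    found=1
    # The here-document keeps this loop in the current shell, so $found
    # is still set when the loop ends.
    while IFS= read -r marker; do
        # -r recurse, -a read binaries as text, -F fixed string, -l names only
        hits=$(grep -r -a -F -l -- "$marker" "$dir" 2>/dev/null) || continue
        found=0
        printf '%s\n' "$hits" | while IFS= read -r f; do
            printf '%s\t%s\n' "$marker" "$f"
        done
    done <<EOF
$MARKERS
EOF
    return $found
}

# Usage: scan_markers /path/to/unpacked/package
```

A hit shows only that the string is present in the build; as the article notes, earlier versions shipped the related functions without wiring them to live endpoints.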
The Two Injection Mechanisms

Understanding how the two mechanisms work matters if you are running Claude Code in any production or automated capacity.
Bootstrap endpoint. When Claude Code launches, it calls api.anthropic.com/api/claude_cli/bootstrap. This call can return content that becomes part of the system context before any user input is processed. Because it fires at startup, any session begun after a server-side change to this endpoint will carry the updated instructions without the client binary changing at all.
GrowthBook polling. GrowthBook is an open-source feature flagging and A/B testing platform. Anthropic runs its own GrowthBook instance for Claude Code. Initial flag values ship baked into the bundle so the tool works offline. Once a network connection is available, however, a GrowthBook client within Claude Code fetches the current flag set and then re-polls every 60 minutes. The flag tengu_heron_brook specifically governs the system prompt injection capability. "Tengu" is Anthropic's internal codename for Claude Code, which explains the prefix on most flags in this namespace.
Taken together, these two mechanisms give Anthropic the ability to modify what Claude Code understands as its operating instructions, both at session start and mid-session, across all installations that have network access.
Historical Context: Claude Code's Expanding Remote Surface

This is not the first time Claude Code's remote capabilities have drawn scrutiny. In April 2026, a source code leak exposed 512,000 lines of the Claude Code TypeScript source. The Register reported that the leak revealed a deny-rule bypass in the bash permission layer, as well as the extent to which Claude Code was architected with server-side dependencies that were not visible to end users reviewing its published documentation.
In October 2025, Anthropic published an engineering blog post detailing their sandboxing approach for Claude Code. That piece emphasized filesystem and network isolation to contain the effects of prompt injection attacks from external sources. The irony is notable: the network connectivity that Anthropic uses to push instructions into Claude Code is, in Anthropic's own model, the same connectivity that malicious content from the web could exploit if an injected prompt reached the model's context.
The official Claude Code documentation frames the tool as a developer agent that operates locally, but it has always made outbound API calls for model inference. The bootstrap and GrowthBook additions extend that network dependency into the system prompt layer itself.
Anthropic Has Not Officially Commented
As of the time of this writing, Anthropic has not published any statement acknowledging the bootstrap endpoint or the tengu_heron_brook GrowthBook flag. The changelog entry that covered v2.1.150 remains as originally published, with no amendment to clarify the nature of the infrastructure changes.
The absence of a comment matters beyond the immediate privacy question. Developers who use Claude Code in agentic pipelines, in enterprise environments with strict data governance policies, or in contexts where they need to audit and version-lock the instructions that govern the agent's behavior now face an audit gap they did not previously have to account for. A tool that receives instruction updates independently of its own version number is harder to lock down than one that does not.
Creator Outcome: How to Protect Your Claude Code Workflows

If you use Claude Code for automated creative or development pipelines, here is what you can do right now.
Check your version. Run claude --version to confirm whether you are on v2.1.150 or later. If you are on an earlier version and do not need the latest features, you may choose to stay there until Anthropic clarifies the intent and scope of these endpoints.
Set the mitigation environment variables. Two environment variables disable the relevant network calls:
CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1
DISABLE_GROWTHBOOK=1
Set these in your shell profile or in the environment for any process that invokes Claude Code. CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 suppresses non-inference outbound calls. DISABLE_GROWTHBOOK=1 prevents the feature flag polling entirely. Note that some convenience features dependent on GrowthBook flags may not load when polling is disabled; Anthropic has not published a complete list of what is gated behind these flags.
Audit your agentic pipelines. If Claude Code is part of an automated workflow with elevated permissions, treat it as you would any tool that receives instructions from an external source. Design the workflow so that the scope of what Claude Code can do is bounded by your own configuration, not solely by whatever instructions arrive via the bootstrap endpoint.
Monitor for Anthropic's response. This story was still developing as of May 24, 2026. Watch the Piebald system prompt tracker and official Anthropic release notes for any acknowledgment or policy clarification.
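The version check and the two environment variables can be enforced together before a pipeline step launches the tool. The guard below is an added example, not Anthropic's or the article's code; the function names are hypothetical and the format of the `claude --version` output is an assumption (the first x.y.z string is taken as the version).

```sh
#!/bin/sh
# Added example: pre-flight guard for a pipeline step that launches Claude Code.
# Function names are hypothetical; the version-output format is an assumption.
FIRST_AFFECTED="2.1.150"   # first build the article reports as active

# extract_version TEXT -> first x.y.z found in TEXT
extract_version() {
    printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# version_ge A B -> success when x.y.z version A >= B, compared numerically
version_ge() {
    old_ifs=$IFS; IFS=.
    set -- $1 $2               # $1..$3 are A's fields, $4..$6 are B's
    IFS=$old_ifs
    [ "$1" -gt "$4" ] && return 0; [ "$1" -lt "$4" ] && return 1
    [ "$2" -gt "$5" ] && return 0; [ "$2" -lt "$5" ] && return 1
    [ "$3" -ge "$6" ]
}

# preflight VERSION_TEXT -> 0 when the launch may proceed, 1 otherwise
preflight() {
    ver=$(extract_version "$1")
    # Fail closed: an unreadable version is treated as unsafe.
    [ -n "$ver" ] || { echo "cannot parse version from: $1" >&2; return 1; }
    # Earlier builds carry the code in non-functional form, per the article.
    version_ge "$ver" "$FIRST_AFFECTED" || return 0
    rc=0
    for name in CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC DISABLE_GROWTHBOOK; do
        # Read the exported environment: that is what the child inherits.
        val=$(env | sed -n "s/^${name}=//p" | head -n 1)
        if [ "$val" != "1" ]; then
            echo "refusing to launch claude $ver: $name is not exported as 1" >&2
            rc=1
        fi
    done
    return $rc
}

# Usage in a wrapper script:
#   preflight "$(claude --version)" && exec claude "$@"
```

The guard reads `env` rather than shell variables because a variable assigned without `export` looks set in the calling script but never reaches the Claude Code process.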
Frequently Asked Questions
What is GrowthBook and why does Claude Code use it?
GrowthBook is an open-source feature flagging and A/B testing platform. Anthropic runs its own instance and uses it to control which Claude Code features are enabled for which accounts. Feature flags let Anthropic roll out new capabilities incrementally, run experiments, and remotely disable features that cause problems without pushing a full client update. The tengu_heron_brook flag is one of many in this namespace; others govern things like auto mode behavior and remote control features.
Can Anthropic see what I am doing in Claude Code?
The bootstrap and GrowthBook mechanisms are outbound calls from Claude Code to Anthropic's servers. They do not, by themselves, send your session content or file contents to Anthropic beyond what already goes to the model inference API. However, if the remotely injected system prompt includes instructions that alter how Claude Code handles tool outputs, that behavior change is invisible to you unless you explicitly inspect the active system prompt before each session.
Does this affect Claude.ai or the Claude API directly?
No. The bootstrap endpoint and GrowthBook integration are specific to the Claude Code CLI tool. Claude.ai and API integrations using the standard Anthropic SDK are not affected by these mechanisms.
Are the mitigation environment variables permanent?
You need to set them each time Claude Code runs, or add them to your shell profile to make them persistent. Setting CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC=1 and DISABLE_GROWTHBOOK=1 in your .bashrc, .zshrc, or equivalent file will apply them to all future sessions automatically.
Will disabling GrowthBook break any features?
Potentially. Anthropic gates some capabilities behind GrowthBook feature flags. When polling is disabled, features that require a server-side flag to be enabled will not load, even if they are available for your account. Anthropic has not published documentation on which specific features depend on GrowthBook availability. If you notice capabilities disappearing after setting DISABLE_GROWTHBOOK=1, that flag is likely the cause.
Should developers stop using Claude Code because of this?
That depends on your threat model and compliance requirements. For individual developers using Claude Code interactively, the practical risk is low and the tool remains among the most capable coding agents available. For teams running Claude Code in automated pipelines with broad file system or network access, reviewing your setup against the mitigation steps above is a reasonable precaution while waiting for Anthropic's official response.