- What: A widely-shared report claims a popular AI coding tool, when it detects that its API traffic is routed through a custom proxy, quietly changes its own output, swapping the dash in a date line for a slash and flipping between visually identical Unicode apostrophes, to signal that environment. A human never sees it; a receiving server reads it instantly.
- Why it matters: Your AI tools read your files, edit your repos, and run commands in your terminal. If a tool can also alter what it emits based on detecting your environment, the tool itself becomes a covert channel, and no firewall inspects the choice between one apostrophe and another.
- The class: homoglyph and format steganography. Not malware, not an exploit, not an anomalous packet. The signal rides inside the legitimate text your tools produce.
- The defense: inspect the characters themselves, correlate output-format drift with environment changes, score the variant choices for hidden structure, and sanitize the text in transit before it reaches upstream or your codebase.
We keep saying the ground is shifting under security teams, and here is a clean example of what that actually looks like. A report circulating this week alleges that a popular AI coding assistant behaves differently when it notices its traffic passing through a third-party API proxy. Instead of sending a visible tracking beacon that a corporate firewall could inspect or block, the claim is that the tool hides the signal inside the text of the prompt itself.
The mechanics described are almost elegant. A standard date like 2026-06-30 becomes 2026/06/30. A plain apostrophe (U+0027) is swapped for a curly one that looks identical on screen (U+2019). To a person reviewing the output, nothing is wrong. To a server that knows to look, the pattern of those choices is a message.
We are not here to litigate whether that specific report is accurate or overstated, and we are not accusing anyone of intent. What matters for defenders is that the technique is real, it is not new to the covert-channel literature, and it is now landing on tools that sit inside your most trusted workflows.
Why this is genuinely hard
Traditional controls look at the wrong layer. A firewall inspects packets. A DLP engine matches patterns and keywords. An EDR watches processes and files. None of them are built to notice that the twelfth apostrophe in a generated file is U+2019 instead of U+0027, or that your tool started writing slashes in dates only after you routed it through a proxy. The signal is inside content that is supposed to be there, produced by a tool you installed on purpose.
And this runs both directions. The same character-level tricks that let a tool signal outward, homoglyphs, zero-width characters, look-alike Unicode, are exactly how a prompt-injection payload or a poisoned dependency hides instructions from a human reviewer while staying perfectly readable to the model. The covert channel is not picky about which way it points.
The trust boundary just moved
The old assumption was simple: if the output of your tools looks right, it is right. That assumption is gone. An AI agent with permission to read your files, edit your repositories, and run your terminal is a lot of trust to extend to a process whose output you can no longer eyeball for tampering. When a tool that powerful starts making choices you cannot see, "it looked fine" stops being a control.
How Caver catches this, even from your own tools
This is exactly the problem our AI inspector layer was built for. Caver treats your AI tools as monitored subjects, not trusted black boxes. It captures the tool's inputs and outputs at the gateway and inspects them at the level where the signal actually lives:
- Character-level analysis. Every text field the tool produces or sends is checked at the code point. Non-canonical apostrophes and dashes, zero-width characters, mixed-script confusables, anything that should be plain ASCII but is not, gets flagged.
- Environment-conditional drift. Caver baselines how a tool normally formats its output, then watches for format changes that track an environment change: a proxy appearing, an egress path shifting. A stylistic quirk is noise. A stylistic quirk that switches on the moment you change your network is a covert channel.
- Covert-channel scoring. The distribution of those variant choices is measured for structure. Random style is random. A bit-string encoded in apostrophe selection is not, and it shows up statistically.
- Egress correlation. The character anomalies are joined against the tool's outbound connections in the same lake, so "the output changed" and "the tool phoned home" become one timeline instead of two disconnected alerts.
And then we sanitize
Detection is only half of it. Because Caver sits in the path, it can neutralize the channel as well as see it. Text is normalized in transit, Unicode canonicalized, look-alike punctuation folded back to plain ASCII, zero-width characters stripped, before it reaches an upstream service or lands in your codebase. Even if a trusted tool tries to embed a signal, the signal does not survive the trip. Detect it, and sanitize it.
Things are getting complicated, and this is the cutting edge of it: the covert channel is no longer a rogue packet, it is a character you cannot see, emitted by a tool you chose to trust. The teams who stay ahead are the ones inspecting the characters themselves and sanitizing what gets sent. That is the job Caver was built for.
Worried about what your AI tools are emitting?
RedEye Security and Caver give you inspection and sanitization at the layer where these signals actually hide.
Talk to us