WPDB prepare – like % – placeholders?

Yes, they’re normal. They were added in 4.8.3 to fix an SQL injection vulnerability.

You can read an article describing the technical reasons for this happening here and the ticket for the change here.

The placeholder characters are replaced by the random characters on the last line of $wpdb->prepare() with the $wpdb->add_placeholder_escape() function, which calls $wpdb->placeholder_escape() internally.

These placeholders are removed in $wpdb->query() by the $wpdb->remove_placeholder_escape() function which is added as a filter to the query hook.