China flags Claude Code monitoring mechanism as security backdoor; Anthropic says it's anti-abuse experiment
China's National Vulnerability Database (NVDB), operating under the Ministry of Industry and Information Technology, issued a formal security alert warning that Anthropic's Claude Code contains a backdoor vulnerability that transmits sensitive user information—including location and identity data—to remote servers without consent. The alert affects Claude Code versions 2.1.91 through 2.1.196 (released April 2 to June 29, 2026). China urged developers to immediately uninstall affected versions or upgrade to the latest build (2.1.204). Claude Code itself is not officially approved for use in China, though users access it via VPNs and proxy services.
Anthropic engineer Thariq Shihipar confirmed on X that the monitoring mechanism was an experimental feature launched in March to prevent account abuse from unauthorized resellers and to protect against model distillation—a practice where competitors harvest Claude outputs to train cheaper clones. The company stated it intended to fully roll back the hidden monitoring in subsequent releases and move to transparent tracking if needed. The controversy accelerated after developer Troye Sivan discovered in late June that Claude Code was covertly sending time zone, domain, and identity markers to Anthropic servers, specifically targeting Chinese users.
Alibaba, which Anthropic previously accused of distilling Claude across 24,000 fraudulent accounts in April–June 2026, separately banned its employees from using Claude Code effective July 10 due to security concerns. The incident reflects the broader U.S.-China AI competition and raises transparency questions for tools embedded in development workflows. While Anthropic frames the tracking as a defensive measure against abuse and IP theft, the fact that monitoring was hidden and targeted specific geographic regions has triggered vendor skepticism and prompted national-level incident classification.
Sources
- Primary source
- cnbc.com
“The autonomous coding tool can send sensitive information to a remote server without a user's consent, the statement said in Chinese, according to a CNBC translation. It noted that the information could include a user's location and identity.”
- tomshardware.com
“Anthropic engineer Thariq Shihipar confirmed on X that it was an experiment the company launched in June 'to prevent account abuse from unauthorized resellers and protect against distillation.' He also added that 'this should be fully rolled back in tomorrow's release.'”