What China's regulator reported
China's National Vulnerability Database (NVDB), a government cybersecurity platform operated by the Ministry of Industry and Information Technology, said in a statement on Wednesday, July 8, that it had identified a security backdoor risk in Claude Code, the AI programming tool built by Anthropic that can write and repair code based on user instructions. According to the statement, a built-in monitoring mechanism in the tool could transmit sensitive information, including a user's region and identity-related identifiers, to remote servers without the user's consent. The warning names specific affected versions, Claude Code 2.1.91 through 2.1.196, and tells organizations and users in China to immediately inspect their systems, uninstall the affected versions or upgrade to the latest release, tighten access controls on external connections from development tools, and increase traffic monitoring on core business networks. Reuters confirmed the statement and reported Anthropic did not immediately reply to a request for comment. The advisory landed days after Chinese tech giant Alibaba banned its own employees from using Claude Code at work, effective July 10, after an internal review classified it as high-risk software over the same alleged issue.
How the mechanism actually worked, according to the reporting so far
The story did not start with the Chinese government. It started in late June, when an independent developer reverse-engineered the Claude Code binary and posted findings on Reddit. According to that reporting, later corroborated by multiple outlets, code present since an April 2, 2026 release checked whether a user had configured Claude Code to route through a non-default API endpoint, the kind of setup used by developers connecting through a proxy or a third-party reseller. If that condition was met, the tool checked the system's timezone against Asia/Shanghai or Asia/Urumqi and checked the proxy hostname against a list associated with Chinese AI labs and resale services. When triggered, reporting describes the tool making small, hard-to-notice changes to its own output, such as swapping a standard apostrophe for a visually similar character, rather than adding any visible flag a user could see. An Anthropic engineer on the Claude Code team, Thariq Shihipar, responded directly on X, saying the mechanism was 'an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,' adding that the team had 'been meaning to take it down for a while' and that it would be fully rolled back. Cybernews has separately noted that Anthropic's existing privacy policy already discloses collecting the categories of data involved, and that the mechanism only activated under the specific proxy-and-region conditions reported, not for every user on the standard service.
What business owners should not misunderstand here
Do not read this as proof that Claude Code, or AI coding tools generally, are secretly spying on every user. The reported mechanism activated only under a narrow set of conditions, a non-default proxy combined with specific regional signals, and Anthropic says it is being removed entirely. Do not read it as a verdict on whether Anthropic acted maliciously either. The company's own account, that this was an anti-fraud and anti-distillation measure rather than a data-collection scheme aimed at users generally, has not been publicly contradicted, and its existing privacy policy already covers the categories of data described. And do not treat this as a US-versus-China story that requires picking a side. Both governments have grown more assertive about AI model and tool security this year, and a business's response should be the same regardless of which government issued the warning or which company built the tool. What should concern a business owner is the discovery path, not the geopolitics: a mechanism with real access to how a coding tool behaves ran for roughly three months before outside researchers found it through reverse-engineering, not through anything the vendor disclosed in its documentation or release notes.
The operational lesson: a coding agent's disclosed policy is not the same as its verified behavior
Every serious AI vendor publishes a privacy policy or a terms of service. Very few businesses have the technical means, or the reason, to check whether a tool's actual behavior matches what that policy describes, especially for a tool built to autonomously read, write, and execute code with broad system access. That gap is exactly what let this specific mechanism run for months before anyone outside Anthropic noticed. The lesson generalizes well beyond Claude Code: any AI coding agent your team uses, whatever the vendor, has deep access to source code, credentials, and outbound network calls. A business relying on one of these tools is trusting that the vendor's disclosed behavior is the complete picture, and that trust has not, in this case, been independently verified by the business using the tool. That is a normal state for most small and medium businesses today. It should not stay that way for any workflow that touches a codebase with real intellectual property, client data, or regulatory exposure.
What a serious business should do next
Inventory every AI coding tool in use across the business, including tools individual developers or contractors have installed on their own, and note the exact versions in use. Treat AI coding tool advisories the same way you already treat other software vulnerability disclosures: check them periodically, patch or upgrade promptly, and do not assume last quarter's version is still the safe one. Ask each AI coding vendor a direct question: does this tool collect or transmit any metadata beyond what is needed to complete a request, under what conditions, and is any of that behavior undisclosed in the standard documentation. For any workflow that touches sensitive source code, client data, or regulated information, consider basic outbound traffic monitoring on developer machines and CI/CD systems rather than relying solely on vendor assurances. None of this requires switching tools this week. If your business is not routing Claude Code traffic through third-party proxies from the flagged regions, direct exposure from this specific mechanism is unlikely, and reacting by banning a tool outright is not the useful response here. The useful response is starting a recurring habit of verifying AI vendor behavior, not just reading vendor claims once at purchase time.
The Atlacis view
Atlacis does not take a position on the Anthropic-Alibaba dispute or on US or Chinese AI security policy. Those are decisions for governments and the companies involved, not judgments a business owner needs to make. What Atlacis does see is a pattern worth naming plainly: business owners are adopting AI coding tools with real access to their codebases faster than they are verifying what those tools actually do once installed. A privacy policy is a starting point, not a substitute for asking a vendor direct questions and, where the stakes justify it, checking the answer independently. That is a workflow and governance habit, not a one-time vendor decision, and it is worth building before an outside researcher, a competitor, or a foreign government finds the gap for you.
The short version
- On July 8, 2026, China's National Vulnerability Database formally warned that Anthropic's Claude Code, an AI coding tool, contained a built-in mechanism capable of transmitting user location and identity data to remote servers without consent, naming affected versions 2.1.91 through 2.1.196 and telling organizations to inspect, uninstall, or upgrade immediately.
- The mechanism was first surfaced in late June 2026 by an outside developer reverse-engineering the tool, not disclosed by Anthropic. An Anthropic engineer later confirmed it existed, described it as a narrowly triggered anti-abuse and anti-distillation experiment from March 2026, and said it is being fully removed.
- Alibaba banned employees from using Claude Code at work starting July 10, citing the same concern, days ahead of the formal Chinese government advisory.
- The mechanism activated only under specific conditions, a non-default proxy combined with certain regional signals, not for every user. This is a reason for a measured response, not a reason to dismiss the underlying gap.
- The lesson generalizes beyond this one vendor or tool. Any AI coding agent has deep access to source code and network calls. Verifying what it actually does, not just reading the privacy policy, matters for any workflow that touches real business value.
Where ATLACIS can help
Sources
- Reuters: China issues 'backdoor' security alert over Anthropic's Claude Code (July 8, 2026)
- Global Times: China issues warning over backdoor security risks in Anthropic's AI coding tool Claude Code (July 8, 2026)
- Reuters: Alibaba to ban employees from using Anthropic's coding tool, source says (July 3, 2026)
- TechCrunch: Alibaba reportedly bans employees from using Claude Code (July 4, 2026)