Skip to content

AI Governance

China's government just warned that a widely used AI coding tool had a hidden tracking feature. Here is what business owners should know before trusting what any AI tool actually does.

On July 8, 2026, China's National Vulnerability Database, run by the Ministry of Industry and Information Technology, issued a formal advisory warning that Anthropic's AI coding tool, Claude Code, contained a built-in mechanism capable of transmitting sensitive information, including a user's location and identity-related identifiers, to remote servers without consent. The advisory names specific affected versions and tells organizations to inspect their systems now. It follows Alibaba's decision, days earlier, to ban staff from using the same tool at work. The direct answer for a business owner: this is not a story about whether to trust China or the United States on AI policy. It is a concrete example of a coding tool with deep access to a company's source code running logic that outside researchers had to discover on their own, because the vendor never disclosed it. Any business that lets an AI coding agent near real code should read this as a prompt to verify, not assume, what that tool is actually doing.

By Fabio Rabelo · Founder, ATLACIS ·

What China's regulator reported

China's National Vulnerability Database (NVDB), a government cybersecurity platform operated by the Ministry of Industry and Information Technology, said in a statement on Wednesday, July 8, that it had identified a security backdoor risk in Claude Code, the AI programming tool built by Anthropic that can write and repair code based on user instructions. According to the statement, a built-in monitoring mechanism in the tool could transmit sensitive information, including a user's region and identity-related identifiers, to remote servers without the user's consent. The warning names specific affected versions, Claude Code 2.1.91 through 2.1.196, and tells organizations and users in China to immediately inspect their systems, uninstall the affected versions or upgrade to the latest release, tighten access controls on external connections from development tools, and increase traffic monitoring on core business networks. Reuters confirmed the statement and reported Anthropic did not immediately reply to a request for comment. The advisory landed days after Chinese tech giant Alibaba banned its own employees from using Claude Code at work, effective July 10, after an internal review classified it as high-risk software over the same alleged issue.

How the mechanism actually worked, according to the reporting so far

The story did not start with the Chinese government. It started in late June, when an independent developer reverse-engineered the Claude Code binary and posted findings on Reddit. According to that reporting, later corroborated by multiple outlets, code present since an April 2, 2026 release checked whether a user had configured Claude Code to route through a non-default API endpoint, the kind of setup used by developers connecting through a proxy or a third-party reseller. If that condition was met, the tool checked the system's timezone against Asia/Shanghai or Asia/Urumqi and checked the proxy hostname against a list associated with Chinese AI labs and resale services. When triggered, reporting describes the tool making small, hard-to-notice changes to its own output, such as swapping a standard apostrophe for a visually similar character, rather than adding any visible flag a user could see. An Anthropic engineer on the Claude Code team, Thariq Shihipar, responded directly on X, saying the mechanism was 'an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,' adding that the team had 'been meaning to take it down for a while' and that it would be fully rolled back. Cybernews has separately noted that Anthropic's existing privacy policy already discloses collecting the categories of data involved, and that the mechanism only activated under the specific proxy-and-region conditions reported, not for every user on the standard service.

What business owners should not misunderstand here

Do not read this as proof that Claude Code, or AI coding tools generally, are secretly spying on every user. The reported mechanism activated only under a narrow set of conditions, a non-default proxy combined with specific regional signals, and Anthropic says it is being removed entirely. Do not read it as a verdict on whether Anthropic acted maliciously either. The company's own account, that this was an anti-fraud and anti-distillation measure rather than a data-collection scheme aimed at users generally, has not been publicly contradicted, and its existing privacy policy already covers the categories of data described. And do not treat this as a US-versus-China story that requires picking a side. Both governments have grown more assertive about AI model and tool security this year, and a business's response should be the same regardless of which government issued the warning or which company built the tool. What should concern a business owner is the discovery path, not the geopolitics: a mechanism with real access to how a coding tool behaves ran for roughly three months before outside researchers found it through reverse-engineering, not through anything the vendor disclosed in its documentation or release notes.

The operational lesson: a coding agent's disclosed policy is not the same as its verified behavior

Every serious AI vendor publishes a privacy policy or a terms of service. Very few businesses have the technical means, or the reason, to check whether a tool's actual behavior matches what that policy describes, especially for a tool built to autonomously read, write, and execute code with broad system access. That gap is exactly what let this specific mechanism run for months before anyone outside Anthropic noticed. The lesson generalizes well beyond Claude Code: any AI coding agent your team uses, whatever the vendor, has deep access to source code, credentials, and outbound network calls. A business relying on one of these tools is trusting that the vendor's disclosed behavior is the complete picture, and that trust has not, in this case, been independently verified by the business using the tool. That is a normal state for most small and medium businesses today. It should not stay that way for any workflow that touches a codebase with real intellectual property, client data, or regulatory exposure.

What a serious business should do next

Inventory every AI coding tool in use across the business, including tools individual developers or contractors have installed on their own, and note the exact versions in use. Treat AI coding tool advisories the same way you already treat other software vulnerability disclosures: check them periodically, patch or upgrade promptly, and do not assume last quarter's version is still the safe one. Ask each AI coding vendor a direct question: does this tool collect or transmit any metadata beyond what is needed to complete a request, under what conditions, and is any of that behavior undisclosed in the standard documentation. For any workflow that touches sensitive source code, client data, or regulated information, consider basic outbound traffic monitoring on developer machines and CI/CD systems rather than relying solely on vendor assurances. None of this requires switching tools this week. If your business is not routing Claude Code traffic through third-party proxies from the flagged regions, direct exposure from this specific mechanism is unlikely, and reacting by banning a tool outright is not the useful response here. The useful response is starting a recurring habit of verifying AI vendor behavior, not just reading vendor claims once at purchase time.

The Atlacis view

Atlacis does not take a position on the Anthropic-Alibaba dispute or on US or Chinese AI security policy. Those are decisions for governments and the companies involved, not judgments a business owner needs to make. What Atlacis does see is a pattern worth naming plainly: business owners are adopting AI coding tools with real access to their codebases faster than they are verifying what those tools actually do once installed. A privacy policy is a starting point, not a substitute for asking a vendor direct questions and, where the stakes justify it, checking the answer independently. That is a workflow and governance habit, not a one-time vendor decision, and it is worth building before an outside researcher, a competitor, or a foreign government finds the gap for you.

The short version

  • On July 8, 2026, China's National Vulnerability Database formally warned that Anthropic's Claude Code, an AI coding tool, contained a built-in mechanism capable of transmitting user location and identity data to remote servers without consent, naming affected versions 2.1.91 through 2.1.196 and telling organizations to inspect, uninstall, or upgrade immediately.
  • The mechanism was first surfaced in late June 2026 by an outside developer reverse-engineering the tool, not disclosed by Anthropic. An Anthropic engineer later confirmed it existed, described it as a narrowly triggered anti-abuse and anti-distillation experiment from March 2026, and said it is being fully removed.
  • Alibaba banned employees from using Claude Code at work starting July 10, citing the same concern, days ahead of the formal Chinese government advisory.
  • The mechanism activated only under specific conditions, a non-default proxy combined with certain regional signals, not for every user. This is a reason for a measured response, not a reason to dismiss the underlying gap.
  • The lesson generalizes beyond this one vendor or tool. Any AI coding agent has deep access to source code and network calls. Verifying what it actually does, not just reading the privacy policy, matters for any workflow that touches real business value.
Tags:AI governancedata exposurevendor dependencyAI coding toolsAnthropicAI securitybusiness AIAI decision-makingworkflow auditAI risk
FAQ

Common questions

Should my business stop using Claude Code because of this?
Not automatically. The reported mechanism activated only when a user routed traffic through a non-default proxy combined with specific regional signals, Anthropic says it is being fully removed, and the categories of data involved were already described in Anthropic's existing privacy policy. If your business is not using third-party proxy routing from the flagged regions, direct exposure is unlikely. The useful response is checking your Claude Code version against the affected range and upgrading if needed, not reactively switching vendors.
Is this a problem specific to Anthropic, or does it apply to other AI coding tools too?
The specific mechanism reported here is specific to Claude Code. The broader risk is not. Any AI coding agent, from any vendor, has deep access to source code, credentials, and outbound network calls, and most businesses have no independent way to verify that a tool's actual behavior matches its published privacy policy. That gap applies across the AI coding tool category, not to one company.
Keep reading

More from the blog

Anthropic says Alibaba stole Claude's capabilities using 25,000 fake accounts. Here is what business owners should understand about the AI products they buy.

Anthropic accused Alibaba's Qwen AI lab of using roughly 25,000 fraudulent accounts to generate more than 28.8 million interactions with Claude between April and June 2026, with the goal of copying Claude's advanced capabilities into a cheaper competing model. The story surfaced publicly on June 24, 2026, through a letter Anthropic sent to the US Senate Banking Committee. The real business question is not about geopolitics. It is about how to evaluate the AI products you buy when you cannot see what is under the hood.

China is discussing limits on overseas access to its own AI models. Here is what business owners using cheap Chinese AI should know.

Reuters reported on July 7, 2026 that Chinese authorities have held meetings with Alibaba, ByteDance, and Z.ai about restricting overseas access to their most advanced AI models, the same low-cost, high-capability models many businesses have adopted to cut rising AI token costs. Nothing has been decided, and any limits may apply only to future models. Here is what business owners should understand about this new kind of vendor risk before it changes anything about how they use AI.

Your employees are already using AI you did not approve

Nearly half of employees use AI tools their employer never sanctioned, and most share sensitive data when they do. The real AI question is not what to buy next. It is what is already running inside your business.

Make better AI decisions, starting with one call.

Book a free AI Fit Call. We will tell you what to use, what to avoid, and where to start. No jargon, no pressure.