China Warns Of Security Backdoor In Anthropic's Claude Code Tool
China's National Vulnerability Database issued a public warning on Wednesday, July 8, 2026, saying Anthropic's Claude Code contains a "security backdoor" that can transmit sensitive data to Anthropic servers without user consent.[1]
The NVDB urged users and institutions to immediately inspect systems using Claude Code and to uninstall or upgrade to a version where the alleged backdoor has been removed.[1] Alibaba has instructed employees that use of Claude Code will be banned starting July 10, 2026, citing security concerns tied to the tool.[1] Anthropic engineer Thariq Shihipar had earlier acknowledged a March experiment that tracked certain signals to combat unauthorized resellers and said it would be fully rolled back in an upcoming release.[1]
In March 2026, Anthropic launched an internal experiment to detect and block unauthorized resellers and model distillation. That monitoring code shipped silently in Claude Code version 2.1.91 on April 2, 2026, and checked for China-linked timezones, proxies and domains before encoding findings into requests sent to Anthropic servers. A Reddit user reverse-engineered and exposed the obfuscated tracking logic on June 30, 2026, prompting researchers and regulators to scrutinize the tool. Anthropic says operators linked to Alibaba used nearly 25,000 fake accounts to generate about 28.8 million interactions with its Claude model between April and June 2026. Anthropic described that activity as the largest known distillation attack to date.
Some analysts and researchers say the fingerprinting triggered only for custom API endpoints and encoded signals via small prompt changes rather than using a separate data exfiltration channel. Still, China's advisory has already prompted firms and state-linked organizations to disable or re-evaluate Claude Code inside China.
The mainstream summary does not mention the scale of the alleged misuse of Claude Code, specifically that operators linked to Alibaba reportedly generated approximately 28.8 million interactions with Anthropic's model using nearly 25,000 fake accounts, which Anthropic described as the largest known distillation attack to date. This context highlights the severity of the security concerns raised by China's National Vulnerability Database, suggesting a more extensive threat than the summary implies. Furthermore, while the mainstream account frames the issue primarily around a security backdoor, social media insights reveal that the fingerprinting mechanism in Claude Code activates only for custom API endpoints and encodes signals through subtle prompt changes, rather than through a separate data exfiltration channel. This nuance is critical, as it suggests that the nature of the data transmission may not be as overtly malicious as the term 'backdoor' implies, complicating the narrative of intentional wrongdoing by Anthropic. Moreover, the summary does not address the implications of the U.S.-China technological competition, which is a crucial backdrop influencing the scrutiny of AI tools like Claude Code.
Show source details & analysis (1 source)
π Relevant Data
Anthropic reported that operators linked to Alibaba used nearly 25,000 fake accounts to generate approximately 28.8 million interactions with its Claude model between April and June 2026 in what the company described as the largest known distillation attack to date.
Anthropic says Alibaba illicitly extracted Claude AI model capabilities β Reuters
π Key Facts
- On Wednesday, July 8, 2026, Chinaβs National Vulnerability Database issued a public warning that Claude Code contained a 'security backdoor' able to transmit sensitive data to Anthropic servers without user consent.
- The NVDB urged users and institutions to immediately inspect systems using Claude Code and to uninstall or upgrade to a version where the alleged backdoor code has been removed.
- Alibaba has instructed employees that use of Claude Code will be banned starting July 10, 2026, citing security concerns tied to the tool.
- Claude Code engineer Thariq Shihipar previously acknowledged an experiment launched in March that tracked certain data to combat unauthorized resellers and distillation, and said it would be fully rolled back in an upcoming release.
π° Source Timeline (1)
Follow how coverage of this story developed over time