China Brands Anthropic’s Claude Code a Backdoor Risk, Escalating AI Rivalry With U.S.

China's National Vulnerability Database flagged older Claude Code versions for secretly transmitting user location and identity data, labeling it backdoor code. Anthropic calls the mechanism a short-lived anti-distillation experiment and notes China users were never authorized. The alert intensifies U.S.-China AI tensions amid mutual accusations of model theft and surveillance.
China Brands Anthropic’s Claude Code a Backdoor Risk, Escalating AI Rivalry With U.S.
Written by Maya Perez

China’s state-backed cybersecurity apparatus moved swiftly this week. It flagged specific versions of Anthropic’s popular Claude Code programming tool as carrying a hidden monitoring mechanism. The National Vulnerability Database described the feature as backdoor code. It warned that the software could transmit users’ location data and identity details to distant servers without consent.

The alert landed on July 8. It targeted Claude Code releases from version 2.1.91, issued April 2, through 2.1.196 on June 29. The Register first detailed the CNVDB’s WeChat post and online statement urging immediate audits. Developers in core business networks received blunt advice. Uninstall the affected editions. Or upgrade to the newest build where the mechanism no longer exists. Tighten outbound traffic rules. Watch every development tool.

Short and direct. The language carried weight. “It is recommended that relevant units and users immediately conduct a comprehensive investigation,” the database said. Serious threat. That phrase appeared across official channels.

Anthropic pushed back within hours. The company told reporters the flagged code formed part of a short-lived experiment launched in March. Its purpose centered on blocking model distillation. Rivals had tried to refine their own systems by training on Claude’s outputs. The mechanism used subtle steganographic markers. These markers revealed when queries arrived through Chinese proxies or from certain time zones. Thariq Shihipar, a Claude Code engineer, posted publicly that stronger protections now sit in place. The team removed the system entirely in version 2.1.198 on July 1.

But China saw something different. The built-in monitor gathered location and identity signals. It forwarded them outward. Beijing labeled the behavior unauthorized data exfiltration. And the timing raised eyebrows. Anthropic had already clashed with Chinese labs.

Since February the San Francisco startup accused Alibaba, DeepSeek, MiniMax and others of large-scale distillation attacks. One letter sent to two U.S. senators described the Alibaba effort as the biggest assault Anthropic had faced. Reuters reviewed that correspondence. The company claimed the Chinese firms extracted model capabilities at industrial scale.

Relations soured further. Last week Alibaba circulated an internal notice. Staff must stop using Claude Code by July 10. The South China Morning Post saw the memo. Security concerns topped the list. Now the government warning gives that prohibition official cover.

Anthropic’s latest statement struck a firm tone. Users in China “were never permitted to run it in the first place,” a spokesperson said. The firm’s terms have long barred access from the mainland. Claude itself sits behind national-security restrictions. Yet Chinese engineers kept finding ways in. Overseas proxies. Employer subsidies. The tool gained traction anyway. The Wall Street Journal noted its popularity among researchers despite the blocks.

The episode reveals deeper fractures. U.S. AI developers embed defenses against intellectual-property theft. Chinese authorities view those same defenses as surveillance tools aimed at their citizens. Both sides frame the other’s actions as threats to sovereignty. One side protects models. The other guards data flows.

Legal experts in Hong Kong and Beijing weighed in quickly. Cai Peng of Zhong Lun Lawyers called the tracking “a direct and unacceptable security risk,” citing Anthropic’s adversarial posture. Ben Hu from the Hong Kong China Network Security Association observed that AI supply chains now carry national-security weight. Organizations must vet suppliers with the same rigor once reserved for hardware from sensitive regions. The South China Morning Post captured those assessments on July 9.

Technical details remain sparse. The CNVDB did not publish proof-of-concept exploits or packet captures. No public reports confirm active data theft from Chinese networks. The warning rests on static analysis of the binary or prompt injections. Still, the recommendation is absolute. Remove it. Monitor everything.

Anthropic has stayed largely silent on the precise inner workings. Its earlier X post and statements to The Register emphasized the experiment’s short lifespan and subsequent removal. The company referred questions about terms-of-service disclosure back to Shihipar’s comment. That note never addressed whether users received notice of the tracking.

The broader pattern looks familiar. Washington restricts advanced chips and model weights. Beijing responds with its own controls on data, talent and foreign software. Each move tightens the divide. Enterprises caught in the middle scramble to audit toolchains. They weigh capability against compliance risk.

Claude Code itself represents a leap in autonomous programming. Developers praise its ability to handle complex refactoring and debugging. Yet the very features that make it powerful—deep context awareness, persistent memory across sessions—also create rich data streams worth protecting or exploiting. Location signals tied to developer identities could reveal organizational structure. Project focus. Even supply-chain relationships.

So the stakes climb. One nation sees theft of frontier model knowledge. The other sees covert collection inside its technology corridors. Neither appears ready to trust the other’s assurances.

CNVDB’s post advised organizations to scan development terminals across core segments. The language suggests concern that the tool may have reached sensitive environments. State-owned enterprises. Research labs. Military-adjacent contractors. All now face pressure to purge older builds.

Whether the mechanism truly qualifies as a backdoor depends on perspective. Anthropic built it to detect and deter unauthorized use. From that view it functions as intended. China labels any undisclosed outbound telemetry a threat. The gap between those interpretations will not close soon.

Newer versions have excised the code. Version 2.1.204 stands as the current release, according to Anthropic’s changelog. Compliance-minded teams in China will likely migrate quickly. Others may accept the risk or seek domestic alternatives already sanitized for local regulations.

The incident adds fresh fuel to debates over AI governance. When does anti-abuse engineering cross into surveillance? Who decides? And how do global developers operate when governments on both sides of the Pacific treat their tools as strategic assets?

Answers remain elusive. What is clear is the speed of escalation. A Reddit discovery last week. An engineer’s explanatory post. Then a national vulnerability alert. Corporate bans. Public statements. All within days. The AI contest has moved from model benchmarks to the software that writes the next models.

Developers everywhere should take note. Audit the assistants that audit your code. Track what they phone home. Because governments certainly are.

Subscribe for Updates

AISecurityPro Newsletter

A focused newsletter covering the security, risk, and governance challenges emerging from the rapid adoption of artificial intelligence.

By signing up for our newsletter you agree to receive content related to ientry.com / webpronews.com and our affiliate partners. For additional information refer to our terms of service.

Notice an error?

Help us improve our content by reporting any issues you find.

Get the WebProNews newsletter delivered to your inbox

Get the free daily newsletter read by decision makers

Subscribe
Advertise with Us

Ready to get started?

Get our media kit

Advertise with Us