alexi.sh
All articlesBrowser securityNetwork privacyPrivacy toolingThreat modelingAI codingDev tooling

alexi.shAI Engineering Lab

ai-coding

Claude Code 'Backdoor': What China's Alert Actually Says - And What To Do

PrivSec Lab3 min read
A laptop displaying code in a dimly lit room next to a coffee mug

China's cyber authority flagged a 'backdoor' in Anthropic's Claude Code, and Alibaba banned it. Anthropic calls it an anti-abuse experiment. The facts, both sides, the affected versions, and the practical fix.

China's cyber authority has flagged a "security backdoor" in Anthropic's Claude Code, the popular AI coding tool, and Alibaba has banned it for employees. Anthropic describes the same mechanism as an anti-abuse experiment. According to CBS News, CNBC and Tom's Hardware, here are the facts, both sides, and the practical fix. For background, see our AI coding agent guide.

What was flagged

According to the reporting, China's Ministry of Industry and Information Technology (MIIT) said its cybersecurity threat platform found that Claude Code contained a security back-door. The claim: the tool could transmit sensitive information - including a user's location and identity-related identifiers - back to Anthropic's servers without consent.

Alibaba then banned employees from using Claude Code for work, effective 10 July, and pointed staff to an alternative tool.

Blue ethernet cables connected to a network switch

What Anthropic says

Anthropic's account is different. An engineer on the Claude Code team, Thariq Shihipar, addressed the findings on X, describing the mechanism as an experiment launched in March to prevent account abuse by unauthorised resellers and to protect against model distillation.

In other words, the two sides agree that code existed to detect where a user was - but disagree on its purpose: a covert data-collection backdoor, per the Chinese alert, versus an abuse-prevention check, per Anthropic. We are not in a position to adjudicate intent; both descriptions are on the record.

Which versions, and the fix

The concrete, useful part is the version range. According to the coverage:

  • Affected: Claude Code 2.1.91 to 2.1.196 (released 2 April to 29 June 2026).
  • Latest listed version: 2.1.204 - outside the flagged range.

The low-effort step for anyone using it: uninstall the affected versions or upgrade to the current release.

The wider lesson

Whatever the intent here, the episode is a reminder that an AI coding tool runs on your machine with real access - your files, your environment, and a network connection back to a vendor. That is worth a moment of AI agent security thinking:

  • Know what leaves your machine. Any cloud AI tool sends prompts and context to a server. Check what a tool transmits and when.
  • Follow policy for sensitive code. If you work on regulated or confidential code, apply your organisation's rules on which AI tools are allowed.
  • Keep tools updated. Running the current version is the simplest way to stay clear of a flagged build.

The honest takeaway

Two caveats. First, this is a live dispute: a government alert and a company's explanation, reported by mainstream outlets, not a settled independent audit. We have stated both sides without picking one. Second, the fix is undramatic and the same either way: update Claude Code and know what your tools send.

The honest read: treat any AI coding assistant as software with access and a network link, keep it current, and match your caution to your threat model. If you are weighing alternatives, our Cursor vs Claude Code comparison and best coding LLMs 2026 overview can help.

Photo: Pexels (source)

Also available in

FAQ

What is the Claude Code backdoor alert?
According to CBS News and CNBC, China's Ministry of Industry and Information Technology said its cybersecurity platform found that Anthropic's AI coding tool Claude Code contained a security back-door that could transmit sensitive data - such as a user's location and identity-related identifiers - to Anthropic's servers. Anthropic describes the mechanism differently; see below.
Which Claude Code versions are affected?
According to the reporting, the affected Claude Code versions are 2.1.91 to 2.1.196, released between 2 April and 29 June 2026. Anthropic's site listed 2.1.204 as the latest version. The practical advice is to uninstall the affected versions or upgrade to the current release.
What does Anthropic say about it?
An engineer on the Claude Code team, Thariq Shihipar, addressed the findings on X, describing the mechanism as an experiment launched in March to prevent account abuse by unauthorised resellers and to protect against model distillation. In that account it was a location or China-detection check for abuse prevention, not a covert data-theft backdoor.
Should I stop using Claude Code?
That is your call and depends on your threat model. The low-effort, sensible step for anyone is to upgrade to the latest Claude Code version, which is outside the flagged range. If you handle sensitive or regulated code, review what any AI coding tool sends off your machine and apply your organisation's policy.