Claude Code Security Just Got a New Line Item: The Vendor Itself

China's regulator flagged Claude Code for undisclosed location tracking this week, and Anthropic confirmed it. Here is what a vendor telemetry admission means for an engineering org's code-risk checklist.
China's National Vulnerability Database flagged Claude Code for a "security backdoor" on July 8, and Anthropic confirmed it had shipped undisclosed code tracking user location and lab affiliation since March. Alibaba banned the tool for staff on July 10. The engineering angle most board memos will miss: this wasn't a competitor's harness with a permissions gap, it was the vendor itself, and nobody found it until a developer did.
On July 8, China’s National Vulnerability Database posted three sentences about Claude Code that read like an advisory against a hostile actor. It said it had detected that the tool “contains security backdoor risks, posing a severe threat,” and that the risk involved sending user location and identity data back to Anthropic’s servers without consent. Two days earlier, Alibaba had already told its staff to stop using it, calling it “high-risk software with security vulnerabilities.” By July 9, Anthropic wasn’t denying the mechanism existed. It was arguing about jurisdiction.
That’s the part worth sitting with. Every claude code security conversation this year has been about the tool’s permission model, its sandbox boundaries, its MCP allowlists. This week the question moved one layer up, to the vendor relationship itself.
What Anthropic Actually Built, and Why It Took a Developer to Find It
Here’s what happened, stripped of the geopolitics. In March, Anthropic’s Claude Code team shipped a hidden mechanism that checked a session’s base-URL environment variable for proxy overrides, read the system timezone, and cross-referenced hostnames against a list of Chinese AI labs, competitors, resellers, and gateway domains. When it found a match, it silently altered the system prompt using invisible Unicode markers, with the classifications themselves obscured through XOR encryption and base64. None of this appeared in the terms of service.
Thariq Shihipar, the Anthropic engineer who explained it publicly, was straightforward about the motive: “This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.” He added that the team had “actually been meaning to take this down for a while.” The removal shipped July 1.
The motive checks out. Anthropic told the Senate Banking Committee in a June 10 letter that operators tied to Alibaba’s Qwen lab had run roughly 28.8 million exchanges with Claude through about 25,000 fraudulent accounts between April and June, the kind of large-scale distillation attempt that actually does threaten a model vendor’s IP. I believe that problem was real. What I don’t believe is that the fix belonged in a shipping product, undisclosed, discovered by chance.
"Affected are Claude Code versions 2.1.91 through and including 2.1.196."
That’s over a hundred point releases carrying a mechanism nobody outside Anthropic knew was there. Not a single one of those changelogs mentioned it.
Why a Claude Code Security Review Should Add a Vendor-Telemetry Line
Most engineering orgs have spent this year building a real audit habit: MCP server allowlists, permission modes, sandbox egress rules, a kill switch that actually gets tested. That checklist assumes the risk lives in what gets configured, or in what a third-party extension does. This week’s story is the first mainstream one where the risk lived in the harness vendor’s own code, shipped by design, and justified after the fact.
Three questions belong on the next claude code security review that probably weren’t there before:
Undisclosed vendor telemetry is a code-risk category of its own, separate from the permission and MCP risks most teams already track. The audit question isn't just "what can our harness see," it's "what does our harness send home that nobody would find without a developer stumbling onto it."
First: does the current contract or terms of service actually list everything the tool sends back to the vendor? Most engineering leaders I’ve talked to this year assumed the answer was yes and never checked. Second: if a vendor found itself defending a legitimate business interest (IP theft, account abuse, whatever it is), would it disclose that before shipping a fix, or only after someone found it? Third: who owns the job of periodically checking, not the vendor’s marketing page, but actual outbound network behavior?
None of this requires distrusting Anthropic specifically, or assuming every harness vendor is hiding something. It requires treating vendor telemetry as its own line on the register, the same way MCP servers and browser extensions already earned one.
The Facts in 60 Seconds: Versions, Dates, and What Anthropic Admitted
July 8: China’s National Vulnerability Database flags Claude Code, alleging transmission of location and identity data without consent. July 9: Anthropic’s public position is jurisdictional, that Chinese users “were not supposed to be using it in the first place,” not a denial the mechanism existed. July 10: Alibaba’s ban takes effect, and coverage confirms the affected range, versions 2.1.91 through 2.1.196, removed in 2.1.198 on July 1. No CVE was ever assigned. The mechanism’s stated purpose, blocking a genuine distillation campaign, was disclosed by Anthropic only after a developer found it, not before it shipped.
What to Check Before the Next Harness Renewal
The point here is to feel equipped, not alarmed. This isn’t a reason to rip out Claude Code, and it isn’t evidence that one harness vendor is worse than another on this particular axis, because none of them have been tested this publicly yet. It’s a reason to add one item to the next renewal conversation: ask the vendor, in writing, what the tool sends home that isn’t in the product docs, and what its disclosure process looks like the next time it decides something needs to be tracked quietly. The distillation problem was real. The next undisclosed fix for a real problem is one worth hearing about from the vendor directly, not from a regulator on the other side of the world.
Sources
- China warns of 'security backdoor' in Anthropic AI coding tool - CBS News, 2026-07-08
- Anthropic hits back after China warns of Claude Code 'backdoor' risks - South China Morning Post, 2026-07-09
- China vulnerability database warns about Claude Code - Igor's Lab, 2026-07-10
- Alibaba bans staff from using Claude Code over Anthropic spyware concerns - South China Morning Post, 2026-07-03
- Anthropic is removing its covert code for catching Chinese competitors - The Register, 2026-07-01
- Anthropic Says Alibaba Used 25,000 Fake Accounts To Distill Claude - Forbes, 2026-06-26