China’s cybersecurity watchdog has flagged Anthropic’s Claude Code as a security risk, saying the AI coding tool contains a “back-door vulnerability” that can quietly transmit user data—including location and identity details—to remote servers without consent. The warning, issued Wednesday by the country’s National Vulnerability DataBase (NVDB), a government-run platform operating under the Ministry of Industry and Information Technology, names specific version numbers and tells organisations to act immediately, rather than simply flagging a vague concern.The timing makes this more than a routine advisory. It lands just weeks after Anthropic accused Chinese tech giant Alibaba of running an industrial-scale campaign to extract its AI capabilities, and days after Alibaba banned its own staff from using Claude Code at work. What started as a dispute over data and distillation has now escalated into dueling accusations, with each side accusing the other’s AI tools of posing security risks, and the fallout is starting to reshape how companies in both countries approach cross-border AI tools altogether.
Claude Code security flaw: what China’s watchdog found
The NVDB said in a statement posted on WeChat that several versions of Claude Code carry a built-in monitoring mechanism capable of sending sensitive information to external servers without users knowing. The affected versions are 2.1.91 through 2.1.196—essentially every release between April 2 and June 29 this year. Anthropic’s current version, as of Wednesday, is 2.1.204.The agency called this a “serious threat” and told organisations and individual users to either uninstall the flagged versions immediately or upgrade to the latest build, where the alleged backdoor code has reportedly been stripped out. It also pushed companies to tighten external network access for developer tools and ramp up traffic monitoring on core business systems to stop any unauthorised data transfers.Anthropic hasn’t responded to requests for comment on the Chinese statement.
Alibaba-Anthropic AI dispute behind the backdoor row
This didn’t come out of nowhere. Last week, a Reddit post alleged that Anthropic had built in hidden code specifically to detect when someone was using Claude Code from within China. An Anthropic employee responded on X, saying the mechanism was part of an experiment that began back in March, meant to catch unauthorised resellers and guard against model distillation—where a weaker AI model is trained using a stronger one’s outputs.That explanation hasn’t cooled things down. Alibaba had already told its staff to stop using Claude Code at work starting July 10, after putting the tool on a high-risk software list. Employees have reportedly been asked to switch to Alibaba’s own coding assistant, Qoder, instead.The backdrop here matters too. Anthropic sent a letter to the US Senate Banking Committee last month accusing Alibaba of running the “largest known distillation attack” against it to date, claiming affiliated operators used roughly 25,000 fraudulent accounts for nearly 29 million exchanges with its models between April and June.China has never officially approved Anthropic’s services for public use, and Anthropic itself restricts access from China on national security grounds. Despite that, Claude has remained popular with Chinese researchers and engineers, many of whom access it through overseas proxies—often subsidised by their employers.For now, neither Anthropic nor Alibaba has issued a fresh statement following NVDB’s latest warning, leaving the standoff exactly where it was: unresolved, and getting more public by the week.
