https://cnvdb.org.cn/announcement/2074682031259299842
China’s National Vulnerability Database (CNVDB) has urged developers to immediately uninstall recent versions of Anthropic’s Claude Code, citing concerns over what it describes as “backdoor code” capable of collecting sensitive user data without consent. The state-run body claimed via WeChat and an official online statement that a built-in monitoring mechanism within Claude Code versions 2.1.91 through 2.1.196, released between 2 April and 29 June, could gather details such as a user’s location and identity and forward them to remote servers. The CNVDB has recommended that affected organisations conduct a comprehensive investigation and either uninstall the software or upgrade to the latest version, while also strengthening access controls and traffic monitoring on development tools within core business networks.
The concerns appear to stem from a covert anti-distillation mechanism that Anthropic quietly introduced in March, designed to prevent competing AI companies from training their own models on Claude’s responses — a practice known as model distillation. Claude Code engineer Thariq Shihipar publicly acknowledged the experiment, noting that stronger mitigations had since been implemented and that the steganography system was removed in version 2.1.198, released on 1 July. Anthropic has not responded to questions about whether the mechanism was disclosed in its terms of service, and the company did not immediately respond to requests for comment regarding China’s alert.
The row over alleged user tracking is just one element of a broader deterioration in relations between Anthropic and China. The AI company was previously embroiled in a public dispute with Chinese tech giant Alibaba, which it accused of using Claude’s outputs to train its own models — described by Anthropic in a letter to two US senators as the largest attack on its AI the company had ever experienced. More recently, Alibaba has reportedly banned its own staff from using Claude altogether, citing fears the tool could be used to identify Chinese users, according to the South China Morning Post.