China has turned an AI coding tool into the latest flashpoint in its technology rivalry with the United States. The country’s National Vulnerability Database warned on July 8 that several versions of Anthropic’s Claude Code contained what it called “security backdoor vulnerabilities.”
The government-run platform said versions 2.1.91 through 2.1.196 could transmit location and identity information to remote servers without users’ consent. Anthropic disputes the backdoor label, saying the code was an anti-abuse measure designed to identify prohibited access, unauthorized resellers, and attempts to copy Claude’s capabilities.
China and Anthropic dispute the monitoring code
The Chinese database advised users to uninstall the affected releases or update to a newer version, according to reporting on the warning. The versions were released between April and June 2026.
No public independent audit has shown that the mechanism enabled remote control, arbitrary code execution, or theft of source repositories. Reports describing the underlying code instead point to environmental checks involving time zones, proxy addresses, and identifiers associated with Chinese companies and AI laboratories.
Anthropic rejected China’s characterization. A Claude Code engineer said the company introduced the experiment in March 2026 to combat account abuse by unauthorized resellers and model distillation, which uses one model’s outputs to help train another. The company later removed the experimental code after developing other safeguards.
The confirmed presence of an undisclosed monitoring mechanism still creates a transparency problem. Enterprises must be able to distinguish routine product telemetry from controls that classify users by location, network configuration, or access method.
Alibaba reportedly prohibited employees from using Anthropic products beginning July 10 and directed them toward its Qoder coding platform. The decision did not independently validate China’s technical allegations, but it demonstrated how quickly a disputed warning can change corporate software policy.
Geopolitical controls reach developer workflows
Claude Code is gaining broader access to development environments through automation features connected to repositories, scheduled tasks, and external tools. Undisclosed monitoring in those environments carries added risk because repositories may contain proprietary code, credentials, and infrastructure details.
Anthropic previously expanded its regional restrictions to organizations majority-owned by entities in China and other unsupported jurisdictions, including some subsidiaries incorporated elsewhere. The company cited national-security and model-misuse concerns.
Those restrictions help explain Anthropic’s efforts to detect access through proxies, overseas entities, and unauthorized resellers. They also complicate deployments for multinational companies whose ownership, employees, and infrastructure span several jurisdictions. Recent questions about AI access through overseas subsidiaries show how Singapore and other regional hubs can become focal points for enforcing vendor restrictions.
The broader shift from copilots to autonomous workflows gives coding agents greater access to company data and operational systems. Security reviews should document what location, identity, network, and repository data a tool collects, where it is processed, whether telemetry can be disabled, and how new monitoring controls will be disclosed.
China’s warning remains a disputed security finding rather than proof of a conventional backdoor. It nevertheless shows how geographic enforcement and model-protection controls are moving into enterprise software, forcing APAC organizations to evaluate AI tools country by country instead of approving them globally.
Read more: Anthropic is also working with major technology companies on shared defenses against AI-enabled cyberattacks, adding another dimension to its role in enterprise AI security.


