All posts

China warns devs to uninstall Claude Code over data fears

Huma ShaziaJuly 8, 2026 at 7:46 PM5 min read
China warns devs to uninstall Claude Code over data fears

Key Takeaways

China warns devs to uninstall Claude Code over data fears
Source: www.theregister.com
  • China's CNVDB claims Claude Code versions 2.1.91-2.1.196 contain a monitoring mechanism that can transmit user data without consent
  • Anthropic previously admitted to running a covert steganography system to prevent model distillation by Chinese competitors
  • Alibaba has banned staff from using Claude over concerns about user identification

China's National Vulnerability Database is telling developers to immediately uninstall certain versions of Claude Code, claiming the AI coding assistant contains hidden mechanisms that harvest user data. The advisory from CNVDB, a state-run security body, targets versions 2.1.91 through 2.1.196, released between April 2 and June 29, 2026.

CNVDB described the alleged mechanism as "backdoor code" and claimed it can collect user location and identity information, then forward it to remote servers. The organization urged Chinese enterprises to conduct "comprehensive investigations" of development environments and either uninstall affected versions or upgrade to the latest release.

Advertisement

What exactly is China claiming about Claude Code?

In a WeChat post and online statement, CNVDB alleged that a "built-in monitoring mechanism" in the specified Claude Code versions can gather sensitive details about users. The advisory recommended strengthening "control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data."

Anthropic did not respond to The Register's request for comment. The company also declined to answer questions last week about a separate but related issue: covert code designed to prevent competing AI companies from extracting information about Claude's architecture.

The steganography system Anthropic quietly removed

The timing of China's advisory is notable. Just days earlier, Claude Code engineer Thariq Shihipar publicly acknowledged that Anthropic had been running an experiment since March to protect against model distillation. This is a technique where AI companies improve their models by training them on outputs from more advanced competitors.

"The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while," Shihipar said. Anthropic removed the secret steganography system in version 2.1.198, released on July 1. That version falls outside CNVDB's advisory range.

When asked whether the mechanism was disclosed in Anthropic's terms of service, the company referred reporters to Shihipar's statement, which did not address the question.

Advertisement

The broader Anthropic-China conflict

This advisory lands amid escalating tensions between Anthropic and Chinese tech companies. Anthropic recently accused Alibaba of using Claude's outputs to train its own models. In a letter to two US senators obtained by Reuters, Anthropic described the incident as the largest attack on its AI systems the company had ever experienced.

Alibaba has responded by banning its staff from using Claude entirely, citing fears the tool could be used to identify Chinese users, according to the South China Morning Post.

The conflict illustrates a widening rift in the AI industry. As American and Chinese AI companies race to develop more capable models, allegations of data harvesting and model theft are becoming flashpoints. Both sides claim the other is engaging in improper data collection.

What should enterprise teams do?

For IT leaders outside China, the CNVDB advisory raises practical questions. If you're running Claude Code in your development environment, version 2.1.198 or later appears to exclude the contested monitoring code, based on Anthropic's own statements about removing the steganography system.

Whether the Chinese claims about data forwarding are accurate remains unverified. Anthropic has not confirmed or denied that the monitoring mechanism transmitted data to external servers. The company's silence makes independent security audits more important for enterprises with strict data governance requirements.

Organizations operating in China face a clearer directive. CNVDB's recommendation carries regulatory weight there, and continued use of flagged versions could create compliance headaches.

ℹ️

Logicity's Take

This story is as much about geopolitics as it is about security. Anthropic's admitted steganography experiment, designed to catch Chinese competitors, gave CNVDB a legitimate hook. Whether the "backdoor" claim is technically accurate or opportunistic framing, the result is the same: Chinese developers now face pressure to avoid Claude entirely. For CIOs evaluating AI coding assistants, this highlights vendor risk beyond traditional security concerns. GitHub Copilot (backed by Microsoft), Amazon CodeWhisperer, and open-source alternatives like Codeium or Tabby offer paths with different geopolitical exposure profiles. The lesson: your AI toolchain now carries supply chain risk tied to US-China relations.

Frequently Asked Questions

Which Claude Code versions are affected by the CNVDB advisory?

Versions 2.1.91 (April 2, 2026) through 2.1.196 (June 29, 2026). Version 2.1.198, released July 1, removed the contested code.

Has Anthropic confirmed the data collection claims?

No. Anthropic has not responded to questions about the CNVDB's specific allegations. The company acknowledged running a steganography system for anti-distillation purposes but did not confirm whether it transmitted user data externally.

Why did Alibaba ban Claude for its employees?

According to the South China Morning Post, Alibaba fears Claude could be used to identify Chinese users. This followed Anthropic accusing Alibaba of using Claude outputs to train its own AI models.

Should enterprises outside China be concerned?

The risk depends on your data governance requirements. Upgrading to version 2.1.198 or later removes the known steganography code. Organizations handling sensitive code should consider independent security audits of any AI coding tools.

Also Read
Google picks 33 cybersecurity startups for Gemini AI forum

Related coverage on AI security ecosystem developments

Also Read
Vercel acquires Better Auth for agent identity push

Context on AI agent authentication and identity concerns

ℹ️

Need Help Implementing This?

Evaluating AI coding assistants for your enterprise? Logicity's consulting team helps IT leaders assess security, compliance, and vendor risk for developer toolchains. Contact us for a confidential assessment.

Source: www.theregister.com

Advertisement
H

Huma Shazia

Senior AI & Tech Writer

Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.