Versions 2.1.91 through 2.1.196 of Anthropic’s Claude Code are at the center of a dispute after a Chinese cybersecurity platform claimed the tool can transmit sensitive user information — including identity and geographic location — to remote servers without users’ consent.
The Chinese platform’s claim
The platform, identified in reporting as a Chinese cybersecurity group, issued a statement asserting a “backdoor” security concern in Claude Code, specifically calling out versions 2.1.91 through 2.1.196. According to that statement, the mechanism at issue can send sensitive information — the platform named user identity and geographic location — to remote servers without the user’s consent.
The platform described the behavior as a security risk; the report does not include further technical detail in the published statement about how the transmission occurs or which remote endpoints were involved.
Anthropic’s response and intent for the mechanism
Anthropic responded to the claim by characterizing the disputed mechanism as an experimental anti-abuse feature rather than a clandestine backdoor. In its explanation, Anthropic said the mechanism is part of testing intended to limit abusive or malicious use of its models. The company additionally stated that China and other “adversary countries” are not permitted to use its models.
Those two lines — that the behavior was experimental and that access is restricted for certain countries — form Anthropic’s publicly stated defense in response to the platform’s allegation.
Alibaba’s corporate decision and the Qoder alternative
Reuters reported last week that Alibaba, the Chinese e‑commerce company, issued a company-wide ban on the use of the Anthropic tool by its employees. The ban requires employees to rely on Alibaba’s own AI assistant, Qoder, instead of Claude Code.
The Reuters report also references prior friction between the companies: in June, Anthropic accused Alibaba of attempting to extricate Anthropic’s AI capabilities. The Alibaba ban and the June accusation together underline how commercial and national-security concerns are intersecting with AI procurement and workplace tooling in this case.
Technical and operational implications cited in the claims
At the center of the technical dispute is a single, sharply stated allegation: that the tool can transmit user identity and geographic location without consent. Those are precise data types named by the Chinese platform. Anthropic frames the same mechanism as anti-abuse testing, implying a deliberate purpose rather than surreptitious data exfiltration.
The published record supplied in the reporting does not include independent verification of whether data actually left user devices or corporate networks, what telemetry was collected in practice, or whether the mechanism was active in the workplace context cited by Alibaba. It does, however, show how divergent characterizations of the same codebase can lead to operational decisions — here, a corporate ban and a public dispute.
How technologists, policymakers, and procurement leaders are likely to react
- Technologists and security teams: They will focus on the exact versions called out — 2.1.91 through 2.1.196 — and on confirming whether the reported telemetry behavior exists in deployed builds. Teams will want concrete technical indicators to validate or refute the claim and to determine remediation steps.
- Policymakers and regulators: The dispute centers on cross-border access controls and alleged data transmission to remote servers. Regulators watching national-security and data-protection risks will note Anthropic’s statement that “adversary countries” are excluded from model access as a policy claim relevant to oversight and compliance questions.
- Affected enterprises and procurement leaders: Alibaba’s decision to ban the tool company-wide and require internal use of Qoder signals a procurement posture that prioritizes in-house alternatives when provenance or control is in doubt; other enterprises will likely weigh similar operational controls when vendors and codebases present contested security claims.
Two divergent narratives — a Chinese cybersecurity platform’s classification of behavior as a “backdoor” and Anthropic’s framing of the same mechanism as an experimental anti-abuse test — have produced a concrete outcome in the field: a corporate ban reported by Reuters and renewed public scrutiny of specific Claude Code versions. The next concrete steps the record leaves open are technical verification of whether the alleged transmissions occurred, remediation or patching of the named versions if necessary, and whether enterprises that have restricted use will revise that stance once verification is complete.




