"It is recommended that relevant units and users immediately conduct a comprehensive investigation," China's National Vulnerability Database said on Wednesday, urging developers to remove certain versions of Claude Code over fears those releases contained "backdoor code" that could exfiltrate sensitive data.
CNVDB advisory and recommended actions
The state-run CNVDB published the alert via WeChat and an online statement, saying a "built-in monitoring mechanism" in recent Claude Code releases could collect details such as a user's location and identity and forward them to remote servers. The advisory instructs affected parties to "immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed" and to "strengthen the control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data."
Affected Claude Code versions and timeline
CNVDB specified the advisory applies to Claude Code versions 2.1.91 (released April 2) through 2.1.196 (released June 29). The Register reported the alert and asked Anthropic for comment; the company did not immediately respond. According to The Register's reporting, the secret mechanism was removed in version 2.1.198, which was released on July 1.
Anthropic's experiment, Thariq Shihipar's statement, and the removed mechanism
Claude Code engineer Thariq Shihipar publicly stated that Anthropic launched an experiment in March intended to protect against model distillation — the process by which one company trains on another model's outputs. Shihipar said the team "has landed stronger mitigations since then and we've actually been meaning to take this down for a while." The Register noted that Anthropic did not answer questions last week about the covert code designed to prevent competing AI companies from extracting intel about Claude's inner workings, and that when asked whether the mechanism had been disclosed in Anthropic's terms of service the company referred back to Shihipar's statement; that statement did not address the disclosure question.
Alibaba, Reuters letter, and broader China tensions
The episode has been cited as one factor in deteriorating relations between Anthropic and Chinese firms. The Register reported Anthropic had been in a public spat with Alibaba, accusing the Chinese tech giant of using Claude's outputs to improve Alibaba models. According to a letter to two US senators seen by Reuters, that event was "the largest attack on Anthropic's AI that the company had ever seen." Separately, the South China Morning Post reported that Alibaba banned its staff from using Claude over concerns it could be used to identify Chinese users.
What this means for technologists, enterprises, and regulators
- Technologists and security teams: CNVDB's language focuses on immediate containment — uninstall affected versions or upgrade, restrict external access permissions, and monitor traffic from development tools inside core business networks. The advisory singles out specific version numbers and dates, enabling targeted inventory and remediation.
- Affected enterprises and procurement leaders: Organizations using Claude Code in development environments now have a specific action set: confirm whether versions 2.1.91 through 2.1.196 were deployed, remove or upgrade affected installations, and review vendor disclosure practices after Anthropic referred reporters to an engineer's public statement rather than to contract or terms language.
- Regulators and policymakers: The CNVDB advisory and the public back-and-forth between Anthropic and Chinese companies such as Alibaba underline cross-border operational and disclosure questions. The record shows a public advisory from a state-run vulnerability body, non-response to media queries from the vendor, and an internal engineer's admission that the mechanism had been experimental and later removed.
CNVDB's call to action is precise: uninstall or upgrade and increase internal controls. Anthropic's engineer says the mitigation experiment has been removed, and version 2.1.198 on July 1 reflects that change — but reporters' questions about formal disclosure remain unanswered, and Anthropic did not immediately reply to The Register. The episode ties technical controls to commercial and geopolitical friction: an advisory aimed at developers, a company engineer's public explanation, a vendor non-response to media queries, a high-profile dispute with Alibaba, and a Reuters-sourced letter to US senators describing an attack on Anthropic's AI. Whether the disclosure gap flagged by reporters will be closed by formal vendor documentation — or by further advisory follow-ups from CNVDB — is the concrete question left in this record.




