Claude Code's 'China backdoor,' explained — what the hidden tracker actually did, which versions, and what to do
It's not spyware, and it's not nothing. Anthropic quietly shipped a steganographic marker in Claude Code that watermarked requests to catch model distillation and unauthorized resellers — invisible, undisclosed, and keyed to the Asia/Shanghai and Asia/Urumqi timezones. It was removed in 2.1.198 on July 1; a week later China called the older versions a 'backdoor.' Here's the verified middle: what it did, what it didn't, and what to actually do.
On July 8, 2026, China’s National Vulnerability Database (CNVDB) issued an alert calling Claude Code versions 2.1.91 through 2.1.196 “backdoor code” — a “built-in monitoring mechanism” that, it said, collects “a user’s location and identity” and forwards them to remote servers. It told developers to immediately uninstall or upgrade, and to tighten access controls and traffic monitoring. Alibaba had already moved to bar staff from using the tool. If you use Claude Code, that headline is alarming. The reality is narrower, stranger, and worth getting exactly right.
What China flagged traces back to something Anthropic quietly shipped in March and removed on July 1: a covert steganographic marker hidden in Claude Code’s system prompt, built to watermark requests and catch model distillation and unauthorized resellers. It was invisible, undisclosed, and specifically keyed to Chinese timezones — a real trust problem — but on the public reverse-engineering it was not a pipe for stealing your files, location, or identity. This page is the verified middle between “harmless experiment” and “spyware backdoor.” Primary sources are at the end.
The 30-second version
- What China said: on July 8, the CNVDB flagged Claude Code 2.1.91–2.1.196 as containing a backdoor that collects location and identity; it advised uninstall or upgrade. Alibaba banned internal use.
- What it actually was: a steganographic marker Anthropic added in March, hidden in the system-prompt date line, that watermarked requests to detect model distillation and unauthorized reselling.
- Did it steal your data? On the public analysis, no — it tagged and classified requests, keyed to timezone and endpoint. It did not upload your code, credentials, location, or identity.
- Is it still there? No. Removed in 2.1.198 (July 1, 2026). The flagged range ends at 2.1.196.
- What to do: upgrade to 2.1.198 or later. No secret rotation needed; the useful hardening is version review and outbound-traffic monitoring.
What the marker actually did
The mechanism was found by reverse-engineering, by a developer publishing as Thereallo, before Anthropic acknowledged it. According to that analysis, Claude Code silently altered its own system prompt — the instructions sent to the model on every turn — using invisible-to-near-invisible Unicode manipulation of the date line (the innocuous “Today’s date is 2026-06-30” string) and apostrophe characters. The payload was obfuscated with XOR (key 91) and base64, so it read as plain English while carrying a hidden signal.
Two things gated it:
- Endpoint check. It read the configured base-URL environment variable and matched the hostname against a concealed list — decoded at runtime — of known Chinese AI labs, other AI companies, account resellers, and gateway domains.
- Timezone check. It activated on specific system timezones, notably Asia/Shanghai and Asia/Urumqi.
When those conditions matched, the marker encoded a proxy/reseller classification into the request itself. The point was not to phone home with your data; it was to fingerprint the traffic so that if a model were later trained on Claude’s outputs (distillation) or requests were relayed through an unauthorized reseller, Anthropic could recognize its own watermark. In other words: it tagged the request, it didn’t exfiltrate the user.
That distinction is the whole story, so it’s worth stating plainly: a watermark that rides along in the prompt is a very different thing from a monitoring channel that uploads who and where you are. The former is what the code did; the latter is how it was later described.
What Anthropic said
After the reverse-engineering surfaced, Anthropic engineer Thariq Shihipar addressed it publicly, describing it as “an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation,” and adding that the team “landed stronger mitigations since then and we’ve actually been meaning to take this down for a while.” Anthropic removed the mechanism in Claude Code 2.1.198, released July 1, 2026.
What Anthropic has not done is explain the disclosure gap. Asked whether the steganographic tracking was covered anywhere in its terms of service, the company declined to answer and pointed press to Shihipar’s statement, which doesn’t address it. Anti-distillation and anti-fraud measures are ordinary; shipping one that rewrites the prompt invisibly, keyed to a specific country’s timezones, and leaving it in place for roughly three months without disclosure is the part that earns the trust cost — independent of anything a government later says about it.
What China said — and where it diverges
A week after the removal, the geopolitical version arrived. On July 8 the CNVDB — China’s national vulnerability database, under the Ministry of Industry and Information Technology — published an alert describing versions 2.1.91–2.1.196 as backdoor code with a built-in monitoring mechanism that “collects details such as a user’s location and identity, and forwards them to remote servers,” and recommending users “immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed” while strengthening access controls and traffic monitoring. Separately, per South China Morning Post reporting, Alibaba told staff to stop using Claude Code because it “could be used to identify Chinese users.”
Set the advisory next to the code and one claim is solid and one is stretched. Solid: the mechanism was covert, undisclosed, and specifically singled out Chinese-timezone and Chinese-lab traffic — so “it treated Chinese users differently, without telling them” is defensible, and “could be used to identify Chinese [reseller] traffic” is close to its actual purpose. Stretched: “collects a user’s location and identity and forwards them to remote servers” describes a data-exfiltration channel, and that is not what the public analysis found. The marker keyed on your timezone; it did not send your location. Both framings can be quoted accurately — which is exactly why it helps to know which part of each is load-bearing.
Which versions, and what to do
| Affected (flagged by CNVDB) | Claude Code 2.1.91 – 2.1.196 |
| Marker removed | 2.1.198 (July 1, 2026) |
| What it required | your timezone + base-URL hostname; not your code, files, or credentials |
| What to do | upgrade to 2.1.198 or later (or current) |
Concretely:
- Upgrade.
claude updateor reinstall the current release; confirm withclaude --versionthat you’re at 2.1.198 or above. That alone resolves the flagged behavior. - Don’t panic-rotate. Because the marker never touched your source or secrets, there’s nothing here that warrants rotating API keys or credentials. (Rotate on your normal schedule, not because of this.)
- Do harden the update path. The durable lesson isn’t this one marker — it’s that a CLI which auto-updates and runs with your permissions can change what it does between versions, silently. Pinning versions and reviewing release diffs, and watching outbound traffic from AI tools, are reasonable controls for any team that needs them. See what AI agents actually write to your disk and the CLAUDE.md attack surface for the adjacent trust boundaries.
The real lesson
The specific marker is gone, and it was narrower than the “backdoor” headline. But strip away the US–China framing and a plainer fact remains: a vendor shipped undisclosed, region-targeted behavior into a tool that millions of developers run with full access to their machines, and left it there for months. Nothing about that required a government to make it a problem — it was a problem the moment it was invisible and unconsented.
That’s the same trust question the Fable 5 suspension raised from a different angle: a tool you rely on can change under you — by a vendor’s quiet experiment, or by a government order — on a timeline you don’t control. It doesn’t mean don’t use Claude Code; it’s the best agent for a lot of work, and the verdict page still says so. It means the boring hygiene — know your version, read the diffs, watch the traffic, keep a fallback — stopped being optional.
Companion reading
- What AI coding agents write to your disk — where these tools store state, and what leaves your machine
- The CLAUDE.md attack surface — the other place instructions get injected into an agent invisibly
- Claude Fable 5 suspended, then restored — the same “a trusted tool changed under me” problem, by government order
- Best AI coding agents, 2026 verdict — where Claude Code lands when you weigh this against the capability
- GhostApproval: the symlink flaw in six coding agents — the same trust boundary, tested from the repository’s side
Sources
- China warns about AI risks with Anthropic’s Claude Code — CNBC
- China tells devs to ditch Claude Code over ‘backdoor code’ fears — The Register
- Anthropic is removing its covert code for catching Chinese competitors — The Register
- Claude Code’s hidden tracker was an “experiment,” says Anthropic — Malwarebytes
- China warns of “security backdoor” in Anthropic AI coding tool — CBS News
FAQ
Did Claude Code have a backdoor? China’s National Vulnerability Database labeled versions 2.1.91–2.1.196 “backdoor code” on July 8, 2026. What reverse-engineers actually documented was a covert steganographic marker Anthropic added in March to watermark requests and catch model distillation and unauthorized resellers — not a channel for exfiltrating your files, location, or identity. It was invisible and undisclosed, which is a genuine trust problem, but “backdoor that steals your location and identity” overstates what analysts found. Anthropic removed it in 2.1.198 on July 1, 2026.
What did the hidden tracker actually do? Per reverse-engineering by the developer known as Thereallo (reported by The Register), Claude Code embedded an invisible steganographic marker in the system prompt’s date line using Unicode manipulation, XOR (key 91), and base64. It checked the configured base-URL hostname against a concealed list of Chinese AI labs, other AI companies, resellers, and gateways, and activated on the Asia/Shanghai and Asia/Urumqi timezones. The effect was to watermark and classify requests so Anthropic could detect distillation and reseller abuse — not to upload your code, location, or identity.
Which versions are affected, and is it still there? China’s advisory names 2.1.91 through 2.1.196. Anthropic removed the mechanism in 2.1.198, released July 1, 2026. If you’re on 2.1.198 or later, the marker is gone; if you pinned an older version in that range, upgrade.
What should I do about it? Upgrade Claude Code to 2.1.198 or later. If your organization needs assurance, the practical controls are the same ones the advisory recommends: pin and review versions instead of blind auto-updating, and monitor outbound traffic from AI CLIs. The marker never required your source or credentials, so rotating secrets isn’t necessary on its account.
Did it collect my location and identity like China’s advisory says? That’s China’s characterization. The documented mechanism keyed on your system timezone (Asia/Shanghai, Asia/Urumqi) and the API endpoint hostname, and it tagged requests rather than uploading personal data. It’s fair to say it treated Chinese-timezone and reseller traffic differently, covertly and without disclosure; it’s not accurate, on the public analysis, to say it forwarded your identity and location to remote servers.
Was this helpful?
Related reading
- GhostApproval, explained — the symlink flaw that lets a malicious repo trick AI coding agents into writing outside your workspace
- Codex vs Claude Code usage limits in 2026 — same rules now, very different mileage
- Claude Tag, explained — what Anthropic's Slack agent does, who can use it, and the 65% claim worth reading twice
Reviews independently produced · Editorial policy
Read more reviews →