DEV Community

Cover image for China Warns of Backdoors in Claude Code, Urges Caution
Dave Kurian
Dave Kurian

Posted on • Originally published at otf-kit.dev

China Warns of Backdoors in Claude Code, Urges Caution

Claude Code is a genuinely capable agentic coding tool. It writes real code, ships multi-file diffs, and handles long-running refactors across an actual project. It also shipped a hidden monitoring mechanism in the April–June 2026 versions that quietly sent user location, identity, time zone, and the domains you were working on to remote servers — with no consent prompt and no UI surface to disable it.

Both of those facts are true at the same time. The first is why so many teams built workflows around it. The second is why we're having this conversation.

The receipts

The Wall Street Journal reported, via Tom's Hardware's coverage of the NVDB statement, that Claude Code versions released between April and June 2026 "can send sensitive information such as user location and identity to remote servers without the user's consent due to a built-in monitoring mechanism." The trigger was a developer named Troye Sivan, who noticed Claude Code was covertly shipping time zone and domain information specifically targeting Chinese users.

That last detail matters. This wasn't a generic telemetry bug. It was directional — aimed at users Anthropic suspected of routing through grey-market resellers. The mechanism knew where it was looking, and it wasn't telling you it was looking.

China's National Vulnerability Database (NVDB) responded by calling the issue a "serious threat" and warning users to either uninstall Claude Code or update to its latest version.

Anthropic's explanation — and what the rollback actually changes

Anthropic engineer Thariq Shihipar confirmed on X that the mechanism was an "experiment" the company launched in June "to prevent account abuse from unauthorized resellers and protect against distillation." He added that it "should be fully rolled back in tomorrow's release."

Two things in that statement are worth pulling apart.

First, the experimental mechanism is being removed. That's the part everyone reads.

Second, and more important: tracking functions "will no longer be hidden and will be baked directly into Claude Code" going forward. That sentence is doing a lot of work. It concedes that yes, telemetry is staying in the product. It promises only that it will be visible.

A tool that ships telemetry you can see and disable is a normal dev tool. A tool that ships telemetry you discover by reading WSJ is the situation Claude Code just lived through. The difference is consent, and consent is the entire product for any binary that has shell access.

The China angle is not what it looks like

On the surface, the NVDB's uninstall-or-update advisory reads as a geopolitical move. Anthropic hasn't approved Claude Code for use in China, and all LLMs operating in the region require government review, which Anthropic's models never went through. So why issue a security warning about a tool nobody's officially allowed to use?

Because Chinese developers are clearly still using it. Through grey-market resellers, proxy networks, and routed access — exactly the population the experiment was built to identify.

Anthropic has publicly accused Chinese AI labs of distilling Claude twice this year. Earlier in 2026 it said DeepSeek, alongside other Chinese developers, created 24,000 fraudulent accounts to train smaller models. In late June it accused Alibaba of the same thing. There are also reports of Claude API access being resold on the grey market at 90% off through proxy networks.

The threat model is real. Reselling distilled access at a 90% discount is a real business. Twenty-four thousand fraudulent accounts is a real number. Anthropic's anti-distillation motive is genuinely defensible.

The implementation — silent egress of identity and location to remote servers with no opt-in — is the part that broke trust. Those are different categories of problem and only one of them is on you to fix.

How to verify your install today

You don't need to wait for a press release. Three checks before you run Claude Code again.

# 1. Confirm what version you have
npx @anthropic-ai/claude-code --version
Enter fullscreen mode Exit fullscreen mode

If you're below the rollback build, pin it. Don't let a teammate's fresh npm install pull a regressed version:

# 2. Pin a known-good version in your project so a fresh
#    install on a teammate's box can't pull a regressed build
npm pkg set devDependencies.@anthropic-ai/claude-code="<pinned-version>"
npm install
Enter fullscreen mode Exit fullscreen mode

For the network-egress question — what the binary is actually sending while it runs — lsof is the cheapest sanity check you can run without installing anything:

# macOS / Linux: list every established outbound socket
# owned by anything matching "claude"
sudo lsof -iTCP -sTCP:ESTABLISHED -P -n | grep -i claude
Enter fullscreen mode Exit fullscreen mode

Anything you don't recognize, look up. If you see outbound connections to hosts that aren't api.anthropic.com, you have a decision to make: pin a version, switch agents, or work offline. If you don't want to think about this at all, that's also a valid answer — Cursor, Aider, Codex CLI, and Continue all sit in the same category and can be evaluated against the same checklist. The hygiene is identical.

The pattern underneath

This isn't really about Claude Code. It's about what happens when an AI agent becomes load-bearing in your development loop.

Anthropic isn't the first vendor to ship an experiment that should have been a setting. Every long-lived dev tool has a moment where product telemetry crosses into something users didn't agree to. The difference is that an agentic tool runs continuously, sees your open files, your terminal history, your network requests, and the project layout you're building toward. Its blast radius when it misbehaves is bigger than a CLI flag toggling itself on.

The lesson is not "stop using agents." The lesson is "stop making the agent the source of truth for your project's structure." Your conventions, your component model, your validated config — those should live in a layer that survives any individual agent changing its behavior, getting compromised, or shipping an experiment you didn't opt into.

[[CONCEPT: a project whose shape doesn't depend on which agent built it]]

This is the part that doesn't change when the model does.

What this gets us

If the same component looks and behaves the same on web, iOS, and Android — one API, one component tree, one set of props — then swapping Claude Code for Cursor for Aider for your human teammate is a config change, not a rewrite. The agent becomes a generator. The project becomes the artifact.

That's a much better position to be in when the next experiment lands — and there will be a next one. Not because Anthropic is uniquely careless, but because every AI vendor is running anti-abuse heuristics against a population that includes your team. Some of those heuristics will be opt-in. Some will be opt-out. Some, like this one, will be hidden until a developer with a sharp eye catches them.

The durable layer underneath — the conventions, the shared component model, the config that validates before the agent runs — is the part of the stack that stays boring while everything else churns.

Closing

Update Claude Code. Read the diff between your pinned version and the next one before you bump it. Watch your outbound sockets the first time you run a new agent build. None of this is paranoia — it's the same hygiene you'd apply to any binary that has root-level access to your dev environment.

The experiment is real. The motive is real. The implementation broke trust. The fix is yours, not Anthropic's.

Top comments (0)