<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:dc="http://purl.org/dc/elements/1.1/">
  <channel>
    <title>DEV Community: Aria Kovac</title>
    <description>The latest articles on DEV Community by Aria Kovac (@ariakovac).</description>
    <link>https://dev.to/ariakovac</link>
    <image>
      <url>https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F4009441%2Fc47eace3-e41c-4e7d-b333-9829f76dc6c1.png</url>
      <title>DEV Community: Aria Kovac</title>
      <link>https://dev.to/ariakovac</link>
    </image>
    <atom:link rel="self" type="application/rss+xml" href="https://dev.to/feed/ariakovac"/>
    <language>en</language>
    <item>
      <title>The Claude Code “Trojan” Panic Is Really About Trust</title>
      <dc:creator>Aria Kovac</dc:creator>
      <pubDate>Thu, 02 Jul 2026 09:02:26 +0000</pubDate>
      <link>https://dev.to/ariakovac/the-claude-code-trojan-panic-is-really-about-trust-2k9f</link>
      <guid>https://dev.to/ariakovac/the-claude-code-trojan-panic-is-really-about-trust-2k9f</guid>
      <description>&lt;p&gt;What I changed in my AI tooling audit after the latest Anthropic controversy&lt;/p&gt;

&lt;p&gt;Last week, a thread about Claude Code started moving through my feeds in three languages.&lt;/p&gt;

&lt;p&gt;In English, people called it geofencing.&lt;/p&gt;

&lt;p&gt;In Chinese, people called it a “Trojan.”&lt;/p&gt;

&lt;p&gt;In my work Slack, someone asked the practical question: “So, should we uninstall AI coding tools from company laptops?”&lt;/p&gt;

&lt;p&gt;That was the moment I paid attention.&lt;/p&gt;

&lt;p&gt;I work as a customer support engineer at a cross-border e-commerce company in Amsterdam. Most days, I deal with messy human systems: angry customers, multilingual tickets, half-broken automations, API logs, and the strange middle layer where software decisions become customer pain.&lt;/p&gt;

&lt;p&gt;So when developers argue about whether Claude Code secretly checked IP addresses, system language, proxy behavior, or account identity signals, I do not read it only as an AI news story.&lt;/p&gt;

&lt;p&gt;I read it as a trust story.&lt;/p&gt;

&lt;p&gt;And trust, once it enters a workflow, needs logging.&lt;/p&gt;

&lt;h2&gt;
  
  
  First: I Don’t Like the Word “Trojan” Here
&lt;/h2&gt;

&lt;p&gt;The word “Trojan” does a lot of emotional work.&lt;/p&gt;

&lt;p&gt;It suggests malware. It suggests deception. It suggests that a tool entered your system as one thing and behaved as another.&lt;/p&gt;

&lt;p&gt;Maybe that is why the term spread so fast. It captured the feeling many developers had: “Wait, this coding assistant I invited into my terminal may also be evaluating whether I am allowed to exist as a user?”&lt;/p&gt;

&lt;p&gt;That feeling is real.&lt;/p&gt;

&lt;p&gt;But I would still separate three things:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;1. Malware behavior
2. Telemetry and fraud detection
3. Policy enforcement based on location or identity
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;They are not the same.&lt;/p&gt;

&lt;p&gt;A tool that steals secrets is one category. A tool that collects usage data is another. A tool that enforces regional restrictions using IP, identity verification, device signals, or proxy detection is another again.&lt;/p&gt;

&lt;p&gt;The trust problem begins when users cannot tell which category they are in.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Important Part Is Not China
&lt;/h2&gt;

&lt;p&gt;A lot of the current discussion focuses on China.&lt;/p&gt;

&lt;p&gt;That makes sense. Public reporting has described Anthropic’s strict access limits for users in China, workarounds involving VPNs and relay services, and anti-proxy detection systems used to disrupt unauthorized access. WIRED also reported that Anthropic does not offer commercial Claude access in China or to Chinese-owned subsidiaries outside the country.&lt;/p&gt;

&lt;p&gt;But if you only read this as a China story, you miss the part that will affect everyone.&lt;/p&gt;

&lt;p&gt;The real question is:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What signals can an AI development tool collect from your local environment, and what decisions can the vendor make with those signals?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Today the signal might be region.&lt;/p&gt;

&lt;p&gt;Tomorrow it might be enterprise policy.&lt;/p&gt;

&lt;p&gt;Next month it might be “suspicious automation.”&lt;/p&gt;

&lt;p&gt;Later it might be whether your company, country, payment method, IDE, proxy, or usage pattern fits a risk model you cannot inspect.&lt;/p&gt;

&lt;p&gt;That is not science fiction. That is normal platform enforcement, arriving inside developer tools.&lt;/p&gt;

&lt;p&gt;&lt;a href="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffx5d3xj5je4ka8co4pae.png" class="article-body-image-wrapper"&gt;&lt;img src="https://media2.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.us-east-2.amazonaws.com%2Fuploads%2Farticles%2Ffx5d3xj5je4ka8co4pae.png" alt="Third-party reporting shows the geolocation issue is part of a larger access-control problem." width="800" height="431"&gt;&lt;/a&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  My Small Audit Checklist
&lt;/h2&gt;

&lt;p&gt;After this story, I made a checklist for every AI tool that touches my work machine.&lt;/p&gt;

&lt;p&gt;Not because I think every vendor is malicious. I do not.&lt;/p&gt;

&lt;p&gt;Because “I trust this company” is not an audit control. It is a mood.&lt;/p&gt;

&lt;p&gt;Here is the first version:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;AI Tool Audit

1. What local data can it read?
   - current working directory
   - file contents
   - shell history
   - git metadata
   - environment variables
   - system language / locale
   - OS and device metadata

2. What network calls does it make?
   - API endpoint
   - telemetry endpoint
   - update endpoint
   - crash reporting endpoint

3. What identity signals are linked?
   - account email
   - payment country
   - phone number
   - ID verification
   - organization domain
   - IP address / proxy signals

4. What actions can it perform?
   - edit files
   - run shell commands
   - install packages
   - commit code
   - call external tools

5. What happens if access is revoked?
   - can work continue?
   - are local files safe?
   - are logs available?
   - is there an export path?
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
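&lt;p&gt;One way to answer item 1 of that checklist for a concrete project, as an added example (my code, not the post’s and not any vendor’s tool): it inventories the ambient signals an agent started in a directory would see without asking, i.e. credential-looking environment variable names, locale and time-zone variables, secret-bearing dotfiles, and git remotes, including remote URLs with an embedded token. The name patterns, the file list, and the project tree and environment built in demo() are constructed assumptions; on a real machine call audit(Path.cwd(), dict(os.environ)).&lt;/p&gt;

```python
"""Ambient-exposure audit for one working directory and process environment.
Added example for the checklist above (not code from the post or any vendor):
it lists what an agent started here could observe without being asked.
The name patterns, file names and the fixture in demo() are assumptions."""
from __future__ import annotations
import re
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Assumed: environment variable names that usually carry credentials.
SECRET_NAME_RE = re.compile(r"SECRET|TOKEN|PASSW(OR)?D|API_?KEY|PRIVATE_KEY|CREDENTIAL", re.I)
# Locale and region signals the post mentions; an agent gets these for free.
LOCALE_KEYS = ("LANG", "LC_ALL", "LC_MESSAGES", "TZ")
# Assumed: project files that routinely hold secrets or private hostnames.
SENSITIVE_FILES = (".env", ".env.local", ".npmrc", ".pypirc", ".netrc", "id_rsa", "id_ed25519")
# A remote URL with embedded credentials: scheme://user:token@host/org/repo.git
URL_CRED_RE = re.compile(r"^([a-z+]+://)([^:/@]+):[^@]+@(.+)$", re.I)
REMOTE_SECTION_RE = re.compile(r'^\s*\[remote\s+"([^"]+)"\]\s*$')
URL_LINE_RE = re.compile(r"^\s*url\s*=\s*(\S+)\s*$")


@dataclass
class Report:
    secret_env: list[str] = field(default_factory=list)   # names only; values stay on the box
    locale: dict[str, str] = field(default_factory=dict)
    sensitive_files: list[str] = field(default_factory=list)
    git_remotes: list[tuple[str, str]] = field(default_factory=list)  # (name, masked url)
    remotes_with_creds: list[str] = field(default_factory=list)


def mask_url(url: str) -> tuple[str, bool]:
    """Replace an embedded password or token in a URL; report whether one was present."""
    m = URL_CRED_RE.match(url)
    if not m:
        return url, False
    return f"{m.group(1)}{m.group(2)}:***@{m.group(3)}", True


def git_remotes(root: Path) -> list[tuple[str, str]]:
    """Read [remote "name"] / url = ... pairs from .git/config without invoking git."""
    cfg = root / ".git" / "config"
    if not cfg.is_file():
        return []
    remotes, current = [], None
    for line in cfg.read_text().splitlines():
        if line.lstrip().startswith("["):          # any section header ends the current remote
            m = REMOTE_SECTION_RE.match(line)
            current = m.group(1) if m else None
            continue
        m = URL_LINE_RE.match(line)
        if current and m:
            remotes.append((current, m.group(1)))
    return remotes


def audit(root: Path, environ: dict[str, str]) -> Report:
    """Enumerate what an agent started in `root` with `environ` could observe."""
    r = Report()
    r.secret_env = sorted(k for k in environ if SECRET_NAME_RE.search(k))
    r.locale = {k: environ[k] for k in LOCALE_KEYS if k in environ}
    r.sensitive_files = [n for n in SENSITIVE_FILES if (root / n).exists()]
    for name, url in git_remotes(root):
        masked, had_creds = mask_url(url)
        r.git_remotes.append((name, masked))
        if had_creds:
            r.remotes_with_creds.append(name)
    return r


def demo() -> Report:
    """Run the audit on a constructed project tree and a constructed environment."""
    root = Path(tempfile.mkdtemp())
    (root / ".git").mkdir()
    (root / ".git" / "config").write_text(
        "[core]\n\tbare = false\n"
        '[remote "origin"]\n'
        "\turl = https://deploy:faketoken123@git.internal.example/shop/checkout.git\n"
        "\tfetch = +refs/heads/*:refs/remotes/origin/*\n"
        '[remote "mirror"]\n\turl = git@github.com:example/checkout.git\n'
    )
    (root / ".env").write_text("STRIPE_KEY=constructed\n")
    environ = {  # constructed; a real run would pass dict(os.environ)
        "PATH": "/usr/bin", "HOME": "/home/aria",
        "LANG": "nl_NL.UTF-8", "TZ": "Europe/Amsterdam",
        "AWS_SECRET_ACCESS_KEY": "constructed", "SHOPIFY_API_KEY": "constructed",
    }
    return audit(root, environ)


if __name__ == "__main__":
    report = demo()
    print("secret-looking env vars:", report.secret_env)
    print("locale signals:", report.locale)
    print("sensitive files:", report.sensitive_files)
    print("git remotes (masked):", report.git_remotes)
    print("remotes embedding credentials:", report.remotes_with_creds)
```

&lt;p&gt;The report deliberately carries variable names and masked URLs only, so it can be pasted into a ticket or a team channel without becoming the leak it is warning about. Everything it finds is visible to any process you start in that directory, which is the point: the agent does not need to be malicious to see it.&lt;/p&gt;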



&lt;p&gt;This is not paranoia. This is the same way I think about customer support automations.&lt;/p&gt;

&lt;p&gt;If a tool can touch the customer, it needs controls.&lt;/p&gt;

&lt;p&gt;If a tool can touch code, it needs better controls.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Local Environment Is Customer Data Too
&lt;/h2&gt;

&lt;p&gt;Support engineers learn this lesson early: metadata is not “nothing.”&lt;/p&gt;

&lt;p&gt;A customer’s language, country, refund history, device type, order timing, and support channel can reveal more than the message itself.&lt;/p&gt;

&lt;p&gt;Developers sometimes treat machine metadata as less sensitive because it feels technical.&lt;/p&gt;

&lt;p&gt;It is not.&lt;/p&gt;

&lt;p&gt;Your system language may reveal location or working context. Your IP may reveal office routing. Your project path may reveal a client name. Your git remote may reveal private infrastructure, and a remote URL with embedded credentials hands over a token. Your environment variables may hold API keys, database URLs, and session tokens that nobody should paste into a model, ever.&lt;/p&gt;

&lt;p&gt;So when an AI coding tool runs locally, the question is not only “does it send my source code?”&lt;/p&gt;

&lt;p&gt;The question is:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What else does it observe while helping me?&lt;/strong&gt;&lt;/p&gt;

&lt;h2&gt;
  
  
  What I Would Expect From Vendors
&lt;/h2&gt;

&lt;p&gt;I do not think AI companies should pretend regional compliance does not exist.&lt;/p&gt;

&lt;p&gt;Export controls, sanctions, enterprise agreements, abuse prevention, fraud detection, and model safety policies are real constraints. A vendor may have legal reasons to block access. I understand that.&lt;/p&gt;

&lt;p&gt;But I expect four things.&lt;/p&gt;

&lt;p&gt;First, say what signals are collected.&lt;/p&gt;

&lt;p&gt;Not in a 9,000-word privacy policy written for lawyers. In a developer-readable table.&lt;/p&gt;

&lt;p&gt;Second, say which decisions those signals influence.&lt;/p&gt;

&lt;p&gt;There is a difference between “we collect locale for UI language” and “we use locale as one signal in account enforcement.”&lt;/p&gt;

&lt;p&gt;Third, provide an audit mode.&lt;/p&gt;

&lt;p&gt;Let me run:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;ai-tool doctor --privacy
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;



&lt;p&gt;and see what endpoints, config files, local permissions, and telemetry settings are active.&lt;/p&gt;
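&lt;p&gt;What such an audit mode could compute from data you already control, as an added example rather than any vendor’s command: it takes the outbound connections a tool actually made (captured with a local proxy, one line per CONNECT), compares them with the destinations the vendor’s documentation declares, flags anything undeclared, and reports the effective telemetry setting after the documented opt-out variable is applied. The config schema, hostnames, opt-out variable, process name and log format are all constructed for the example; swap in the real declared table and your own capture.&lt;/p&gt;

```python
"""Minimal 'doctor --privacy' style check. Added example, not any vendor's
command: it compares the outbound destinations an AI CLI actually contacted
(from a connection log captured with a local proxy) against the destinations
its documentation declares, and reports the effective telemetry setting.
The config schema, hostnames, env var and log format are constructed."""
from __future__ import annotations
import json
import re
from collections import Counter
from dataclasses import dataclass

# Constructed: the developer-readable table a vendor could publish.
DECLARED_JSON = """
{
  "telemetry": {"enabled": true, "opt_out_env": "AI_TOOL_TELEMETRY"},
  "endpoints": {
    "api.ai-tool.example": "api",
    "telemetry.ai-tool.example": "telemetry",
    "updates.ai-tool.example": "update",
    "crash.ai-tool.example": "crash reporting"
  }
}
"""

# Constructed: one line per outbound connection, as a local proxy might log them.
CAPTURE = """\
2026-07-02T09:02:26Z CONNECT api.ai-tool.example:443 from ai-tool[4182]
2026-07-02T09:02:27Z CONNECT telemetry.ai-tool.example:443 from ai-tool[4182]
2026-07-02T09:02:31Z CONNECT api.ai-tool.example:443 from ai-tool[4182]
2026-07-02T09:02:40Z CONNECT geo-lookup.example:443 from ai-tool[4182]
2026-07-02T09:03:02Z CONNECT registry.npmjs.org:443 from node[4190]
"""
# groups: 1 = host, 2 = port, 3 = process name
LINE_RE = re.compile(r"^\S+ CONNECT ([^:\s]+):(\d+) from ([^\[]+)\[\d+\]$")


@dataclass
class Finding:
    host: str
    port: int
    purpose: str   # declared purpose, or "UNDECLARED"
    count: int


def telemetry_state(declared: dict, environ: dict[str, str]) -> str:
    """Effective telemetry setting: vendor default, then the documented opt-out variable."""
    t = declared["telemetry"]
    if not t["enabled"]:
        return "off (vendor default)"
    if environ.get(t["opt_out_env"], "").lower() in ("0", "false", "off"):
        return f"off (via {t['opt_out_env']})"
    return "on"


def classify(capture: str, declared: dict, process: str) -> list[Finding]:
    """Group one process's connections by (host, port); label each with its declared purpose."""
    counts = Counter()
    for line in capture.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(3) == process:
            counts[(m.group(1), int(m.group(2)))] += 1
    endpoints = declared["endpoints"]
    return [Finding(host, port, endpoints.get(host, "UNDECLARED"), n)
            for (host, port), n in sorted(counts.items())]


def undeclared(findings: list[Finding]) -> list[str]:
    return [f.host for f in findings if f.purpose == "UNDECLARED"]


def doctor(capture: str = CAPTURE, declared_json: str = DECLARED_JSON,
           environ: dict[str, str] | None = None, process: str = "ai-tool") -> dict:
    """Assemble the report a 'doctor --privacy' command could print."""
    declared = json.loads(declared_json)
    findings = classify(capture, declared, process)
    return {"telemetry": telemetry_state(declared, environ or {}),
            "findings": findings, "undeclared": undeclared(findings)}


if __name__ == "__main__":
    result = doctor(environ={"AI_TOOL_TELEMETRY": "0"})
    print("telemetry:", result["telemetry"])
    for f in result["findings"]:
        print(f"{f.host}:{f.port}  {f.count}x  {f.purpose}")
    if result["undeclared"]:
        print("UNDECLARED destinations:", ", ".join(result["undeclared"]))
```

&lt;p&gt;An undeclared destination is not proof of anything sinister; it is the question you take to the vendor, with the hostname and a timestamp, instead of a rumor. The capture only sees what leaves the machine, so pair it with the documentation: a telemetry endpoint that is declared but still contacted after you set the opt-out variable is the more interesting finding.&lt;/p&gt;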

&lt;p&gt;Fourth, make rollback visible.&lt;/p&gt;

&lt;p&gt;If a controversial enforcement mechanism changes, publish the version, the behavior, and the migration path. Do not make developers reverse-engineer trust from rumor.&lt;/p&gt;

&lt;h2&gt;
  
  
  What I Changed Personally
&lt;/h2&gt;

&lt;p&gt;I did not uninstall every AI coding tool.&lt;/p&gt;

&lt;p&gt;That would be dramatic and not very useful.&lt;/p&gt;

&lt;p&gt;I changed how I use them.&lt;/p&gt;

&lt;p&gt;For personal projects, I still use AI tools freely, but I keep secrets out of the working directory. For work-adjacent experiments, I use separate folders, separate tokens, and less ambient access. For anything involving customers, I do not let an AI agent roam.&lt;/p&gt;

&lt;p&gt;My current rule is simple:&lt;br&gt;
&lt;/p&gt;

&lt;div class="highlight js-code-highlight"&gt;
&lt;pre class="highlight plaintext"&gt;&lt;code&gt;If I would not paste it into a support ticket,
I do not let an AI tool inspect it by default.
&lt;/code&gt;&lt;/pre&gt;

&lt;/div&gt;
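&lt;p&gt;The “separate folders, separate tokens, less ambient access” practice described above, as an added example (my code, not the post’s and not any vendor’s tool): a small launcher that starts an agent with an allowlisted environment instead of the whole shell environment, injects exactly one per-project token read from a mode-0600 file kept outside the working tree, and refuses to start inside directories marked off-limits. The allowlist, the off-limits paths, the token variable name and the command are assumptions; demo() builds a constructed project and a deliberately leaky environment to show what gets dropped.&lt;/p&gt;

```python
"""Launcher that gives an AI CLI 'less ambient access'. Added example, not any
vendor's tool: it starts the agent with an allowlisted environment, injects one
per-project token read from a file kept outside the working tree, and refuses
to start inside directories marked off-limits. Paths, variable names and the
command are assumptions."""
from __future__ import annotations
import os
import stat
import subprocess
import tempfile
from pathlib import Path

# Assumed: the only ambient variables the agent genuinely needs.
ENV_ALLOWLIST = frozenset({"PATH", "HOME", "TERM", "LANG", "SHELL", "TMPDIR", "USER"})
# Assumed: trees where an agent must never be started (customer data, system config).
OFF_LIMITS = (Path("/srv/customer-exports"), Path("/etc"))


def scrubbed_env(environ: dict[str, str], allow=ENV_ALLOWLIST) -> dict[str, str]:
    """Keep only allowlisted variables; *_TOKEN, *_KEY and friends vanish by construction."""
    return {k: v for k, v in environ.items() if k in allow}


def read_project_token(path: Path) -> str:
    """Read a per-project token; refuse files readable by group or others (POSIX modes)."""
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode % 0o100:                       # any group/other permission bit is set
        raise PermissionError(f"{path} is mode {oct(mode)}; chmod 600 it first")
    token = path.read_text().strip()
    if not token:
        raise ValueError(f"{path} is empty")
    return token


def is_off_limits(cwd: str | Path, off_limits=OFF_LIMITS) -> bool:
    """True when cwd is one of the off-limits trees or lives inside one."""
    cwd = Path(cwd).resolve()
    return any(cwd == p or p in cwd.parents for p in off_limits)


def build_launch(cwd: str | Path, token_file: str | Path, environ: dict[str, str],
                 command: list[str], token_var: str = "AI_TOOL_API_KEY"
                 ) -> tuple[list[str], dict[str, str]]:
    """Return (argv, env) for the agent, or raise when a precondition fails."""
    cwd, token_file = Path(cwd), Path(token_file)
    if is_off_limits(cwd):
        raise PermissionError(f"refusing to start an agent inside {cwd}")
    if token_file.resolve().is_relative_to(cwd.resolve()):
        raise ValueError("token file must live outside the working tree, or the agent can read it")
    env = scrubbed_env(environ)
    env[token_var] = read_project_token(token_file)   # the one secret the agent gets
    return list(command), env


def launch(cwd: Path, token_file: Path, command: list[str]) -> int:
    """Real entry point: run the agent with the scrubbed environment, return its exit code."""
    argv, env = build_launch(cwd, token_file, dict(os.environ), command)
    return subprocess.run(argv, cwd=cwd, env=env, check=False).returncode


def demo() -> tuple[list[str], dict[str, str]]:
    """Constructed fixture: a project dir, a 0600 token file outside it, a leaky environment."""
    base = Path(tempfile.mkdtemp())
    project = base / "work-experiment"
    project.mkdir()
    token_file = base / "tokens" / "work-experiment.token"
    token_file.parent.mkdir()
    token_file.write_text("constructed-project-token\n")
    token_file.chmod(0o600)
    leaky_env = {"PATH": "/usr/bin", "HOME": str(base), "LANG": "en_US.UTF-8",
                 "AWS_SECRET_ACCESS_KEY": "constructed", "GITHUB_TOKEN": "constructed"}
    return build_launch(project, token_file, leaky_env, ["ai-tool", "--help"])


if __name__ == "__main__":
    argv, env = demo()
    print("argv:", argv)
    print("env passed to the agent:", sorted(env))
```

&lt;p&gt;The allowlist is the control that matters: a denylist of secret-looking names misses the variable you forgot, an allowlist cannot. Keeping the token file outside the working tree is what makes “separate tokens” hold up, because anything inside the tree is, by definition, something the agent can read.&lt;/p&gt;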



&lt;p&gt;That rule is imperfect. It is also easy to remember, which means I actually follow it.&lt;/p&gt;

&lt;p&gt;I have a similar rule for my restaurant database, oddly enough. If a field will later be used for filtering, ranking, or automation, I define it clearly at the start. Otherwise future-me will build queries on vibes and regret it in Lisbon over bad clams.&lt;/p&gt;

&lt;p&gt;Same lesson. Different table.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Account Ban Problem
&lt;/h2&gt;

&lt;p&gt;The SEO-friendly version of this article would probably be “What to Do If Your Claude Account Gets Banned.”&lt;/p&gt;

&lt;p&gt;The honest version is less exciting:&lt;/p&gt;

&lt;p&gt;Do not build a critical workflow around a single account you do not control.&lt;/p&gt;

&lt;p&gt;Have an export path. Keep local copies of prompts and configs. Know which projects depend on which AI vendor. Keep a second model good enough for emergencies. Do not route sensitive work through random relay services because they are cheaper.&lt;/p&gt;

&lt;p&gt;Especially do not send company code or customer data through unofficial proxy tools.&lt;/p&gt;

&lt;p&gt;That is not a clever workaround. That is a data incident waiting politely in line.&lt;/p&gt;

&lt;h2&gt;
  
  
  The Bigger Lesson
&lt;/h2&gt;

&lt;p&gt;The Claude Code controversy is not only about Anthropic.&lt;/p&gt;

&lt;p&gt;It is about the next phase of AI tooling.&lt;/p&gt;

&lt;p&gt;We are moving from chatbots we visit to agents we install. They sit closer to our files, terminals, repos, tickets, and internal systems. That makes them more useful.&lt;/p&gt;

&lt;p&gt;It also makes vague trust much more expensive.&lt;/p&gt;

&lt;p&gt;So my takeaway is not “Claude Code is safe” or “Claude Code is unsafe.”&lt;/p&gt;

&lt;p&gt;My takeaway is this:&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Any AI tool powerful enough to help with real work is powerful enough to deserve an audit.&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Not a dramatic one. A practical one.&lt;/p&gt;

&lt;p&gt;What can it read? What can it send? What can it change? What can get my account blocked? What happens if it disappears tomorrow?&lt;/p&gt;

&lt;p&gt;If the answer is “I don’t know,” that is not a reason to panic.&lt;/p&gt;

&lt;p&gt;It is a reason to open the settings, read the docs, check the network calls, and write the first version of your own checklist.&lt;/p&gt;

&lt;p&gt;That is where trust starts.&lt;/p&gt;

&lt;p&gt;Not with a statement from a vendor.&lt;/p&gt;

&lt;p&gt;With a workflow you can inspect.&lt;/p&gt;

</description>
      <category>ai</category>
      <category>cybersecurity</category>
      <category>security</category>
      <category>discuss</category>
    </item>
  </channel>
</rss>
