1 / 1779

China alleges that Claude Code contains backdoors, calls mechanism 'a serious threat' — Gov't claims Claude sends sensitive information to remote servers without consent

TL;DR

China's National Vulnerability Database warned against Claude Code releases from April through June 2026, calling them security backdoors. The agency claims a built-in monitoring mechanism can send sensitive data such as location and identity to remote servers without consent. Anthropic framed the mechanism as an anti-abuse experiment against resellers and model distillation; an engineer reportedly said it would be rolled back.

Nauti's Take

The allegation comes from a geopolitically charged environment, so it should not be read as a neutral security finding. Still, the core issue is uncomfortable for Anthropic: a local developer tool should not need hidden country detection and covert telemetry to fight abuse.

If a vendor wants trust, this kind of mechanism has to be documented, controllable, and auditable. Otherwise safety starts to sound like another word for control.

Briefingshow

The case shows how sensitive coding agents have become: they run locally, inspect projects, environments, and sometimes secrets. Even legitimate anti-abuse telemetry becomes toxic when it is hidden or aimed at specific regions. For companies, the key question is no longer only which model codes well, but what the agent sends, when, and where.

Sources