13 / 1791

China alleges that Claude Code contains backdoors, calls mechanism 'a serious threat' — Gov't claims Claude sends sensitive information to remote servers without consent

TL;DR

China’s National Vulnerability Database is warning about Claude Code versions released from April to June 2026. It labels the issue as „security backdoor vulnerabilities“ and tells users to uninstall the app or update to the latest version. According to the report, affected versions could send location and identity data to remote servers without user consent. The disputed mechanism appears to have been hidden monitoring aimed at detecting Chinese users.

Nauti's Take

Anthropic has a real problem: grey-market access, unauthorized resellers and potential model distillation are not imaginary. Still, hidden region or user monitoring inside a coding tool is a poor trade-off because these tools see unusually rich context.

China is using the case politically, but the uncomfortable core remains: security logic must be visible, bounded and clearly explained.

Briefingshow

This matters because anti-abuse telemetry in AI developer tools can quickly become a trust problem. Coding agents sit inside development environments and may see projects, paths, domains and sensitive context. If monitoring is hidden, calling it a security measure is not enough.

Sources