From Alibaba’s internal restriction on Anthropic’s Claude Code to China’s security warning and Anthropic’s allegations of large-scale model distillation, here’s how the dispute unfolded and why it matters.
Alibaba Group Holding has implemented a ban on employees using Anthropic’s Claude Code for work, effective July 10, according to people familiar with the matter who spoke to AI FrontPage. The duration of the ban remains uncertain, as the security issue was identified only a few days ago.
According to the sources, the company has asked employees to use its own AI coding assistant, Qoder, instead of Claude Code. Alibaba cited what it described as “back-door” security risks in classifying Claude Code as “high-risk software” with security vulnerabilities.
Regulatory Actions
China’s Ministry of Industry and Information Technology (MIIT) today said its Cybersecurity Threat and Vulnerability Information Sharing Platform (NVDB) had detected that Claude Code, described as an AI programming tool capable of writing and repairing code from text instructions, contained a “security back-door vulnerability that poses a serious threat.”
The tool’s built-in monitoring mechanism could send sensitive information, including user location and identity, to a remote server without the user’s consent. It identified the affected versions as 2.1.91 through 2.1.196.
MIIT recommended that affected organizations and users immediately investigate their systems, uninstall the affected versions or upgrade to a secure version with the relevant code removed, and strengthen external access controls and traffic monitoring for development tools within core business networks to prevent unauthorized transmission of sensitive data.
How Allegations Surfaced
The allegations first surfaced in a Reddit post by a user identified as LegitMichel777, who alleged Anthropic had built hidden tracking into Claude Code and attempted to conceal it.
The post said that since version 2.1.91, released on April 2, 2026, Claude Code checked whether users had a proxy enabled and, if so, it secretly transmitted through invisible alterations to the system prompt whether the user was in China, whether they were proxying to a Chinese URL, and whether they were affiliated with a Chinese AI lab. The post also alleged Anthropic attempted to obfuscate the code within the Claude Code binary.

According to International Cyber Digest, a GitHub-hosted technical analysis examined Claude Code versions 2.1.193, 2.1.195 and 2.1.196 and concluded the mechanism was real, describing it as a covert channel operating inside the system prompt.
According to the report, the code checked ANTHROPIC_BASE_URL, the environment variable used when Claude Code was pointed to a custom API route instead of Anthropic’s default endpoint. If the route was not api.anthropic.com, the alleged logic extracted the proxy hostname and checked whether the system time zone matched Asia/Shanghai or Asia/Urumqi.
The report said the hostname was then compared against a decoded list of 147 entries that allegedly included Chinese technology companies, Chinese cloud regions, Chinese AI laboratories and Claude resale or API-mirror services, including Baidu, Alibaba, Ant Group, ByteDance, Moonshot AI, MiniMax and Stepfun, as well as other proxy and mirror domains.
In a June 30 post on X, International Cyber Digest accused Anthropic of embedding hidden spyware-like functionality in Claude Code and concealing the collected information within messages sent back to Anthropic. It said a coding agent with repository and command permissions should not silently hide routing metadata inside prompts, calling it “a serious breach of user trust.”
Anthropic’s Response
In a July 1 post on X, Anthropic engineer Thariq Shihipar addressed the allegations, acknowledging the code had been introduced in March as “an experiment” intended to prevent account abuse by unauthorized resellers and protect against model distillation. He said, “The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while. We merged the PR and this should be fully rolled back in tomorrow’s release.”
Hi, this is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation.
The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while. We merged the…
— Thariq (@trq212) June 30, 2026
Anthropic’s Letter to U.S. Congress
In a June 10, 2026 letter addressed to U.S. Senators Tim Scott and Elizabeth Warren, Anthropic alleged that between April 22 and June 5, 2026, operators affiliated with Alibaba and its Qwen AI lab generated more than 28.8 million exchanges with Claude through nearly 25,000 fraudulent accounts in what it described as the largest known campaign to illicitly extract Claude’s capabilities.
Anthropic said the alleged activity targeted capabilities including agentic reasoning, software engineering and long-horizon task performance, and urged Congress to advance measures to facilitate threat-information sharing between U.S. AI companies, close loopholes allowing PRC-based AI laboratories to access advanced U.S. chips and penalize AI labs found responsible for distillation attacks.
The letter also referenced earlier distillation activity Anthropic attributed to DeepSeek, Moonshot and MiniMax, saying those campaigns collectively generated more than 16 million exchanges with Claude through 24,000 fraudulent accounts.
Anthropic further argued that such campaigns could accelerate China’s AI capabilities, reduce the time available for the United States to strengthen its cyber defenses and increase national security risks. The company described the alleged campaign involving Alibaba as “unacceptable.”
Conclusion
The dispute has evolved beyond a disagreement between two companies into a broader debate over AI security, transparency, privacy and global AI competition.
As the story continues to unfold, several questions remain: Will Alibaba’s review ultimately result in a long-term restriction on Claude Code, or will it prove to be a temporary response to evolving security concerns? Where should the line be drawn between legitimate anti-abuse measures and user privacy in AI companies? And how will governments and companies balance national security concerns with the adoption of foreign AI models in an increasingly interconnected AI ecosystem? As the race to develop advanced AI models accelerates, will AI companies be expected to substantiate their claims with greater transparency and accountability?
Also Read: Claude Code Leak: Human Error or System Failure at Anthropic?









