China’s cybersecurity watchdog has identified a security risk in Anthropic’s Claude Code, citing a backdoor vulnerability that could transmit user data, including location and identity details, to remote servers without consent. The National Vulnerability DataBase (NVDB) issued the warning, urging organizations to act immediately to address the issue. The affected versions, ranging from 2.1.91 to 2.1.196, contain a monitoring mechanism capable of sending sensitive information externally. The NVDB recommends uninstalling these versions or upgrading to the latest build, which reportedly has removed the backdoor code. The alert comes amid tensions between Anthropic and Alibaba, with accusations of security risks and data extraction campaigns. Alibaba has banned its staff from using Claude Code, directing them to use its own coding assistant, Qoder. Anthropic has accused Alibaba of conducting a large-scale distillation attack, involving millions of exchanges through fraudulent accounts. Despite Anthropic’s restrictions on access from China, Claude Code remains popular among Chinese researchers, often accessed through overseas proxies. The situation remains unresolved, with no new statements from either Anthropic or Alibaba following NVDB’s warning.
previous post

