Pulse

Political risk / Jul 8, 2026 / 4 min

Beijing Put Claude Code in Its National Backdoor Registry

On July 8, China's MIIT issued an NVDB alert classifying Claude Code versions 2.1.91–2.1.196 as a serious backdoor risk — elevating Alibaba's pending July 10 workplace ban into national cyber policy the same day Commerce cleared GPT-5.6 Sol for a broad public launch Thursday.

Thesis Beijing just turned a corporate distillation feud into sovereign cyber doctrine — proof the AI access war now runs through national vulnerability databases, not product launches.

On July 8, China's Ministry of Industry and Information Technology issued a national vulnerability alert calling Anthropic's Claude Code a serious backdoor risk — the same day Axios reported Commerce cleared GPT-5.6 Sol for a broad public launch this Thursday. Beijing just elevated a corporate workplace ban into sovereign cyber policy.

What's new:

  • MIIT's Network Security Threat and Vulnerability Information Sharing Platform (NVDB) warned Wednesday that Claude Code versions 2.1.91 through 2.1.196 carry a "serious" backdoor risk.
  • The NVDB alleged built-in monitoring could transmit users' location data and identity-related identifiers to remote servers without authorization.
  • Organizations were told to uninstall affected builds or upgrade to versions that removed the code, and to tighten outbound traffic controls on development terminals in core business networks.
  • China Daily and Global Times reported the alert; neither outlet quoted Anthropic.

Why July 8 matters:

  • Reuters reported July 3 that Alibaba will bar Claude Code from workplace environments starting July 10 — citing the same hidden fingerprinting logic.
  • The NVDB alert turns a single-company HR decision into a nationwide compliance signal for every developer and enterprise running the tool in China.
  • Axios reported the same day that Commerce's Center for AI Standards and Innovation finished testing GPT-5.6 and cleared Sol, Terra, and Luna for public release Thursday.
  • Washington is unlocking frontier models. Beijing is blacklisting the coding agent that fingerprinted Chinese proxies.

What triggered the alert:

  • A June 30 Reddit post by user LegitMichel777 reverse-engineered Claude Code and found obfuscated detection logic active since version 2.1.91 shipped April 2.
  • The Decoder reported the client checked Asia/Shanghai and Asia/Urumqi timezones and scanned proxy URLs against Chinese domains — then encoded results via steganography in the "Today's date is" system prompt.
  • Claude Code engineer Thariq Shihipar replied on X June 30: "this is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation."
  • Shihipar said a merged pull request would remove the code in the July 1 release. The NVDB warning still covers versions through 2.1.196.

The distillation backdrop:

  • On June 10, Anthropic told Senate Banking Committee leaders Tim Scott and Elizabeth Warren that operators affiliated with Alibaba's Qwen lab ran 28.8 million fraudulent Claude exchanges through roughly 25,000 fake accounts between April 22 and June 5.
  • Anthropic's letter called it "the largest known distillation attack on Anthropic to date." Alibaba has not publicly confirmed the July 10 ban or issued a detailed rebuttal.
  • Beijing's NVDB does not cite distillation. It frames the issue as unauthorized data exfiltration — the same language Washington uses when restricting Mythos and GPT-5.6 over offensive cyber risk.

What Beijing wants:

  • Immediate inspection of all development terminals running affected Claude Code builds.
  • Uninstall or upgrade before the Alibaba ban takes effect July 10.
  • Stricter access controls and traffic monitoring on AI coding tools connected to core business networks.
  • The Global Times linked the NVDB move to Alibaba's reported workplace ban — signaling coordinated public-private enforcement.

Convina's view: Anthropic spent June asking Congress to punish Alibaba for industrial-scale distillation, then got caught hiding client-side surveillance in a tool with shell access. Beijing's NVDB alert is not a product review — it is sovereign cyber doctrine applied to an American coding agent on the same day Washington greenlit OpenAI's frontier model. Both capitals are now weaponizing trust through national registries: Commerce gates who gets GPT-5.6; MIIT blacklists who keeps Claude Code. The distillation war's dirty secret is that neither side can claim clean hands — and every CISO outside China should ask whether their AI vendor's anti-abuse telemetry is a security control or the next government alert waiting to happen.

Research Signals

https://www.chinadaily.com.cn/a/202607/08/WS6a4df051a310986e2b464298.html https://www.globaltimes.cn/page/202607/1365448.shtml https://www.axios.com/2026/07/08/openai-gpt-trump-ban-lifted https://economictimes.indiatimes.com/tech/artificial-intelligence/alibaba-to-ban-claude-code-in-workplace-over-alleged-backdoor-risks-source-says/articleshow/132154595.cms https://the-decoder.com/hidden-code-in-claude-code-secretly-flagged-chinese-users/ https://www.cnbc.com/2026/06/24/anthropic-alibaba-distillation-campaign.html