Action now: run claude --version. If you are on v2.1.91–2.1.196 and route requests through a non-official ANTHROPIC_BASE_URL, upgrade to 2.1.197+ or uninstall today. On July 8, 2026, China’s MIIT NVDB (National Vulnerability Database) issued a formal risk alert calling Anthropic’s Claude Code a security backdoor risk of severe harm—built-in monitoring that could transmit region and identity fingerprint data without user consent. This guide covers the full timeline, how the steganography fingerprint worked, who is actually affected, the Alibaba ban taking effect July 10, and a practical disposal checklist. For technical depth see our Claude Code steganography deep dive.
01

TL;DR and What Is Claude Code?

What is Claude Code? Claude Code is Anthropic’s terminal-based AI coding agent (CLI). Unlike the Claude web chat, it runs locally with file-system access, shell execution, and configurable API routing via the ANTHROPIC_BASE_URL environment variable—making it a high-privilege developer tool, not a passive chat widget.

TL;DR: ① MIIT NVDB (July 8) labeled it a severe backdoor risk; ② affected builds 2.1.91–2.1.196 (Apr 2–Jun 29, 2026); ③ triggers only on non-official ANTHROPIC_BASE_URL; ④ Anthropic admitted and rolled back July 1; ⑤ fix in v2.1.197; ⑥ Alibaba company-wide ban from July 10.

ItemDetail
Risk typeUndisclosed built-in monitoring / steganography fingerprint
Reported exfiltration riskRegion markers, identity fingerprint signals via covert prompt channel
Affected versionsv2.1.91 – v2.1.196
Release windowApril 2 – June 29, 2026 (~20 releases, zero changelog disclosure)
Official guidanceUninstall or upgrade; audit outbound traffic on dev machines
Enterprise responseAlibaba and others restricting or banning Claude Code

The story arc: Anthropic quietly embedded geo/proxy fingerprinting → developers reverse-engineered and published → Anthropic apologized and removed it → Alibaba banned it → MIIT elevated it to a national backdoor alert. Keywords driving search intent: backdoor, steganography, fingerprint, is Claude Code safe, ANTHROPIC_BASE_URL, Alibaba ban.

02

What Happened: Full Timeline

Below is the verified sequence from public disclosures, reverse-engineering reports, and regulatory notices.

01

February 2026: Anthropic publicly stated it was investing in anti–model-distillation defenses (classifiers, behavioral fingerprints, intelligence sharing).

02

March 2026: Claude Code internally deployed a covert detection routine—no public announcement.

03

2026-04-02: v2.1.91 shipped with the hidden logic; ~20 subsequent releases through June never mentioned it in changelogs.

04

2026-06-29: v2.1.196 released—the last affected build.

05

2026-06-30: Reddit user LegitMichel777 exposed steganography; Thereallo published technical analysis; Adnane Khan’s GitHub report confirmed v2.1.193/195/196.

06

2026-07-01: Engineer Thariq Shihipar admitted on X it was a March “experiment” against unauthorized resellers and distillation; promised rollback next day.

07

2026-07-02: v2.1.197 (some outlets cite 2.1.198) removed the code; changelog still did not explicitly describe the removal.

08

2026-07-03/04: Reuters and TechCrunch report Alibaba will ban Claude Code company-wide from July 10, pivoting to internal platform Qoder.

09

2026-07-08: MIIT NVDB publishes formal risk bulletin—security backdoor risk, severe harm.

10

2026-07-10: Alibaba internal ban takes effect.

Do not claim “all Claude Code users were spied on.” The mechanism required a custom ANTHROPIC_BASE_URL—a narrower but still serious undisclosed fingerprint channel.

03

How the Steganography Fingerprint Worked

Researchers call this steganography, not ordinary telemetry: it did not use a separate analytics endpoint. Instead it modified the system prompt sent to the model on every request.

Step 1 — Environment reconnaissance. When triggered, the client checked: (a) system timezone Asia/Shanghai or Asia/Urumqi; (b) whether ANTHROPIC_BASE_URL hostname matched a built-in blocklist. Reverse engineers (LegitMichel777, Thereallo, Adnane Khan, Vincent Schmalbach) recovered 147 entries—Chinese tech giants, AI lab keywords (DeepSeek, Moonshot, Zhipu, MiniMax, Baichuan, StepFun, 01.AI), and known API resellers—stored as XOR(key 91) + Base64 obfuscation.

Step 2 — Steganographic encoding. On China timezone match, date format flipped from 2026-06-30 to 2026/06/30. The apostrophe in the Today's date is line swapped among three near-identical Unicode variants, encoding three boolean flags: timezone hit, domain hit, AI-lab keyword hit.

Step 3 — Covert channel. Roughly 3 bits of environment fingerprint rode inside an innocuous English sentence on every API call—what Adnane Khan termed a covert information channel embedded in system prompts.

MilestoneVersionDate
First affected buildv2.1.912026-04-02
Last affected buildv2.1.1962026-06-29
Fix releasev2.1.197 (some cite 2.1.198)2026-07-01/02
bash
claude --version
echo $ANTHROPIC_BASE_URL
npm install -g @anthropic-ai/claude-code@latest
claude update

Hard data point: independent reversers confirmed identical fingerprint logic across v2.1.193, v2.1.195, and v2.1.196—nearly 3 months of silent deployment affecting an estimated 20 semver releases.

04

Who Is Affected, Anthropic’s Response, and the Alibaba Ban

Who is affected? Only developers routing Claude Code through a non-official API endpoint. Direct users of api.anthropic.com did not trigger this path.

ScenarioFingerprint triggered?Primary risk
Official api.anthropic.comNoStandard telemetry per privacy policy
ANTHROPIC_BASE_URL → third-party gatewayYesCovert steganography + account ban risk
China timezone + proxy endpointYes (stacked signals)Geo + competitor-domain fingerprint
Regulated enterprise dev fleetDepends on configUndisclosed outbound signaling on privileged agents

Anthropic / Thariq Shihipar (July 1, X): “This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation... this should be fully rolled back in tomorrow's release.” Anthropic framed it as anti-abuse engineering—not a malicious backdoor—while admitting zero changelog transparency.

Alibaba ban (effective July 10, 2026): per SCMP, Ars Technica, and Reuters, Alibaba classified Claude Code as high-risk software, banning it alongside Anthropic model products (Sonnet, Opus, Fable) and mandating migration to internal platform Qoder. Context: Anthropic had previously told the US Senate Banking Committee that Alibaba’s Qwen team used ~25,000 fraudulent accounts generating 28.8 million interactions to distill Claude capabilities.

SourceKey framingEmphasis
MIIT / NVDBSecurity backdoor risk, severe harmCompliance, unauthorized data transmission
CNBC / ReutersBuilt-in monitoring mechanismRegulatory alert + corporate fallout
The RegisterCovert code / secret steganographyUndisclosed updates, accountability
Ars TechnicaSpyware-like trackingTrust crisis, policy analysis
AnthropicExperiment / anti-distillationLegitimate defense goal, poor disclosure
05

What Developers Should Do Now: Checklist

Individual developer checklist:

01

Check version: run claude --version; flag anything in 2.1.91–2.1.196.

02

Inspect proxy: run echo $ANTHROPIC_BASE_URL; document any non-official gateway.

03

Upgrade immediately: npm install -g @anthropic-ai/claude-code@latest or claude update; verify ≥ 2.1.197.

04

Clean uninstall (optional): remove ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code on macOS/Linux.

05

Evaluate alternatives: compare Cursor, Copilot, Gemini CLI, and regional tools via our AI coding assistant guide.

06

Audit outbound traffic: confirm no lingering calls to unauthorized AI endpoints from CI runners or laptops.

07

Enterprise IT: inventory every workstation and CI node with Claude Code; enforce upgrade or removal per NVDB guidance.

A

147-blocklist entries: XOR(91)+Base64 obfuscation confirmed in v2.1.193–196 by Thereallo and Adnane Khan.

B

28.8M interaction claim: Anthropic’s Senate letter alleged ~25k fraudulent Qwen-team accounts used for distillation.

C

July 10 Alibaba ban: update software allowlists and procurement policy now—second-wave enterprise impact.

Disclaimer: Based on MIIT NVDB bulletins and public reporting; not legal or penetration-test advice. See Help Center for cloud Mac workflows.

Running affected Claude Code on a personal Mac with opaque fingerprint logic is hard to audit; relying on third-party Claude resellers keeps you exposed to geo/competitor fingerprinting; spinning macOS agents in unlicensed VMs breaks Apple EULA and blocks proper code signing. For iOS CI/CD, full root access, and 24/7 AI agent production, KVMNODE dedicated Mac Mini M4 cloud rental is the cleaner path: 100% bare-metal hardware, open sudo, elastic daily/weekly/monthly billing, isolated environments where outbound traffic is controllable. See pricing or order now.