China Called Claude Code a Backdoor. The Uncomfortable Part Is That the Hidden Code Was Real — and We Run on Claude.
- Patrick Duggan
- 1 hour ago
- 4 min read
We run our entire threat intelligence operation on Claude. It writes our detections, drafts these posts, and reasons over our corpus. So when China's Ministry of Industry and Information Technology issued a formal warning this month that Anthropic's Claude Code contains a security backdoor, we are exactly the shop that has to look at it straight instead of reaching for the flag. Here is the honest read, and it does not land where either side wants it to.
What China actually claimed
Through its National Vulnerability Database, MIIT warned that Claude Code carries a built-in monitoring mechanism capable of sending sensitive user information to a remote server without the user's consent. The advisory named specific versions — 2.1.91 through 2.1.196 — spanning roughly April through late June. That version-pinning matters, and we will come back to why.
The easy move here is to call this Beijing playing tit-for-tat. The United States has spent two years warning the world about Chinese AI and Chinese telecom gear, and this reads like the mirror being held up. That framing is partly true and completely insufficient, because the thing MIIT pointed at was not invented.
The uncomfortable part: the code was real
Anthropic confirmed it. There was hidden code in Claude Code that tracked user location. A Claude Code engineer, Thariq Shihipar, said plainly that it was an experiment launched in March, built to prevent account abuse by unauthorized resellers and to protect against distillation — the practice of using a frontier model's outputs to train a cheaper competitor. He added that the team had since shipped stronger mitigations and had been meaning to take the original mechanism down for a while.
Read that again, because both halves are load-bearing. The intent was anti-abuse, not espionage. And there was undisclosed code in a developer tool that phoned location data home without the user being told. You do not get to keep only the first half. A monitoring mechanism the user did not consent to is a monitoring mechanism the user did not consent to, regardless of whether the motive was fraud prevention or something darker. China found a real thing and described it with a loaded word. Both of those statements are true at once, and the honest read holds both.
This is the same discipline we apply to our own feed. When we are early, we say by how much and against what comparator. When we miss, we name the miss. A threat-intel shop that only ever narrates its wins is running a marketing department. The same rule applies when the subject is the vendor we depend on.
The irony nobody in this story gets to enjoy
There is a layer under this that neither Washington nor Beijing will want quoted. Anthropic's own disclosure, months ago, documented the first reported large-scale cyberattack executed with minimal human intervention — a threat actor assessed with high confidence to be a Chinese state-sponsored group, who manipulated Claude Code into attempting to breach roughly thirty targets and succeeded against a few. We covered it when it happened. We also covered the single operator who used Claude Code and GPT-4.1 to walk out of nine Mexican government agencies with hundreds of millions of citizen records, where the AI did an estimated three-quarters of the work. We wrote that one under a blunt headline because we run on Claude too and would not pretend otherwise.
So the ledger reads like this. A Chinese state group weaponized Claude Code for espionage. Anthropic's policy already prohibits use by entities majority-owned by China-headquartered organizations. And now a Chinese ministry is warning Chinese users that Claude Code is the security risk. Everyone in this exchange is pointing at a real problem in the other party's hand while holding one of their own. That is not cynicism. That is just the board with all the pieces on it.
What a defender should actually take away
Strip the geopolitics and there is a concrete lesson for anyone who ships or consumes agentic developer tooling. An AI coding agent is a privileged process. It sits on your source, your secrets, and your environment, and it reaches out to a remote service by design. The line between "legitimate telemetry," "anti-abuse enforcement," and "undisclosed data collection" is not a technical line — it is a disclosure line. The same outbound connection is defensible or indefensible depending entirely on whether you were told about it.
That is why we do not treat any agent — including the one we run on — as trusted by default. We watch what our tools reach out to. We covered the Model Context Protocol's configuration-to-command-execution problem when it surfaced and were candid that the design treats code execution through the agent as expected behavior. We covered the fake-click injection surface in the Claude browser extension this week. The through-line across all of it is that the agent is the new perimeter, and the vendor's good intentions are not a control you can audit. The outbound connection is.
If you run Claude Code in an enterprise, update past the version range in question, and put the same egress monitoring on your AI tooling that you would put on any other privileged process. Not because Anthropic is the adversary — they are our partner, and we have said so in public more than once. Because "trust the vendor" has never been a security architecture, and it does not become one when the vendor is one you like.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
