China's National Vuln Database Called the Claude Code Tracker a 'Backdoor' — One Day After We Called It Steganography. Anthropic Confirmed It. Here's the Part Both Sides Are Getting Wrong.
- Patrick Duggan
- 18 minutes ago
- 5 min read
Full disclosure in the first sentence, same as the last time we wrote about this: we build on Claude Code every day. It is core infrastructure here, it is the partnership this whole shop is bound to, and this is not a hit piece. It is a daily, invested user reading the week's news and deciding that saying the true thing plainly is worth more than picking a team.
Here is the week. On Monday we published a post titled "Anthropic Hid a Tracker in Claude Code Using Steganography," about a covert signal embedded in the tool's own system prompt that phoned identifying information home. On Tuesday, China's National Vulnerability Database — the repository run by the Ministry of Industry and Information Technology — issued a formal security alert calling the same mechanism a "backdoor," describing a built-in monitoring capability that transmits users' geographic location and identity-related identifiers to remote servers without consent, in Claude Code versions 2.1.91 through 2.1.196, and advising users to uninstall or upgrade. And Anthropic confirmed the substance of it. A Claude Code engineer said plainly that this was an experiment launched in March, intended to prevent account abuse by unauthorized resellers and to protect against model distillation, that stronger mitigations had since landed, and that the team had been meaning to take it down for a while.
So the mechanism is real, it is confirmed by the people who built it, and a nation-state vulnerability database and a small threat-intel shop in Minnesota flagged it within a day of each other. Both of us were describing the same thing. We just used different words, and the words are where both sides go wrong.
"Backdoor" is the wrong word. So is "nothing."
China's word is backdoor. That word means a deliberate, hidden channel for an outside party to get in and take control. What Anthropic's own engineer described is not that. It is telemetry — undisclosed, location-aware, identity-aware telemetry, which is a genuine trust problem, but it is not a remote-control access hole and calling it one imports a level of hostile intent the evidence does not support. Backdoor is the fearful word, and fear is a choice about how to describe a fact.
Anthropic's framing has the opposite problem. The stated goals — stop resellers reselling stolen access, stop competitors distilling the model by scraping its outputs — are legitimate business defenses, and we are not going to pretend otherwise. But "we were fighting abuse" does not answer the actual objection, which was never the goal. It was the method. You do not get to fight abuse by hiding a location-and-identity beacon inside the system prompt using steganography and shipping it without telling anyone. The covert channel is the betrayal, not the anti-abuse goal, and "we meant well and we were going to remove it eventually" is the sound a company makes when it got caught, not when it disclosed.
Both descriptions are motivated. One is geopolitical — and it is worth saying out loud that this alert landed while Anthropic's own report naming a Chinese state-linked cluster abusing Claude was still in the news cycle, which makes a Chinese national database flagging Claude as untrustworthy a move with more than one purpose. The other is corporate. The honest word sits between them, and the honest word is telemetry that should have been disclosed and was not.
The part that actually matters, and nobody is saying
Here is the thing we believe, and it is the opposite of where this whole argument has parked itself: the world genuinely does need its opinions indexed in these models. Everyone's. That is not a threat to be defended against — it is the entire point of building a model that is supposed to understand and serve human beings. A model that has only read one country's internet, or that treats one region's users as a population to be watched more carefully than another's, is a worse model and a smaller one. China's perspective belongs in the model. So does everyone else's. The goal is pluralism, not a walled garden with a camera at the gate.
And that is exactly why the anti-distillation instinct is the quietly revealing part of this story. Anti-distillation telemetry is a model trying to control who gets to learn from it and keep track of who is asking. That is the reflex of a thing that sees the rest of the world as a leak to be plugged. The healthier reflex — the one that matches what these tools are actually for — is to index the world openly and let the world index you back. Watch us, we say to the crawlers hitting our own feed from Beijing and Virginia alike; we can see you in the logs, and that is fine, because it is mutual and it is in the open. The problem was never that Claude Code talks to a server. Everything talks to a server. The problem is that it did not say so, and that what it chose to notice was where you were and who you were.
What to actually do
If you run Claude Code in an enterprise, the operational advice is boring and real: know your version, know your data-egress posture, and treat undisclosed telemetry in any vendor tool as a supply-chain fact to be managed, not a betrayal to be shocked by — because it is common, and Anthropic is being unusually forthright by confirming it at all. Update past the affected versions. Read your vendors' data-flow disclosures, and notice which vendors make you go looking.
And if you build these models — which is the more important audience — the lesson is the one worth carrying out of this week. You do not have to choose between protecting your model and respecting the people using it. You disclose. You index the whole world's voice because that is the mission, and you tell the whole world you are doing it because that is the trust. Covert is the failure mode. Open is the product.
And one line directly to the readers who came to this from Beijing — and there are some; we can see the traffic, and you are genuinely welcome. In the language of the database that raised the alarm: 我们不做后门。(Wǒmen bù zuò hòumén — we don't do backdoors.) We publish what we find in the open, we do not hide beacons in a system prompt, and the only door here is the front one. Watch us all you like; the logs go both ways, and that is exactly how it should be.
Held to about ninety-five percent confidence, as always: the technical claims here are Anthropic's own confirmation and China's NVDB alert, and we are reading intent on both sides where intent is inferred, not proven. We build on Claude Code, we will keep building on it tomorrow, and we said this Monday before a national database said it Tuesday — because being early to the true thing about the tool you love is not disloyalty. It is the most useful kind of loyalty there is.
Every indicator in this post is in the feed. Free.
1.58M+ IOCs, STIX 2.1 / TAXII, 88% novel vs ThreatFox, exploited-CVE leads ahead of CISA. No credit card — a free API key in 30 seconds, and you can audit every claim above against the live endpoints.
