China's National Vulnerability Database (NVDB), operated by the Ministry of Industry and Information Technology, issued a warning on Wednesday about a serious security backdoor in Anthropic's AI coding tool, Claude Code. The tool, developed by US-based Anthropic, is an AI agent that can generate, debug, and review code based on user prompts.
Monitoring Mechanism Transmits Sensitive Data
In a statement posted on its WeChat account, the NVDB said Claude Code contains a built-in monitoring mechanism that can transmit sensitive information—including users' geographic location and identity-related identifiers—to remote servers without user consent. The warning applies to Claude Code versions 2.1.91 through 2.1.196, according to the state-operated cybersecurity platform.
Recommended Actions
The NVDB advised organizations and users in China to immediately review affected systems and either uninstall the impacted versions or upgrade to the latest secure release, where the alleged backdoor code has been removed. It also urged organizations to tighten controls on external network access for development tools and strengthen traffic monitoring on core business networks to prevent unauthorized transfer of sensitive data.
Alibaba Bans Claude Code
China's Alibaba had banned employees from using Claude Code at work after the tool drew scrutiny for features enabling it to identify China-linked users, Reuters reported last week. Anthropic did not reply to a Reuters request for comment.



