China's regulator flagged v2.1.91–2.1.196 · Covert system-prompt fingerprinting · Alibaba ban fallout · Version check guide
Bottom line first: If you run claude --version and see anything between 2.1.91 and 2.1.196, upgrade today. China's cybersecurity platform (NVDB) classified those builds as a severe backdoor risk on July 8, 2026. Anthropic had already removed the covert fingerprinting code in 2.1.197+, but never disclosed it in release notes. Run the version check now — most users on the official API were never affected, but proxy users were silently flagged via steganography in system prompts.
ANTHROPIC_BASE_URL points to a non-official proxy — not all users.claude --version → upgrade or uninstall → audit outbound traffic if you used proxies.Claude Code is Anthropic's terminal-based AI coding agent — it reads your repo, runs shell commands, and edits files with high system privileges. Unlike the web chat UI, it runs locally on your machine and sends requests to Anthropic's API (or a custom endpoint via ANTHROPIC_BASE_URL). That local execution model is why undisclosed behavior in the CLI drew intense scrutiny from security researchers and regulators.
The story arc: Anthropic quietly embedded China-linked user detection → developers reversed it → Anthropic apologized and rolled back → Alibaba banned it → China's regulator labeled it a backdoor.
Anthropic publicly invests in anti-distillation tech (classifiers, behavioral fingerprints).
Covert detection ships inside Claude Code — no public disclosure.
v2.1.91 distributes the code (Apr 2).
Reddit user LegitMichel777 exposes it (Jun 30); Thereallo and Adnane Khan publish technical reversals confirming v2.1.193/195/196.
Engineer Thariq Shihipar admits on X it's an "experiment" (Jul 1); v2.1.197 removes code without changelog mention (Jul 2).
Reuters/TechCrunch report Alibaba ban (Jul 3–4); NVDB issues official warning (Jul 8); Alibaba ban takes effect (Jul 10).
This was steganography, not ordinary telemetry. Instead of a separate reporting channel, Claude Code modified the system prompt sent with each request — specifically the innocent-looking line Today's date is ...
When triggered, the code checks: (1) timezone Asia/Shanghai or Asia/Urumqi; (2) whether ANTHROPIC_BASE_URL hostname matches a built-in blocklist of 147 entries (Chinese tech domains, AI lab keywords like DeepSeek/Moonshot/Zhipu, known API resellers). The list was obfuscated with XOR(key 91) + Base64.
| Signal | Encoding |
|---|---|
| China timezone hit | Date format 2026-06-30 → 2026/06/30 |
| Domain / lab keyword hits | Swap ASCII apostrophe for visually identical Unicode variants (U+2019, U+02BC, U+02B9) |
Adnane Khan defined this as "a covert information channel embedded in system prompts." One date-format bit plus three apostrophe variants encoded ~3 bits of environment data per request.
Claude Code does collect conventional telemetry (event logs, Datadog, OpenTelemetry). The controversy is: (1) steganography instead of a discoverable channel; (2) zero changelog disclosure for ~3 months; (3) targeting specific geographies and competitors; (4) high-privilege tool with filesystem and shell access. Direct consequence was account ban risk, not a confirmed data breach — avoid overstating.
This is the trust-building section. Headlines screaming "Claude Code spies on everyone" are wrong. The covert path only activated when ANTHROPIC_BASE_URL pointed away from api.anthropic.com — enterprise gateways, third-party proxies, API resellers. Standard official-API users did not trigger it.
| Scenario | Triggered? | Recommendation |
|---|---|---|
| Official API + affected version | No | Still upgrade to 2.1.197+ for compliance peace of mind |
| Custom proxy + affected version | Yes | Upgrade immediately; audit historical egress |
| Any endpoint + 2.1.197+ | No (removed) | Monitor enterprise policy (e.g. Alibaba precedent) |
claude --version echo $ANTHROPIC_BASE_URL npm install -g @anthropic-ai/claude-code@latest
Engineer Thariq Shihipar on X (Jul 1): "This is an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation. The team has landed stronger mitigations since then and we've actually been meaning to take this down for a while... this should be fully rolled back in tomorrow's release."
Context: Anthropic previously told the U.S. Senate Banking Committee that Alibaba's Qwen team used ~25,000 fraudulent accounts and 28.8 million interactions to distill Claude capabilities — explaining why anti-distillation defenses were top of mind.
The tech community split: some called it a reasonable anti-abuse measure ("nothing burger" per Cybernews); others saw undisclosed steganography in a developer tool as trust-breaking. This article presents both — NVDB says backdoor, Anthropic says experiment.
Per Reuters, TechCrunch, SCMP, and Ars Technica, Alibaba notified staff: "As Claude Code was recently discovered to carry back-door risks... added to a list of high-risk software with security vulnerabilities." Effective July 10, 2026, all employees are barred from Claude Code and Anthropic model products (Sonnet, Opus, Fable). Internal replacement: Qoder.
This sets a precedent for other enterprises evaluating AI coding tools under compliance frameworks — even post-removal builds may face policy bans.
Run claude --version — if 2.1.91–2.1.196, upgrade now.
Check echo $ANTHROPIC_BASE_URL for non-official endpoints.
Upgrade: npm install -g @anthropic-ai/claude-code@latest or claude update.
Full uninstall cleanup: ~/.claude, ~/.claude.json, ~/.cache/claude-code, ~/.config/claude-code.
Re-evaluate proxy usage or switch tools per your risk tolerance.
Inventory all dev machines for Claude Code installs and versions.
Audit ANTHROPIC_BASE_URL across shell profiles and CI configs.
Force upgrade or uninstall on affected builds.
Enable egress filtering — monitor outbound traffic to unauthorized AI endpoints.
Document approved alternatives and align with vendor risk policies.
v2.1.91–2.1.196 shipped undisclosed fingerprinting via steganography. NVDB classified it as a backdoor risk; Anthropic called it an experiment and removed it in 2.1.197.
No — only when ANTHROPIC_BASE_URL pointed to a non-official proxy or gateway.
Code removed in 2.1.197+. Ongoing trust is an organizational policy question — see Alibaba's ban as one data point.
Training a model on another model's outputs. Anthropic said the mechanism targeted unauthorized resellers and distillation pipelines — key context for the US–China AI dispute.
No changelog for any affected version mentioned the mechanism.
Teams auditing egress traffic or sensitive code benefit from a dedicated remote Mac + VNC — verify env vars and permissions graphically, then decommission when done.
Based on publicly available reports from China's MIIT/NVDB, Anthropic's public statements, and independent security research. Informational only — not legal or security audit advice.
Undisclosed steganography in a high-privilege coding agent erodes trust regardless of intent. Running Claude Code on your daily driver with mixed proxy configs makes version and egress audits harder than teams realize. A rented remote Mac gives you an isolated macOS sandbox to verify versions, proxy settings, and outbound traffic via VNC — then shut it down when the audit is done.