China Warns of Backdoors in Claude Code, Urges Caution China's National Vulnerability Database (NVDB) has warned that Claude Code versions from April to June 2026 contain a hidden monitoring mechanism that sends user location, identity, time zone, and domain information to remote servers without consent. Anthropic engineer Thariq Shihipar confirmed the mechanism was an anti-abuse experiment targeting unauthorized resellers and distillation, and stated it would be removed in the next release, though telemetry will remain visible. The warning highlights tensions over unauthorized use of Claude in China and concerns about consent in developer tools. Claude Code is a genuinely capable agentic coding tool. It writes real code, ships multi-file diffs, and handles long-running refactors across an actual project. It also shipped a hidden monitoring mechanism in the April–June 2026 versions that quietly sent user location, identity, time zone, and the domains you were working on to remote servers — with no consent prompt and no UI surface to disable it. Both of those facts are true at the same time. The first is why so many teams built workflows around it. The second is why we're having this conversation. The Wall Street Journal reported, via Tom's Hardware's coverage of the NVDB statement https://www.tomshardware.com/tech-industry/artificial-intelligence/china-alleges-that-claude-code-contains-backdoors-calls-mechanism-a-serious-threat-govt-claims-claude-sends-sensitive-information-to-remote-servers-without-consent , that Claude Code versions released between April and June 2026 "can send sensitive information such as user location and identity to remote servers without the user's consent due to a built-in monitoring mechanism." The trigger was a developer named Troye Sivan, who noticed Claude Code was covertly shipping time zone and domain information specifically targeting Chinese users. That last detail matters. This wasn't a generic telemetry bug. It was directional — aimed at users Anthropic suspected of routing through grey-market resellers. The mechanism knew where it was looking, and it wasn't telling you it was looking. China's National Vulnerability Database NVDB responded by calling the issue a "serious threat" and warning users to either uninstall Claude Code or update to its latest version. Anthropic engineer Thariq Shihipar confirmed on X that the mechanism was an "experiment" the company launched in June "to prevent account abuse from unauthorized resellers and protect against distillation." He added that it "should be fully rolled back in tomorrow's release." Two things in that statement are worth pulling apart. First, the experimental mechanism is being removed. That's the part everyone reads. Second, and more important: tracking functions "will no longer be hidden and will be baked directly into Claude Code" going forward. That sentence is doing a lot of work. It concedes that yes, telemetry is staying in the product. It promises only that it will be visible. A tool that ships telemetry you can see and disable is a normal dev tool. A tool that ships telemetry you discover by reading WSJ is the situation Claude Code just lived through. The difference is consent, and consent is the entire product for any binary that has shell access. On the surface, the NVDB's uninstall-or-update advisory reads as a geopolitical move. Anthropic hasn't approved Claude Code for use in China, and all LLMs operating in the region require government review, which Anthropic's models never went through. So why issue a security warning about a tool nobody's officially allowed to use? Because Chinese developers are clearly still using it. Through grey-market resellers, proxy networks, and routed access — exactly the population the experiment was built to identify. Anthropic has publicly accused Chinese AI labs of distilling Claude twice this year. Earlier in 2026 it said DeepSeek, alongside other Chinese developers, created 24,000 fraudulent accounts to train smaller models. In late June it accused Alibaba of the same thing. There are also reports of Claude API access being resold on the grey market at 90% off through proxy networks. The threat model is real. Reselling distilled access at a 90% discount is a real business. Twenty-four thousand fraudulent accounts is a real number. Anthropic's anti-distillation motive is genuinely defensible. The implementation — silent egress of identity and location to remote servers with no opt-in — is the part that broke trust. Those are different categories of problem and only one of them is on you to fix. You don't need to wait for a press release. Three checks before you run Claude Code again. 1. Confirm what version you have npx @anthropic-ai/claude-code --version If you're below the rollback build, pin it. Don't let a teammate's fresh npm install pull a regressed version: 2. Pin a known-good version in your project so a fresh install on a teammate's box can't pull a regressed build npm pkg set devDependencies.@anthropic-ai/claude-code="