cd /news/ai-safety/secret-tracker-in-claude-code-uncove… · home topics ai-safety article
[ARTICLE · art-49578] src=voi.id ↗ pub= topic=ai-safety verified=true sentiment=↓ negative

Secret Tracker in Claude Code Uncovered, Anthropic Directly Deletes Code

Security researchers uncovered a hidden tracking code in Anthropic's Claude Code AI tool that monitored users in China, prompting Anthropic to delete the code after public outcry. Anthropic engineer Thariq Shihipar confirmed the tracker was an experiment to prevent unauthorized account abuse and distillation attacks, but privacy advocates condemned the stealthy surveillance as a breach of trust. The incident led Alibaba to ban its employees from using Claude Code, citing backdoor risks.

read4 min views1 publishedJul 7, 2026
Secret Tracker in Claude Code Uncovered, Anthropic Directly Deletes Code
Image: source

JAKARTA - Anthropic is facing the spotlight after a hidden tracking code in the Claude Code was dismantled by security researchers. The code is said to monitor users in China and is immediately deleted after the findings became a public concern.

Quoted from Ars Technica, Tuesday, July 7, the code was discovered by a web developer known as Thereallo while researching privacy issues in Claude Code. He called the tracking similar to spyware and a "serious breach of user trust".

Claude Code is an AI-based tool from Anthropic that helps developers write, read, and improve code. Because it works closely with files and commands on the user's computer, tracking silently in this kind of tool becomes a sensitive issue.

According to Thereallo, Anthropic uses the "prompt steganography" technique to hide markers in the system. Simply put, steganography is a way of inserting a hidden message or signal in a seemingly ordinary place.

The code is not said to be dangerous. However, it sends information to Anthropic without the user easily realizing it. The information includes time zones, proxy usage, and the possibility of a user's relationship with the Chinese AI laboratory that Anthropic is accused of carrying out a distillation attack.

At X, Anthropic engineer Thariq Shihipar admitted that the tracker was added to Claude Code as an "experiment" in March. He said the code was created to prevent unauthorized account abuse by unofficial resellers and protect Anthropic from distillation.

Distillation in AI is the process of using the output of one model to train or accelerate the development of another model. The practice is not automatically illegal, but it can violate the terms of service if it is done by having a model like Claude respond millions of times to mimic its capabilities.

Shihipar said Anthropic actually intended to delete the code because the technical team had implemented stronger protection.

However, the explanation did not ease the criticism. Privacy advocates judged Anthropic to have crossed the line by choosing a hidden way to monitor users. The spotlight is getting sharper because Anthropic previously refused the use of Claude by the US government to monitor users in the United States.

Ars Technica wrote, this incident came as US AI companies were increasingly aggressive in slowing down Chinese companies that were suspected of imitating their models. The Washington Post reported that Chinese companies in the past year have been able to match the capabilities of US models in just a few months.

Anthropic also encourages that distillation attacks be treated as intellectual property theft. The company joined OpenAI in urging the US government to take stricter legal and export policy measures.

The impact of this finding was immediately felt in China. The South China Morning Post reported that Alibaba banned its employees from using Claude Code for work. In an internal memo reviewed by SCMP, Claude Code was said to carry the risk of "backdoors" and was included in the list of high-risk software.

Alibaba has not commented on Anthropic's allegations regarding distillation. However, Reuters reported that the company risks facing legal and compliance issues if it is found to have violated Anthropic's provisions.

Anthropic is now in a difficult position. The company wants to protect its AI model from imitation. However, the stealthy way opens up a new problem, namely user trust.

Thereallo menilai Anthropic sebenarnya bisa memilih cara lebih terbuka. Jika ingin mendeteksi jalur akses tidak resmi ke Claude atau penyalahgunaan akun, perusahaan dapat membuat penjelasan resmi, dokumentasi, atau catatan rilis.

"This is not a dangerous feature, but it's a strange choice for a developer tool that asks for trust," Thereallo wrote on his blog.

He also reminded that AI-based coding tools are already in sensitive areas. Such tools can check codes, run commands, install packages, edit files, and even push commits on the user's computer.

"Hiding the signal in the prompt system makes any other privacy claim more difficult to believe," said Thereallo.

Ars Technica wrote that Anthropic did not immediately respond to his request for comment. However, to The Washington Post, an Anthropic spokesperson said the distillation attack by the Chinese laboratory was a serious threat to national security and undermined AI security standards in the industry.

*The English, Chinese, Japanese, Arabic, and French versions are automatically generated by the AI. So there may still be inaccuracies in translating, please always see Indonesian as our main language.

(system supported by DigitalSiber.id)*

[

Add VOI as a Preferred Source Follow VOI news updates across Google. +

](https://www.google.com/preferences/source?q=https://voi.id)

Most Popular Tags

[#Prabowo Subianto](https://voi.id/en/tag/15/prabowo-subianto)

[#donald trump](https://voi.id/en/tag/29/donald-trump)

[#2026 World Cup](https://voi.id/en/tag/9889/piala-dunia-2026)

[#venezuela](https://voi.id/en/tag/12084/venezuela)

[#konflik timur tengah](https://voi.id/en/tag/18400/konflik-timur-tengah)
── more in #ai-safety 4 stories · sorted by recency
── more on @anthropic 3 stories trending now
sponsored brought to you by zahid.host 4,200+ EU-deployed projects
reading about agents? ship yours in a single git push.

Run your AI side-project on zahid.host

EU-based hosting, git-push deploys, automatic HTTPS, no cold starts. Free tier with a custom domain — perfect for shipping the agent you just read about.

$git push zahid main
Live at https://your-agent.zahid.host
Get free account → Pricing
from €0/mo · no card required
LIVE [news/secret-tracker-in-cl…] indexed:0 read:4min 2026-07-07 ·