China: Ditch older Claude versions with backdoor code

China: Ditch older Claude versions with backdoor code

China: Ditch older Claude versions with backdoor code

https://www.theregister.com/security/2026/07/08/china-ditch-older-claude-versions-with-backdoor-code/5268371

Publish Date: 2026-07-08 09:58:00

Source Domain: www.theregister.com

Security

National vulnerability database claims monitoring mechanism can forward Chinese users’ data to remote servers

China’s National Vulnerability Database (CNVDB) is urging developers to uninstall recent Claude Code versions over the fear that they can scoop up sensitive user data without consent.

Referring to it as “backdoor code,” the state-run body claimed over WeChat and in an online statement that a “built-in monitoring mechanism” can gather details such as a user’s location and identity, and forward them to remote servers.

It said the alert only applies to Claude Code versions 2.1.91 (April 2) to 2.1.196 (June 29). “It is recommended that relevant units and users immediately conduct a comprehensive investigation,” CNVDB said on Wednesday.

“For development terminals with the above-mentioned affected versions installed, immediately uninstall or upgrade to the latest secure version with the relevant backdoor code removed; strengthen the control of external access permissions and traffic monitoring of development tools within core business network segments to prevent the unauthorized transmission of sensitive data.”

The Register asked Claude maker Anthropic to comment, but it did not immediately respond.

Neither did Anthropic answer our questions last week about its covert code designed to prevent competing AI companies from extracting intel about Claude’s inner workings.

Claude Code engineer Thariq Shihipar stated publicly that Anthropic launched an experiment in March to protect against model distillation – a process by which AI companies try to improve their models by training them on the answers of those that are more advanced.

“The team has landed stronger mitigations since then and we’ve actually been meaning to take this down for a while,” he said. The secret steganography system was removed in version 2.1.198, released on July 1.

We had asked Anthropic whether it disclosed this…

Source