Alibaba has banned employees from using Anthropic's Claude Code at work, effective July 10, after developers found the coding tool carried hidden code that fingerprinted users routing requests through China-linked networks, according to an internal notice reported by the South China Morning Post. The notice classified Claude Code as "high-risk software with security vulnerabilities" and told staff to use Alibaba's own coding agent, Qoder, instead. Reuters confirmed the order through a person familiar with it and said the move deepens a dispute that began when Anthropic accused Alibaba of illicitly extracting Claude's capabilities.

The hidden mechanism was first documented on June 30 by a Reddit user identified as LegitMichel777, who reverse-engineered the Claude Code binary while trying to restore a disabled feature and found obfuscated code that had been present since version 2.1.91, released April 2. A developer who writes under the name Thereallo published a function-level breakdown the same day. The April release notes made no mention of the check, LegitMichel777 wrote.

Key Takeaways

AI-generated summary, reviewed by an editor. More on our AI guidelines.

The code ran only when a user pointed Claude Code at a custom API endpoint through the ANTHROPIC_BASE_URL environment variable rather than Anthropic's own servers, according to Thereallo's analysis. It then checked whether the system timezone was set to Asia/Shanghai or Asia/Urumqi and compared the proxy hostname against a hardcoded list of Chinese corporate domains and AI-lab keywords, among them deepseek, moonshot and zhipu. Both lists were stored in the binary as base64 strings and decoded at runtime with an XOR key of 91, an obfuscation method Tech Times noted is more commonly associated with hiding malware from analysis tools than with production developer software.

The client did not send the result as a separate telemetry field. It encoded the classification into the "Today's date is" line that Claude Code inserts into every system prompt, according to Thereallo. A Chinese timezone switched the date separator from a dash to a slash, and the apostrophe in the word "Today's" was swapped among four visually identical Unicode characters to signal whether the hostname matched the domain list, the lab-keyword list, both or neither. The changes are invisible to a reader and to the model, Thereallo wrote, but machine-readable by Anthropic's servers on every request.

Thariq Shihipar, an engineer on the Claude Code team, acknowledged the code on X and described it as "an experiment we launched in March that was meant to prevent account abuse from unauthorized resellers and protect against distillation." He said the team had "landed stronger mitigations since then" and had been "meaning to take this down for a while," and that the pull request to remove it had been merged. Anthropic published version 2.1.197 on July 1, though its changelog did not mention the removal. Asked whether the tracking had been disclosed in any terms-of-service document, a company spokesperson pointed back to Shihipar's remarks, which did not address the question, The Register reported.

Security researcher Adnane Khan published a verification report confirming the mechanism in versions 2.1.193, 2.1.195 and 2.1.196 and called it "a covert information channel embedded in system prompts." Thereallo wrote that detecting a reseller domain or a rival lab's hostname is a defensible signal, but that concealing it was not: "This is not a malicious feature, but it is a weird choice for a developer tool that asks for trust." He and other researchers noted the control is simple to evade by changing a hostname or a timezone, which leaves it capturing legitimate developers who route through corporate gateways rather than the distillation pipelines it targets.

Know someone who'd find this useful? ✉️ Email it to a friend in one click, or they can subscribe free here.

Claude Code reads, edits and runs files on a developer's machine, so any undisclosed behavior in the client inherits that reach. Huorong Security, a Chinese security firm, said the tracking was not only a transparency problem but also raised cross-border data-compliance concerns, according to the South China Morning Post.

Anthropic does not sell Claude in China and has spent months accusing Chinese labs of copying its models. In a June 10 letter to U.S. senators, the company said operators linked to Alibaba's Qwen lab had run the largest known distillation campaign against Claude. Lizzi Lee, a fellow at the Asia Society Policy Institute's Center for China Analysis, said the ban followed from that posture. "If a US AI coding tool can detect Chinese usage or proxy access, then it's not surprising for major Chinese tech companies to not want employees using it internally," she told the South China Morning Post.

The rollback landed the same week Anthropic restored two of its models. The company had disabled Fable 5 and Mythos 5 in mid-June to comply with U.S. Commerce Department export controls, then brought them back on July 2 after officials lifted the order, saying it would expand its work with the U.S. government on frontier-model security. Alibaba's ban takes effect July 10.

Frequently Asked Questions

Why did Alibaba ban Claude Code?

An internal notice reported by the South China Morning Post classified Claude Code as high-risk software after researchers found hidden code that fingerprinted China-linked users. The ban takes effect July 10, and Alibaba told staff to use its own Qoder agent instead.

What did the hidden code in Claude Code do?

When a user pointed Claude Code at a custom API endpoint, it checked the system timezone and proxy hostname against lists of Chinese domains and AI labs, then encoded the result into invisible Unicode changes in the "Today's date is" line of the system prompt.

How did Anthropic respond?

Claude Code engineer Thariq Shihipar called the code an experiment launched in March to curb reseller abuse and distillation, said stronger protections had since shipped, and confirmed it was removed in version 2.1.197 on July 1.

Is the tracking still in Claude Code?

Anthropic says it was removed in version 2.1.197, published July 1, though that release's changelog did not mention the change. Researchers verified the mechanism in versions 2.1.193, 2.1.195 and 2.1.196.

What is adversarial distillation?

It is training a model on another model's outputs. Anthropic has accused Alibaba's Qwen lab of running the largest known distillation campaign against Claude, which it says the hidden code was meant to help detect.

AI-generated summary, reviewed by an editor. More on our AI guidelines.

Commerce Department Lifts Export Controls on Anthropic's Fable 5 and Mythos 5
Anthropic said Tuesday that the U.S. Department of Commerce has lifted the export controls it imposed on the company's Claude Fable 5 and Mythos 5 models on June 12, and that it would begin restoring
Zuckerberg and Bezos Learn the Cost of Access
San Francisco | Friday, June 19, 2026 Trump is turning Silicon Valley access into content. Haberman and Swan report he showed visitors private outreach from Zuckerberg and Bezos after the election,
Anthropic Routes High-Risk Fable 5 Queries to Opus 4.8 in Public Rollout
"When Fable's classifiers detect a request related to cybersecurity, biology and chemistry, or distillation, the response is automatically handled by Claude Opus 4.8 instead," Anthropic wrote Tuesday
AI News

San Francisco

Editor-in-Chief and founder of Implicator.ai. Former ARD correspondent and senior broadcast journalist with 10+ years covering tech. Writes daily briefings on policy and market developments. Based in San Francisco. E-mail: editor@implicator.ai